Mercurial > pidgin
annotate src/protocols/jabber/auth.c @ 8086:55431e80a783
[gaim-migrate @ 8785]
let people enable plain authentication over unencrypted channels if they
really want to. and plug a memory leak in said authentication scheme.
committer: Tailor Script <tailor@pidgin.im>
author | Nathan Walp <nwalp@pidgin.im> |
---|---|
date | Tue, 13 Jan 2004 00:03:27 +0000 |
parents | 0694e3afa206 |
children | 380d2bbdef1a |
rev | line source |
---|---|
7014 | 1 /* |
2 * gaim - Jabber Protocol Plugin | |
3 * | |
4 * Copyright (C) 2003, Nathan Walp <faceprint@faceprint.com> | |
5 * | |
6 * This program is free software; you can redistribute it and/or modify | |
7 * it under the terms of the GNU General Public License as published by | |
8 * the Free Software Foundation; either version 2 of the License, or | |
9 * (at your option) any later version. | |
10 * | |
11 * This program is distributed in the hope that it will be useful, | |
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 * GNU General Public License for more details. | |
15 * | |
16 * You should have received a copy of the GNU General Public License | |
17 * along with this program; if not, write to the Free Software | |
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
19 * | |
20 */ | |
21 #include "internal.h" | |
22 | |
23 #include "jutil.h" | |
24 #include "auth.h" | |
25 #include "xmlnode.h" | |
26 #include "jabber.h" | |
27 #include "iq.h" | |
28 #include "sha.h" | |
29 | |
30 #include "debug.h" | |
31 #include "md5.h" | |
32 #include "util.h" | |
33 #include "sslconn.h" | |
34 | |
35 | |
36 void | |
37 jabber_auth_start(JabberStream *js, xmlnode *packet) | |
38 { | |
39 xmlnode *mechs, *mechnode; | |
40 xmlnode *starttls; | |
7291 | 41 xmlnode *auth; |
7014 | 42 |
7291 | 43 gboolean digest_md5 = FALSE, plain=FALSE; |
7014 | 44 |
7157 | 45 if((starttls = xmlnode_get_child(packet, "starttls"))) { |
7630 | 46 if(gaim_account_get_bool(js->gc->account, "use_tls", TRUE) && |
47 gaim_ssl_is_supported()) { | |
7157 | 48 jabber_send_raw(js, |
7642 | 49 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1); |
7157 | 50 return; |
51 } else if(xmlnode_get_child(starttls, "required")) { | |
52 gaim_connection_error(js->gc, _("Server requires SSL for login")); | |
53 return; | |
54 } | |
7014 | 55 } |
56 | |
8016 | 57 if(js->registration) { |
58 jabber_register_start(js); | |
59 return; | |
60 } | |
61 | |
7014 | 62 mechs = xmlnode_get_child(packet, "mechanisms"); |
63 | |
64 if(!mechs) { | |
7981 | 65 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 66 return; |
67 } | |
68 | |
69 for(mechnode = mechs->child; mechnode; mechnode = mechnode->next) | |
70 { | |
71 if(mechnode->type == NODE_TYPE_TAG) { | |
72 char *mech_name = xmlnode_get_data(mechnode); | |
73 if(mech_name && !strcmp(mech_name, "DIGEST-MD5")) | |
74 digest_md5 = TRUE; | |
7291 | 75 else if(mech_name && !strcmp(mech_name, "PLAIN")) |
76 plain = TRUE; | |
7014 | 77 g_free(mech_name); |
78 } | |
79 } | |
80 | |
7291 | 81 auth = xmlnode_new("auth"); |
82 xmlnode_set_attrib(auth, "xmlns", "urn:ietf:params:xml:ns:xmpp-sasl"); | |
7703 | 83 |
7645 | 84 if(digest_md5) { |
7291 | 85 xmlnode_set_attrib(auth, "mechanism", "DIGEST-MD5"); |
86 js->auth_type = JABBER_AUTH_DIGEST_MD5; | |
8086 | 87 } else if(plain) { |
88 GString *response; | |
7703 | 89 char *enc_out; |
90 | |
8086 | 91 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE)) { |
92 /* XXX: later, make this yes/no so they can just click to enable it */ | |
93 gaim_connection_error(js->gc, | |
94 _("Server requires plaintext authentication over an unencrypted stream")); | |
95 xmlnode_free(auth); | |
96 return; | |
97 } | |
98 | |
99 response = g_string_new(""); | |
7703 | 100 response = g_string_append_len(response, "\0", 1); |
101 response = g_string_append(response, js->user->node); | |
102 response = g_string_append_len(response, "\0", 1); | |
103 response = g_string_append(response, | |
104 gaim_account_get_password(js->gc->account)); | |
105 | |
106 enc_out = gaim_base64_encode(response->str, response->len); | |
107 | |
7642 | 108 xmlnode_set_attrib(auth, "mechanism", "PLAIN"); |
7703 | 109 xmlnode_insert_data(auth, enc_out, -1); |
110 g_free(enc_out); | |
8086 | 111 g_string_free(response, TRUE); |
7703 | 112 |
7291 | 113 js->auth_type = JABBER_AUTH_PLAIN; |
7014 | 114 } else { |
115 gaim_connection_error(js->gc, | |
116 _("Server does not use any supported authentication method")); | |
7291 | 117 xmlnode_free(auth); |
118 return; | |
7014 | 119 } |
7703 | 120 |
7291 | 121 jabber_send(js, auth); |
122 xmlnode_free(auth); | |
7014 | 123 } |
124 | |
7395 | 125 static void auth_old_result_cb(JabberStream *js, xmlnode *packet, gpointer data) |
7014 | 126 { |
127 const char *type = xmlnode_get_attrib(packet, "type"); | |
128 | |
7730 | 129 if(type && !strcmp(type, "result")) { |
130 jabber_stream_set_state(js, JABBER_STREAM_CONNECTED); | |
131 } else { | |
7014 | 132 xmlnode *error = xmlnode_get_child(packet, "error"); |
7730 | 133 const char *err_code = NULL; |
134 char *err_text = NULL; | |
7014 | 135 char *buf; |
136 | |
7730 | 137 if(error) { |
138 err_code = xmlnode_get_attrib(error, "code"); | |
139 err_text = xmlnode_get_data(error); | |
140 } | |
7014 | 141 |
142 if(!err_code) | |
143 err_code = ""; | |
144 if(!err_text) | |
145 err_text = g_strdup(_("Unknown")); | |
146 | |
147 if(!strcmp(err_code, "401")) | |
148 js->gc->wants_to_die = TRUE; | |
149 | |
150 buf = g_strdup_printf("Error %s: %s", | |
151 err_code, err_text); | |
152 | |
153 gaim_connection_error(js->gc, buf); | |
154 g_free(err_text); | |
155 g_free(buf); | |
156 } | |
157 } | |
158 | |
7395 | 159 static void auth_old_cb(JabberStream *js, xmlnode *packet, gpointer data) |
7014 | 160 { |
161 JabberIq *iq; | |
162 xmlnode *query, *x; | |
163 gboolean digest = FALSE; | |
7514 | 164 const char *type = xmlnode_get_attrib(packet, "type"); |
7014 | 165 const char *pw = gaim_account_get_password(js->gc->account); |
166 | |
7514 | 167 if(!type) { |
7981 | 168 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 169 return; |
7515 | 170 } else if(!strcmp(type, "error")) { |
7644 | 171 /* XXX: still need to handle XMPP-style errors */ |
172 xmlnode *error; | |
173 char *buf, *err_txt = NULL; | |
174 const char *code = NULL; | |
175 if((error = xmlnode_get_child(packet, "error"))) { | |
176 code = xmlnode_get_attrib(error, "code"); | |
177 err_txt = xmlnode_get_data(error); | |
178 } | |
179 buf = g_strdup_printf("%s%s%s", code ? code : "", code ? ": " : "", | |
180 err_txt ? err_txt : _("Unknown Error")); | |
181 gaim_connection_error(js->gc, buf); | |
182 if(err_txt) | |
183 g_free(err_txt); | |
184 g_free(buf); | |
7515 | 185 } else if(!strcmp(type, "result")) { |
7514 | 186 query = xmlnode_get_child(packet, "query"); |
187 if(js->stream_id && xmlnode_get_child(query, "digest")) { | |
188 digest = TRUE; | |
8086 | 189 } else if(xmlnode_get_child(query, "password")) { |
190 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, | |
191 "auth_plain_in_clear", FALSE)) { | |
192 /* XXX: later, make this yes/no so they can just click to enable it */ | |
193 gaim_connection_error(js->gc, | |
194 _("Server requires plaintext authentication over an unencrypted stream")); | |
195 return; | |
196 } | |
197 } else { | |
7514 | 198 gaim_connection_error(js->gc, |
199 _("Server does not use any supported authentication method")); | |
200 return; | |
201 } | |
7014 | 202 |
7514 | 203 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth"); |
204 query = xmlnode_get_child(iq->node, "query"); | |
205 x = xmlnode_new_child(query, "username"); | |
206 xmlnode_insert_data(x, js->user->node, -1); | |
207 x = xmlnode_new_child(query, "resource"); | |
208 xmlnode_insert_data(x, js->user->resource, -1); | |
7014 | 209 |
7514 | 210 if(digest) { |
211 unsigned char hashval[20]; | |
212 char *s, h[41], *p; | |
213 int i; | |
7014 | 214 |
7514 | 215 x = xmlnode_new_child(query, "digest"); |
216 s = g_strdup_printf("%s%s", js->stream_id, pw); | |
217 shaBlock((unsigned char *)s, strlen(s), hashval); | |
218 p = h; | |
219 for(i=0; i<20; i++, p+=2) | |
220 snprintf(p, 3, "%02x", hashval[i]); | |
221 xmlnode_insert_data(x, h, -1); | |
222 g_free(s); | |
223 } else { | |
224 x = xmlnode_new_child(query, "password"); | |
225 xmlnode_insert_data(x, pw, -1); | |
226 } | |
227 | |
228 jabber_iq_set_callback(iq, auth_old_result_cb, NULL); | |
229 | |
230 jabber_iq_send(iq); | |
7014 | 231 } |
232 } | |
233 | |
234 void jabber_auth_start_old(JabberStream *js) | |
235 { | |
236 JabberIq *iq; | |
237 xmlnode *query, *username; | |
238 | |
239 iq = jabber_iq_new_query(js, JABBER_IQ_GET, "jabber:iq:auth"); | |
240 | |
241 query = xmlnode_get_child(iq->node, "query"); | |
242 username = xmlnode_new_child(query, "username"); | |
243 xmlnode_insert_data(username, js->user->node, -1); | |
244 | |
7395 | 245 jabber_iq_set_callback(iq, auth_old_cb, NULL); |
7014 | 246 |
247 jabber_iq_send(iq); | |
248 } | |
249 | |
250 static GHashTable* parse_challenge(const char *challenge) | |
251 { | |
252 GHashTable *ret = g_hash_table_new_full(g_str_hash, g_str_equal, | |
253 g_free, g_free); | |
254 char **pairs; | |
255 int i; | |
256 | |
257 pairs = g_strsplit(challenge, ",", -1); | |
258 | |
259 for(i=0; pairs[i]; i++) { | |
260 char **keyval = g_strsplit(pairs[i], "=", 2); | |
261 if(keyval[0] && keyval[1]) { | |
262 if(keyval[1][0] == '"' && keyval[1][strlen(keyval[1])-1] == '"') | |
263 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strndup(keyval[1]+1, strlen(keyval[1])-2)); | |
264 else | |
265 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strdup(keyval[1])); | |
266 } | |
267 g_strfreev(keyval); | |
268 } | |
269 | |
270 g_strfreev(pairs); | |
271 | |
272 return ret; | |
273 } | |
274 | |
275 static unsigned char* | |
276 generate_response_value(JabberID *jid, const char *passwd, const char *nonce, | |
7267 | 277 const char *cnonce, const char *a2, const char *realm) |
7014 | 278 { |
279 md5_state_t ctx; | |
280 md5_byte_t result[16]; | |
281 | |
282 char *x, *y, *a1, *ha1, *ha2, *kd, *z; | |
283 | |
7267 | 284 x = g_strdup_printf("%s:%s:%s", jid->node, realm, passwd); |
7014 | 285 md5_init(&ctx); |
286 md5_append(&ctx, x, strlen(x)); | |
287 md5_finish(&ctx, result); | |
288 | |
289 y = g_strndup(result, 16); | |
290 | |
7395 | 291 a1 = g_strdup_printf("%s:%s:%s:%s@%s", y, nonce, cnonce, jid->node, |
292 jid->domain); | |
7014 | 293 |
294 md5_init(&ctx); | |
295 md5_append(&ctx, a1, strlen(a1)); | |
296 md5_finish(&ctx, result); | |
297 | |
7106
db6bd3e794d8
[gaim-migrate @ 7671]
Christian Hammond <chipx86@chipx86.com>
parents:
7014
diff
changeset
|
298 ha1 = gaim_base16_encode(result, 16); |
7014 | 299 |
300 md5_init(&ctx); | |
301 md5_append(&ctx, a2, strlen(a2)); | |
302 md5_finish(&ctx, result); | |
303 | |
7106
db6bd3e794d8
[gaim-migrate @ 7671]
Christian Hammond <chipx86@chipx86.com>
parents:
7014
diff
changeset
|
304 ha2 = gaim_base16_encode(result, 16); |
7014 | 305 |
306 kd = g_strdup_printf("%s:%s:00000001:%s:auth:%s", ha1, nonce, cnonce, ha2); | |
307 | |
308 md5_init(&ctx); | |
309 md5_append(&ctx, kd, strlen(kd)); | |
310 md5_finish(&ctx, result); | |
311 | |
7106
db6bd3e794d8
[gaim-migrate @ 7671]
Christian Hammond <chipx86@chipx86.com>
parents:
7014
diff
changeset
|
312 z = gaim_base16_encode(result, 16); |
7014 | 313 |
314 g_free(x); | |
315 g_free(y); | |
316 g_free(a1); | |
317 g_free(ha1); | |
318 g_free(ha2); | |
319 g_free(kd); | |
320 | |
321 return z; | |
322 } | |
323 | |
324 void | |
325 jabber_auth_handle_challenge(JabberStream *js, xmlnode *packet) | |
326 { | |
327 | |
7703 | 328 if(js->auth_type == JABBER_AUTH_DIGEST_MD5) { |
7291 | 329 char *enc_in = xmlnode_get_data(packet); |
330 char *dec_in; | |
331 char *enc_out; | |
332 GHashTable *parts; | |
7014 | 333 |
7395 | 334 if(!enc_in) { |
7981 | 335 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7395 | 336 return; |
337 } | |
338 | |
7291 | 339 gaim_base64_decode(enc_in, &dec_in, NULL); |
7395 | 340 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded challenge (%d): %s\n", |
341 strlen(dec_in), dec_in); | |
7291 | 342 |
343 parts = parse_challenge(dec_in); | |
7014 | 344 |
345 | |
7291 | 346 if (g_hash_table_lookup(parts, "rspauth")) { |
347 char *rspauth = g_hash_table_lookup(parts, "rspauth"); | |
7014 | 348 |
349 | |
7291 | 350 if(rspauth && js->expected_rspauth && |
351 !strcmp(rspauth, js->expected_rspauth)) { | |
352 jabber_send_raw(js, | |
7642 | 353 "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl' />", |
354 -1); | |
7291 | 355 } else { |
356 gaim_connection_error(js->gc, _("Invalid challenge from server")); | |
357 } | |
358 g_free(js->expected_rspauth); | |
359 } else { | |
360 /* assemble a response, and send it */ | |
361 /* see RFC 2831 */ | |
362 GString *response = g_string_new(""); | |
363 char *a2; | |
364 char *auth_resp; | |
365 char *buf; | |
366 char *cnonce; | |
367 char *realm; | |
368 char *nonce; | |
7014 | 369 |
7291 | 370 /* we're actually supposed to prompt the user for a realm if |
371 * the server doesn't send one, but that really complicates things, | |
372 * so i'm not gonna worry about it until is poses a problem to | |
373 * someone, or I get really bored */ | |
374 realm = g_hash_table_lookup(parts, "realm"); | |
375 if(!realm) | |
376 realm = js->user->domain; | |
7014 | 377 |
7291 | 378 cnonce = g_strdup_printf("%x%u%x", g_random_int(), (int)time(NULL), |
379 g_random_int()); | |
380 nonce = g_hash_table_lookup(parts, "nonce"); | |
7014 | 381 |
382 | |
7291 | 383 a2 = g_strdup_printf("AUTHENTICATE:xmpp/%s", realm); |
384 auth_resp = generate_response_value(js->user, | |
385 gaim_account_get_password(js->gc->account), nonce, cnonce, a2, realm); | |
386 g_free(a2); | |
387 | |
388 a2 = g_strdup_printf(":xmpp/%s", realm); | |
389 js->expected_rspauth = generate_response_value(js->user, | |
390 gaim_account_get_password(js->gc->account), nonce, cnonce, a2, realm); | |
391 g_free(a2); | |
392 | |
393 | |
394 g_string_append_printf(response, "username=\"%s\"", js->user->node); | |
395 g_string_append_printf(response, ",realm=\"%s\"", realm); | |
396 g_string_append_printf(response, ",nonce=\"%s\"", nonce); | |
397 g_string_append_printf(response, ",cnonce=\"%s\"", cnonce); | |
398 g_string_append_printf(response, ",nc=00000001"); | |
399 g_string_append_printf(response, ",qop=auth"); | |
400 g_string_append_printf(response, ",digest-uri=\"xmpp/%s\"", realm); | |
401 g_string_append_printf(response, ",response=%s", auth_resp); | |
402 g_string_append_printf(response, ",charset=utf-8"); | |
403 | |
404 g_free(auth_resp); | |
405 g_free(cnonce); | |
406 | |
407 enc_out = gaim_base64_encode(response->str, response->len); | |
408 | |
409 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded response (%d): %s\n", response->len, response->str); | |
410 | |
411 buf = g_strdup_printf("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>%s</response>", enc_out); | |
412 | |
7642 | 413 jabber_send_raw(js, buf, -1); |
7291 | 414 |
415 g_free(buf); | |
416 | |
417 g_free(enc_out); | |
418 | |
419 g_string_free(response, TRUE); | |
7014 | 420 } |
7291 | 421 |
422 g_free(enc_in); | |
423 g_free(dec_in); | |
424 g_hash_table_destroy(parts); | |
7014 | 425 } |
426 } | |
427 | |
428 void jabber_auth_handle_success(JabberStream *js, xmlnode *packet) | |
429 { | |
430 const char *ns = xmlnode_get_attrib(packet, "xmlns"); | |
431 | |
432 if(!ns || strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) { | |
7981 | 433 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 434 return; |
435 } | |
436 | |
437 jabber_stream_set_state(js, JABBER_STREAM_REINITIALIZING); | |
438 } | |
439 | |
440 void jabber_auth_handle_failure(JabberStream *js, xmlnode *packet) | |
441 { | |
442 const char *ns = xmlnode_get_attrib(packet, "xmlns"); | |
443 | |
444 if(!ns) | |
7981 | 445 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 446 else if(!strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) { |
447 if(xmlnode_get_child(packet, "bad-protocol")) { | |
448 gaim_connection_error(js->gc, _("Bad Protocol")); | |
449 } else if(xmlnode_get_child(packet, "encryption-required")) { | |
450 js->gc->wants_to_die = TRUE; | |
451 gaim_connection_error(js->gc, _("Encryption Required")); | |
452 } else if(xmlnode_get_child(packet, "invalid-authzid")) { | |
453 js->gc->wants_to_die = TRUE; | |
454 gaim_connection_error(js->gc, _("Invalid authzid")); | |
455 } else if(xmlnode_get_child(packet, "invalid-mechanism")) { | |
456 js->gc->wants_to_die = TRUE; | |
457 gaim_connection_error(js->gc, _("Invalid Mechanism")); | |
458 } else if(xmlnode_get_child(packet, "invalid-realm")) { | |
459 gaim_connection_error(js->gc, _("Invalid Realm")); | |
460 } else if(xmlnode_get_child(packet, "mechanism-too-weak")) { | |
461 js->gc->wants_to_die = TRUE; | |
462 gaim_connection_error(js->gc, _("Mechanism Too Weak")); | |
463 } else if(xmlnode_get_child(packet, "not-authorized")) { | |
464 js->gc->wants_to_die = TRUE; | |
465 gaim_connection_error(js->gc, _("Not Authorized")); | |
466 } else if(xmlnode_get_child(packet, "temporary-auth-failure")) { | |
467 gaim_connection_error(js->gc, | |
468 _("Temporary Authentication Failure")); | |
469 } else { | |
470 gaim_connection_error(js->gc, _("Authentication Failure")); | |
471 } | |
472 } | |
473 } |