7014
|
1 /*
|
|
2 * gaim - Jabber Protocol Plugin
|
|
3 *
|
|
4 * Copyright (C) 2003, Nathan Walp <faceprint@faceprint.com>
|
|
5 *
|
|
6 * This program is free software; you can redistribute it and/or modify
|
|
7 * it under the terms of the GNU General Public License as published by
|
|
8 * the Free Software Foundation; either version 2 of the License, or
|
|
9 * (at your option) any later version.
|
|
10 *
|
|
11 * This program is distributed in the hope that it will be useful,
|
|
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
14 * GNU General Public License for more details.
|
|
15 *
|
|
16 * You should have received a copy of the GNU General Public License
|
|
17 * along with this program; if not, write to the Free Software
|
|
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
19 *
|
|
20 */
|
|
21 #include "internal.h"
|
|
22
|
|
23 #include "jutil.h"
|
|
24 #include "auth.h"
|
|
25 #include "xmlnode.h"
|
|
26 #include "jabber.h"
|
|
27 #include "iq.h"
|
|
28 #include "sha.h"
|
|
29
|
|
30 #include "debug.h"
|
|
31 #include "md5.h"
|
|
32 #include "util.h"
|
|
33 #include "sslconn.h"
|
|
34
|
|
35
|
|
36 void
|
|
37 jabber_auth_start(JabberStream *js, xmlnode *packet)
|
|
38 {
|
|
39 xmlnode *mechs, *mechnode;
|
|
40 xmlnode *starttls;
|
|
41
|
|
42 gboolean digest_md5 = FALSE;
|
|
43
|
|
44 if(gaim_ssl_is_supported() &&
|
|
45 (starttls = xmlnode_get_child(packet, "starttls"))) {
|
|
46 jabber_send_raw(js,
|
|
47 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
|
|
48 return;
|
|
49 }
|
|
50
|
|
51 mechs = xmlnode_get_child(packet, "mechanisms");
|
|
52
|
|
53 if(!mechs) {
|
|
54 gaim_connection_error(js->gc, _("Invalid response from server"));
|
|
55 return;
|
|
56 }
|
|
57
|
|
58 for(mechnode = mechs->child; mechnode; mechnode = mechnode->next)
|
|
59 {
|
|
60 if(mechnode->type == NODE_TYPE_TAG) {
|
|
61 char *mech_name = xmlnode_get_data(mechnode);
|
|
62 if(mech_name && !strcmp(mech_name, "DIGEST-MD5"))
|
|
63 digest_md5 = TRUE;
|
|
64 g_free(mech_name);
|
|
65 }
|
|
66 }
|
|
67
|
|
68 if(digest_md5) {
|
|
69 jabber_send_raw(js, "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'"
|
|
70 " mechanism='DIGEST-MD5' />");
|
|
71 } else {
|
|
72 gaim_connection_error(js->gc,
|
|
73 _("Server does not use any supported authentication method"));
|
|
74 }
|
|
75 }
|
|
76
|
|
77 static void auth_old_result_cb(JabberStream *js, xmlnode *packet)
|
|
78 {
|
|
79 const char *type = xmlnode_get_attrib(packet, "type");
|
|
80
|
|
81 if(type && !strcmp(type, "error")) {
|
|
82 xmlnode *error = xmlnode_get_child(packet, "error");
|
|
83 const char *err_code;
|
|
84 char *err_text;
|
|
85 char *buf;
|
|
86
|
|
87 err_code = xmlnode_get_attrib(error, "code");
|
|
88 err_text = xmlnode_get_data(error);
|
|
89
|
|
90 if(!err_code)
|
|
91 err_code = "";
|
|
92 if(!err_text)
|
|
93 err_text = g_strdup(_("Unknown"));
|
|
94
|
|
95 if(!strcmp(err_code, "401"))
|
|
96 js->gc->wants_to_die = TRUE;
|
|
97
|
|
98 buf = g_strdup_printf("Error %s: %s",
|
|
99 err_code, err_text);
|
|
100
|
|
101 gaim_connection_error(js->gc, buf);
|
|
102 g_free(err_text);
|
|
103 g_free(buf);
|
|
104 }
|
|
105 jabber_stream_set_state(js, JABBER_STREAM_CONNECTED);
|
|
106 }
|
|
107
|
|
108 static void auth_old_cb(JabberStream *js, xmlnode *packet)
|
|
109 {
|
|
110 JabberIq *iq;
|
|
111 xmlnode *query, *x;
|
|
112 gboolean digest = FALSE;
|
|
113 const char *pw = gaim_account_get_password(js->gc->account);
|
|
114
|
|
115 query = xmlnode_get_child(packet, "query");
|
|
116 if(js->stream_id && xmlnode_get_child(query, "digest")) {
|
|
117 digest = TRUE;
|
|
118 } else if(!xmlnode_get_child(query, "password")) {
|
|
119 gaim_connection_error(js->gc,
|
|
120 _("Server does not use any supported authentication method"));
|
|
121 return;
|
|
122 }
|
|
123
|
|
124 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
|
|
125 query = xmlnode_get_child(iq->node, "query");
|
|
126 x = xmlnode_new_child(query, "username");
|
|
127 xmlnode_insert_data(x, js->user->node, -1);
|
|
128 x = xmlnode_new_child(query, "resource");
|
|
129 xmlnode_insert_data(x, js->user->resource, -1);
|
|
130
|
|
131 if(digest) {
|
|
132 unsigned char hashval[20];
|
|
133 char *s, h[41], *p;
|
|
134 int i;
|
|
135
|
|
136 x = xmlnode_new_child(query, "digest");
|
|
137 s = g_strdup_printf("%s%s", js->stream_id, pw);
|
|
138 shaBlock((unsigned char *)s, strlen(s), hashval);
|
|
139 p = h;
|
|
140 for(i=0; i<20; i++, p+=2)
|
|
141 snprintf(p, 3, "%02x", hashval[i]);
|
|
142 xmlnode_insert_data(x, h, -1);
|
|
143 g_free(s);
|
|
144 } else {
|
|
145 x = xmlnode_new_child(query, "password");
|
|
146 xmlnode_insert_data(x, pw, -1);
|
|
147 }
|
|
148
|
|
149 jabber_iq_set_callback(iq, auth_old_result_cb);
|
|
150
|
|
151 jabber_iq_send(iq);
|
|
152 }
|
|
153
|
|
154 void jabber_auth_start_old(JabberStream *js)
|
|
155 {
|
|
156 JabberIq *iq;
|
|
157 xmlnode *query, *username;
|
|
158
|
|
159 iq = jabber_iq_new_query(js, JABBER_IQ_GET, "jabber:iq:auth");
|
|
160
|
|
161 query = xmlnode_get_child(iq->node, "query");
|
|
162 username = xmlnode_new_child(query, "username");
|
|
163 xmlnode_insert_data(username, js->user->node, -1);
|
|
164
|
|
165 jabber_iq_set_callback(iq, auth_old_cb);
|
|
166
|
|
167 jabber_iq_send(iq);
|
|
168 }
|
|
169
|
|
170 static GHashTable* parse_challenge(const char *challenge)
|
|
171 {
|
|
172 GHashTable *ret = g_hash_table_new_full(g_str_hash, g_str_equal,
|
|
173 g_free, g_free);
|
|
174 char **pairs;
|
|
175 int i;
|
|
176
|
|
177 pairs = g_strsplit(challenge, ",", -1);
|
|
178
|
|
179 for(i=0; pairs[i]; i++) {
|
|
180 char **keyval = g_strsplit(pairs[i], "=", 2);
|
|
181 if(keyval[0] && keyval[1]) {
|
|
182 if(keyval[1][0] == '"' && keyval[1][strlen(keyval[1])-1] == '"')
|
|
183 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strndup(keyval[1]+1, strlen(keyval[1])-2));
|
|
184 else
|
|
185 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strdup(keyval[1]));
|
|
186 }
|
|
187 g_strfreev(keyval);
|
|
188 }
|
|
189
|
|
190 g_strfreev(pairs);
|
|
191
|
|
192 return ret;
|
|
193 }
|
|
194
|
|
195 static unsigned char*
|
|
196 generate_response_value(JabberID *jid, const char *passwd, const char *nonce,
|
|
197 const char *cnonce, const char *a2)
|
|
198 {
|
|
199 md5_state_t ctx;
|
|
200 md5_byte_t result[16];
|
|
201
|
|
202 char *x, *y, *a1, *ha1, *ha2, *kd, *z;
|
|
203
|
|
204 x = g_strdup_printf("%s:%s:%s", jid->node, jid->domain, passwd);
|
|
205 md5_init(&ctx);
|
|
206 md5_append(&ctx, x, strlen(x));
|
|
207 md5_finish(&ctx, result);
|
|
208
|
|
209 y = g_strndup(result, 16);
|
|
210
|
|
211 a1 = g_strdup_printf("%s:%s:%s:%s@%s/%s", y, nonce, cnonce, jid->node,
|
|
212 jid->domain, jid->resource);
|
|
213
|
|
214 md5_init(&ctx);
|
|
215 md5_append(&ctx, a1, strlen(a1));
|
|
216 md5_finish(&ctx, result);
|
|
217
|
|
218 ha1 = tobase16(result, 16);
|
|
219
|
|
220 md5_init(&ctx);
|
|
221 md5_append(&ctx, a2, strlen(a2));
|
|
222 md5_finish(&ctx, result);
|
|
223
|
|
224 ha2 = tobase16(result, 16);
|
|
225
|
|
226 kd = g_strdup_printf("%s:%s:00000001:%s:auth:%s", ha1, nonce, cnonce, ha2);
|
|
227
|
|
228 md5_init(&ctx);
|
|
229 md5_append(&ctx, kd, strlen(kd));
|
|
230 md5_finish(&ctx, result);
|
|
231
|
|
232 z = tobase16(result, 16);
|
|
233
|
|
234 g_free(x);
|
|
235 g_free(y);
|
|
236 g_free(a1);
|
|
237 g_free(ha1);
|
|
238 g_free(ha2);
|
|
239 g_free(kd);
|
|
240
|
|
241 return z;
|
|
242 }
|
|
243
|
|
244 void
|
|
245 jabber_auth_handle_challenge(JabberStream *js, xmlnode *packet)
|
|
246 {
|
|
247 char *enc_in = xmlnode_get_data(packet);
|
|
248 char *dec_in;
|
|
249 char *enc_out;
|
|
250 GHashTable *parts;
|
|
251
|
|
252 frombase64(enc_in, &dec_in, NULL);
|
|
253
|
|
254 parts = parse_challenge(dec_in);
|
|
255
|
|
256 /* we're actually supposed to prompt the user for a realm if
|
|
257 * the server doesn't send one, but that really complicates things,
|
|
258 * so i'm not gonna worry about it until is poses a problem to someone,
|
|
259 * or I get really bored */
|
|
260
|
|
261 if(g_hash_table_lookup(parts, "realm")) {
|
|
262 /* assemble a response, and send it */
|
|
263 /* see RFC 2831 */
|
|
264 GString *response = g_string_new("");
|
|
265 char *a2;
|
|
266 char *auth_resp;
|
|
267 char *buf;
|
|
268 char *cnonce;
|
|
269 char *realm;
|
|
270 char *nonce;
|
|
271
|
|
272 cnonce = g_strdup_printf("%p%u%p", js, (int)time(NULL), packet);
|
|
273 nonce = g_hash_table_lookup(parts, "nonce");
|
|
274 realm = g_hash_table_lookup(parts, "realm");
|
|
275
|
|
276 a2 = g_strdup_printf("AUTHENTICATE:xmpp/%s", realm);
|
|
277 auth_resp = generate_response_value(js->user,
|
|
278 gaim_account_get_password(js->gc->account), nonce, cnonce, a2);
|
|
279 g_free(a2);
|
|
280
|
|
281 a2 = g_strdup_printf(":xmpp/%s", realm);
|
|
282 js->expected_rspauth = generate_response_value(js->user,
|
|
283 gaim_account_get_password(js->gc->account), nonce, cnonce, a2);
|
|
284 g_free(a2);
|
|
285
|
|
286
|
|
287 g_string_append_printf(response, "username=\"%s\"", js->user->node);
|
|
288 g_string_append_printf(response, ",realm=\"%s\"", realm);
|
|
289 g_string_append_printf(response, ",nonce=\"%s\"", nonce);
|
|
290 g_string_append_printf(response, ",cnonce=\"%s\"", cnonce);
|
|
291 g_string_append_printf(response, ",nc=00000001");
|
|
292 g_string_append_printf(response, ",qop=auth");
|
|
293 g_string_append_printf(response, ",digest-uri=\"xmpp/%s\"", realm);
|
|
294 g_string_append_printf(response, ",response=%s", auth_resp);
|
|
295 g_string_append_printf(response, ",charset=utf-8");
|
|
296 g_string_append_printf(response, ",authzid=\"%s\"",
|
|
297 gaim_account_get_username(js->gc->account));
|
|
298
|
|
299 g_free(auth_resp);
|
|
300 g_free(cnonce);
|
|
301
|
|
302 enc_out = tobase64(response->str, response->len);
|
|
303
|
|
304 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded response (%d): %s\n", response->len, response->str);
|
|
305
|
|
306 buf = g_strdup_printf("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>%s</response>", enc_out);
|
|
307
|
|
308 jabber_send_raw(js, buf);
|
|
309
|
|
310 g_free(buf);
|
|
311
|
|
312 g_free(enc_out);
|
|
313
|
|
314 g_string_free(response, TRUE);
|
|
315 } else if (g_hash_table_lookup(parts, "rspauth")) {
|
|
316 char *rspauth = g_hash_table_lookup(parts, "rspauth");
|
|
317
|
|
318
|
|
319 if(rspauth && !strcmp(rspauth, js->expected_rspauth)) {
|
|
320 jabber_send_raw(js,
|
|
321 "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl' />");
|
|
322 } else {
|
|
323 gaim_connection_error(js->gc, _("Invalid challenge from server"));
|
|
324 }
|
|
325 g_free(js->expected_rspauth);
|
|
326 }
|
|
327
|
|
328 g_free(enc_in);
|
|
329 g_free(dec_in);
|
|
330 g_hash_table_destroy(parts);
|
|
331 }
|
|
332
|
|
333 void jabber_auth_handle_success(JabberStream *js, xmlnode *packet)
|
|
334 {
|
|
335 const char *ns = xmlnode_get_attrib(packet, "xmlns");
|
|
336
|
|
337 if(!ns || strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) {
|
|
338 gaim_connection_error(js->gc, _("Invalid response from server"));
|
|
339 return;
|
|
340 }
|
|
341
|
|
342 jabber_stream_set_state(js, JABBER_STREAM_REINITIALIZING);
|
|
343 }
|
|
344
|
|
345 void jabber_auth_handle_failure(JabberStream *js, xmlnode *packet)
|
|
346 {
|
|
347 const char *ns = xmlnode_get_attrib(packet, "xmlns");
|
|
348
|
|
349 if(!ns)
|
|
350 gaim_connection_error(js->gc, _("Invalid response from server"));
|
|
351 else if(!strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) {
|
|
352 if(xmlnode_get_child(packet, "bad-protocol")) {
|
|
353 gaim_connection_error(js->gc, _("Bad Protocol"));
|
|
354 } else if(xmlnode_get_child(packet, "encryption-required")) {
|
|
355 js->gc->wants_to_die = TRUE;
|
|
356 gaim_connection_error(js->gc, _("Encryption Required"));
|
|
357 } else if(xmlnode_get_child(packet, "invalid-authzid")) {
|
|
358 js->gc->wants_to_die = TRUE;
|
|
359 gaim_connection_error(js->gc, _("Invalid authzid"));
|
|
360 } else if(xmlnode_get_child(packet, "invalid-mechanism")) {
|
|
361 js->gc->wants_to_die = TRUE;
|
|
362 gaim_connection_error(js->gc, _("Invalid Mechanism"));
|
|
363 } else if(xmlnode_get_child(packet, "invalid-realm")) {
|
|
364 gaim_connection_error(js->gc, _("Invalid Realm"));
|
|
365 } else if(xmlnode_get_child(packet, "mechanism-too-weak")) {
|
|
366 js->gc->wants_to_die = TRUE;
|
|
367 gaim_connection_error(js->gc, _("Mechanism Too Weak"));
|
|
368 } else if(xmlnode_get_child(packet, "not-authorized")) {
|
|
369 js->gc->wants_to_die = TRUE;
|
|
370 gaim_connection_error(js->gc, _("Not Authorized"));
|
|
371 } else if(xmlnode_get_child(packet, "temporary-auth-failure")) {
|
|
372 gaim_connection_error(js->gc,
|
|
373 _("Temporary Authentication Failure"));
|
|
374 } else {
|
|
375 gaim_connection_error(js->gc, _("Authentication Failure"));
|
|
376 }
|
|
377 }
|
|
378 }
|