Mercurial > pidgin
annotate src/protocols/jabber/auth.c @ 8397:b63debdf5a92
[gaim-migrate @ 9126]
be more user-friendly about the whole unencrypted plaintext password thing
committer: Tailor Script <tailor@pidgin.im>
author | Nathan Walp <nwalp@pidgin.im> |
---|---|
date | Fri, 05 Mar 2004 16:14:22 +0000 |
parents | dd6fe7d965aa |
children | c13a4913a071 |
rev | line source |
---|---|
7014 | 1 /* |
2 * gaim - Jabber Protocol Plugin | |
3 * | |
4 * Copyright (C) 2003, Nathan Walp <faceprint@faceprint.com> | |
5 * | |
6 * This program is free software; you can redistribute it and/or modify | |
7 * it under the terms of the GNU General Public License as published by | |
8 * the Free Software Foundation; either version 2 of the License, or | |
9 * (at your option) any later version. | |
10 * | |
11 * This program is distributed in the hope that it will be useful, | |
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 * GNU General Public License for more details. | |
15 * | |
16 * You should have received a copy of the GNU General Public License | |
17 * along with this program; if not, write to the Free Software | |
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
19 * | |
20 */ | |
21 #include "internal.h" | |
22 | |
23 #include "jutil.h" | |
24 #include "auth.h" | |
25 #include "xmlnode.h" | |
26 #include "jabber.h" | |
27 #include "iq.h" | |
28 #include "sha.h" | |
29 | |
30 #include "debug.h" | |
31 #include "md5.h" | |
32 #include "util.h" | |
33 #include "sslconn.h" | |
8397 | 34 #include "request.h" |
35 | |
36 static void auth_old_result_cb(JabberStream *js, xmlnode *packet, | |
37 gpointer data); | |
7014 | 38 |
8296 | 39 gboolean |
40 jabber_process_starttls(JabberStream *js, xmlnode *packet) | |
7014 | 41 { |
42 xmlnode *starttls; | |
43 | |
7157 | 44 if((starttls = xmlnode_get_child(packet, "starttls"))) { |
7630 | 45 if(gaim_account_get_bool(js->gc->account, "use_tls", TRUE) && |
46 gaim_ssl_is_supported()) { | |
7157 | 47 jabber_send_raw(js, |
7642 | 48 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1); |
8296 | 49 return TRUE; |
7157 | 50 } else if(xmlnode_get_child(starttls, "required")) { |
51 gaim_connection_error(js->gc, _("Server requires SSL for login")); | |
8296 | 52 return TRUE; |
7157 | 53 } |
7014 | 54 } |
55 | |
8296 | 56 return FALSE; |
57 } | |
58 | |
8397 | 59 static void finish_plaintext_authentication(JabberStream *js) |
60 { | |
61 if(js->auth_type == JABBER_AUTH_PLAIN) { | |
62 xmlnode *auth; | |
63 GString *response; | |
64 char *enc_out; | |
65 | |
66 auth = xmlnode_new("auth"); | |
67 xmlnode_set_attrib(auth, "xmlns", "urn:ietf:params:xml:ns:xmpp-sasl"); | |
68 | |
69 response = g_string_new(""); | |
70 response = g_string_append_len(response, "\0", 1); | |
71 response = g_string_append(response, js->user->node); | |
72 response = g_string_append_len(response, "\0", 1); | |
73 response = g_string_append(response, | |
74 gaim_account_get_password(js->gc->account)); | |
75 | |
76 enc_out = gaim_base64_encode(response->str, response->len); | |
77 | |
78 xmlnode_set_attrib(auth, "mechanism", "PLAIN"); | |
79 xmlnode_insert_data(auth, enc_out, -1); | |
80 g_free(enc_out); | |
81 g_string_free(response, TRUE); | |
82 | |
83 jabber_send(js, auth); | |
84 xmlnode_free(auth); | |
85 } else if(js->auth_type == JABBER_AUTH_IQ_AUTH) { | |
86 JabberIq *iq; | |
87 xmlnode *query, *x; | |
88 | |
89 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth"); | |
90 query = xmlnode_get_child(iq->node, "query"); | |
91 x = xmlnode_new_child(query, "username"); | |
92 xmlnode_insert_data(x, js->user->node, -1); | |
93 x = xmlnode_new_child(query, "resource"); | |
94 xmlnode_insert_data(x, js->user->resource, -1); | |
95 x = xmlnode_new_child(query, "password"); | |
96 xmlnode_insert_data(x, gaim_account_get_password(js->gc->account), -1); | |
97 jabber_iq_set_callback(iq, auth_old_result_cb, NULL); | |
98 jabber_iq_send(iq); | |
99 } | |
100 } | |
101 | |
102 static void allow_plaintext_auth(GaimAccount *account) | |
103 { | |
104 gaim_account_set_bool(account, "auth_plain_in_clear", TRUE); | |
105 | |
106 finish_plaintext_authentication(account->gc->proto_data); | |
107 } | |
108 | |
109 static void disallow_plaintext_auth(GaimAccount *account) | |
110 { | |
111 gaim_connection_error(account->gc, _("Server requires plaintext authentication over an unencrypted stream")); | |
112 } | |
113 | |
8296 | 114 void |
115 jabber_auth_start(JabberStream *js, xmlnode *packet) | |
116 { | |
117 xmlnode *mechs, *mechnode; | |
118 | |
119 gboolean digest_md5 = FALSE, plain=FALSE; | |
120 | |
121 | |
8016 | 122 if(js->registration) { |
123 jabber_register_start(js); | |
124 return; | |
125 } | |
126 | |
7014 | 127 mechs = xmlnode_get_child(packet, "mechanisms"); |
128 | |
129 if(!mechs) { | |
7981 | 130 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 131 return; |
132 } | |
133 | |
8135 | 134 for(mechnode = xmlnode_get_child(mechs, "mechanism"); mechnode; |
135 mechnode = xmlnode_get_next_twin(mechnode)) | |
7014 | 136 { |
8135 | 137 char *mech_name = xmlnode_get_data(mechnode); |
138 if(mech_name && !strcmp(mech_name, "DIGEST-MD5")) | |
139 digest_md5 = TRUE; | |
140 else if(mech_name && !strcmp(mech_name, "PLAIN")) | |
141 plain = TRUE; | |
142 g_free(mech_name); | |
7014 | 143 } |
144 | |
7703 | 145 |
7645 | 146 if(digest_md5) { |
8397 | 147 xmlnode *auth; |
148 | |
149 js->auth_type = JABBER_AUTH_DIGEST_MD5; | |
150 auth = xmlnode_new("auth"); | |
151 xmlnode_set_attrib(auth, "xmlns", "urn:ietf:params:xml:ns:xmpp-sasl"); | |
7291 | 152 xmlnode_set_attrib(auth, "mechanism", "DIGEST-MD5"); |
8397 | 153 |
154 jabber_send(js, auth); | |
155 xmlnode_free(auth); | |
8086 | 156 } else if(plain) { |
8397 | 157 js->auth_type = JABBER_AUTH_PLAIN; |
7703 | 158 |
8086 | 159 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE)) { |
8397 | 160 gaim_request_yes_no(js->gc, _("Plaintext Authentication"), |
161 _("Plaintext Authentication"), | |
162 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"), | |
163 2, js->gc->account, allow_plaintext_auth, | |
164 disallow_plaintext_auth); | |
8086 | 165 return; |
166 } | |
8397 | 167 finish_plaintext_authentication(js); |
7014 | 168 } else { |
169 gaim_connection_error(js->gc, | |
170 _("Server does not use any supported authentication method")); | |
171 } | |
172 } | |
173 | |
7395 | 174 static void auth_old_result_cb(JabberStream *js, xmlnode *packet, gpointer data) |
7014 | 175 { |
176 const char *type = xmlnode_get_attrib(packet, "type"); | |
177 | |
7730 | 178 if(type && !strcmp(type, "result")) { |
179 jabber_stream_set_state(js, JABBER_STREAM_CONNECTED); | |
180 } else { | |
7014 | 181 xmlnode *error = xmlnode_get_child(packet, "error"); |
7730 | 182 const char *err_code = NULL; |
183 char *err_text = NULL; | |
7014 | 184 char *buf; |
185 | |
7730 | 186 if(error) { |
187 err_code = xmlnode_get_attrib(error, "code"); | |
188 err_text = xmlnode_get_data(error); | |
189 } | |
7014 | 190 |
191 if(!err_code) | |
192 err_code = ""; | |
193 if(!err_text) | |
194 err_text = g_strdup(_("Unknown")); | |
195 | |
196 if(!strcmp(err_code, "401")) | |
197 js->gc->wants_to_die = TRUE; | |
198 | |
199 buf = g_strdup_printf("Error %s: %s", | |
200 err_code, err_text); | |
201 | |
202 gaim_connection_error(js->gc, buf); | |
203 g_free(err_text); | |
204 g_free(buf); | |
205 } | |
206 } | |
207 | |
7395 | 208 static void auth_old_cb(JabberStream *js, xmlnode *packet, gpointer data) |
7014 | 209 { |
210 JabberIq *iq; | |
211 xmlnode *query, *x; | |
7514 | 212 const char *type = xmlnode_get_attrib(packet, "type"); |
7014 | 213 const char *pw = gaim_account_get_password(js->gc->account); |
214 | |
7514 | 215 if(!type) { |
7981 | 216 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 217 return; |
7515 | 218 } else if(!strcmp(type, "error")) { |
7644 | 219 /* XXX: still need to handle XMPP-style errors */ |
220 xmlnode *error; | |
221 char *buf, *err_txt = NULL; | |
222 const char *code = NULL; | |
223 if((error = xmlnode_get_child(packet, "error"))) { | |
224 code = xmlnode_get_attrib(error, "code"); | |
225 err_txt = xmlnode_get_data(error); | |
226 } | |
227 buf = g_strdup_printf("%s%s%s", code ? code : "", code ? ": " : "", | |
228 err_txt ? err_txt : _("Unknown Error")); | |
229 gaim_connection_error(js->gc, buf); | |
230 if(err_txt) | |
231 g_free(err_txt); | |
232 g_free(buf); | |
7515 | 233 } else if(!strcmp(type, "result")) { |
7514 | 234 query = xmlnode_get_child(packet, "query"); |
235 if(js->stream_id && xmlnode_get_child(query, "digest")) { | |
236 unsigned char hashval[20]; | |
237 char *s, h[41], *p; | |
238 int i; | |
7014 | 239 |
8397 | 240 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth"); |
241 query = xmlnode_get_child(iq->node, "query"); | |
242 x = xmlnode_new_child(query, "username"); | |
243 xmlnode_insert_data(x, js->user->node, -1); | |
244 x = xmlnode_new_child(query, "resource"); | |
245 xmlnode_insert_data(x, js->user->resource, -1); | |
246 | |
7514 | 247 x = xmlnode_new_child(query, "digest"); |
248 s = g_strdup_printf("%s%s", js->stream_id, pw); | |
249 shaBlock((unsigned char *)s, strlen(s), hashval); | |
250 p = h; | |
251 for(i=0; i<20; i++, p+=2) | |
252 snprintf(p, 3, "%02x", hashval[i]); | |
253 xmlnode_insert_data(x, h, -1); | |
254 g_free(s); | |
8397 | 255 jabber_iq_set_callback(iq, auth_old_result_cb, NULL); |
256 jabber_iq_send(iq); | |
257 | |
258 } else if(xmlnode_get_child(query, "password")) { | |
259 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, | |
260 "auth_plain_in_clear", FALSE)) { | |
261 gaim_request_yes_no(js->gc, _("Plaintext Authentication"), | |
262 _("Plaintext Authentication"), | |
263 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"), | |
264 2, js->gc->account, allow_plaintext_auth, | |
265 disallow_plaintext_auth); | |
266 return; | |
267 } | |
268 finish_plaintext_authentication(js); | |
7514 | 269 } else { |
8397 | 270 gaim_connection_error(js->gc, |
271 _("Server does not use any supported authentication method")); | |
272 return; | |
7514 | 273 } |
7014 | 274 } |
275 } | |
276 | |
277 void jabber_auth_start_old(JabberStream *js) | |
278 { | |
279 JabberIq *iq; | |
280 xmlnode *query, *username; | |
281 | |
282 iq = jabber_iq_new_query(js, JABBER_IQ_GET, "jabber:iq:auth"); | |
283 | |
284 query = xmlnode_get_child(iq->node, "query"); | |
285 username = xmlnode_new_child(query, "username"); | |
286 xmlnode_insert_data(username, js->user->node, -1); | |
287 | |
7395 | 288 jabber_iq_set_callback(iq, auth_old_cb, NULL); |
7014 | 289 |
290 jabber_iq_send(iq); | |
291 } | |
292 | |
293 static GHashTable* parse_challenge(const char *challenge) | |
294 { | |
295 GHashTable *ret = g_hash_table_new_full(g_str_hash, g_str_equal, | |
296 g_free, g_free); | |
297 char **pairs; | |
298 int i; | |
299 | |
300 pairs = g_strsplit(challenge, ",", -1); | |
301 | |
302 for(i=0; pairs[i]; i++) { | |
303 char **keyval = g_strsplit(pairs[i], "=", 2); | |
304 if(keyval[0] && keyval[1]) { | |
305 if(keyval[1][0] == '"' && keyval[1][strlen(keyval[1])-1] == '"') | |
306 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strndup(keyval[1]+1, strlen(keyval[1])-2)); | |
307 else | |
308 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strdup(keyval[1])); | |
309 } | |
310 g_strfreev(keyval); | |
311 } | |
312 | |
313 g_strfreev(pairs); | |
314 | |
315 return ret; | |
316 } | |
317 | |
318 static unsigned char* | |
319 generate_response_value(JabberID *jid, const char *passwd, const char *nonce, | |
7267 | 320 const char *cnonce, const char *a2, const char *realm) |
7014 | 321 { |
322 md5_state_t ctx; | |
323 md5_byte_t result[16]; | |
324 | |
325 char *x, *y, *a1, *ha1, *ha2, *kd, *z; | |
326 | |
7267 | 327 x = g_strdup_printf("%s:%s:%s", jid->node, realm, passwd); |
7014 | 328 md5_init(&ctx); |
329 md5_append(&ctx, x, strlen(x)); | |
330 md5_finish(&ctx, result); | |
331 | |
332 y = g_strndup(result, 16); | |
333 | |
8223 | 334 a1 = g_strdup_printf("%s:%s:%s", y, nonce, cnonce); |
7014 | 335 |
336 md5_init(&ctx); | |
337 md5_append(&ctx, a1, strlen(a1)); | |
338 md5_finish(&ctx, result); | |
339 | |
7106
db6bd3e794d8
[gaim-migrate @ 7671]
Christian Hammond <chipx86@chipx86.com>
parents:
7014
diff
changeset
|
340 ha1 = gaim_base16_encode(result, 16); |
7014 | 341 |
342 md5_init(&ctx); | |
343 md5_append(&ctx, a2, strlen(a2)); | |
344 md5_finish(&ctx, result); | |
345 | |
7106
db6bd3e794d8
[gaim-migrate @ 7671]
Christian Hammond <chipx86@chipx86.com>
parents:
7014
diff
changeset
|
346 ha2 = gaim_base16_encode(result, 16); |
7014 | 347 |
348 kd = g_strdup_printf("%s:%s:00000001:%s:auth:%s", ha1, nonce, cnonce, ha2); | |
349 | |
350 md5_init(&ctx); | |
351 md5_append(&ctx, kd, strlen(kd)); | |
352 md5_finish(&ctx, result); | |
353 | |
7106
db6bd3e794d8
[gaim-migrate @ 7671]
Christian Hammond <chipx86@chipx86.com>
parents:
7014
diff
changeset
|
354 z = gaim_base16_encode(result, 16); |
7014 | 355 |
356 g_free(x); | |
357 g_free(y); | |
358 g_free(a1); | |
359 g_free(ha1); | |
360 g_free(ha2); | |
361 g_free(kd); | |
362 | |
363 return z; | |
364 } | |
365 | |
366 void | |
367 jabber_auth_handle_challenge(JabberStream *js, xmlnode *packet) | |
368 { | |
369 | |
7703 | 370 if(js->auth_type == JABBER_AUTH_DIGEST_MD5) { |
7291 | 371 char *enc_in = xmlnode_get_data(packet); |
372 char *dec_in; | |
373 char *enc_out; | |
374 GHashTable *parts; | |
7014 | 375 |
7395 | 376 if(!enc_in) { |
7981 | 377 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7395 | 378 return; |
379 } | |
380 | |
7291 | 381 gaim_base64_decode(enc_in, &dec_in, NULL); |
7395 | 382 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded challenge (%d): %s\n", |
383 strlen(dec_in), dec_in); | |
7291 | 384 |
385 parts = parse_challenge(dec_in); | |
7014 | 386 |
387 | |
7291 | 388 if (g_hash_table_lookup(parts, "rspauth")) { |
389 char *rspauth = g_hash_table_lookup(parts, "rspauth"); | |
7014 | 390 |
391 | |
7291 | 392 if(rspauth && js->expected_rspauth && |
393 !strcmp(rspauth, js->expected_rspauth)) { | |
394 jabber_send_raw(js, | |
7642 | 395 "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl' />", |
396 -1); | |
7291 | 397 } else { |
398 gaim_connection_error(js->gc, _("Invalid challenge from server")); | |
399 } | |
400 g_free(js->expected_rspauth); | |
401 } else { | |
402 /* assemble a response, and send it */ | |
403 /* see RFC 2831 */ | |
404 GString *response = g_string_new(""); | |
405 char *a2; | |
406 char *auth_resp; | |
407 char *buf; | |
408 char *cnonce; | |
409 char *realm; | |
410 char *nonce; | |
7014 | 411 |
7291 | 412 /* we're actually supposed to prompt the user for a realm if |
413 * the server doesn't send one, but that really complicates things, | |
414 * so i'm not gonna worry about it until is poses a problem to | |
415 * someone, or I get really bored */ | |
416 realm = g_hash_table_lookup(parts, "realm"); | |
417 if(!realm) | |
418 realm = js->user->domain; | |
7014 | 419 |
7291 | 420 cnonce = g_strdup_printf("%x%u%x", g_random_int(), (int)time(NULL), |
421 g_random_int()); | |
422 nonce = g_hash_table_lookup(parts, "nonce"); | |
7014 | 423 |
424 | |
7291 | 425 a2 = g_strdup_printf("AUTHENTICATE:xmpp/%s", realm); |
426 auth_resp = generate_response_value(js->user, | |
427 gaim_account_get_password(js->gc->account), nonce, cnonce, a2, realm); | |
428 g_free(a2); | |
429 | |
430 a2 = g_strdup_printf(":xmpp/%s", realm); | |
431 js->expected_rspauth = generate_response_value(js->user, | |
432 gaim_account_get_password(js->gc->account), nonce, cnonce, a2, realm); | |
433 g_free(a2); | |
434 | |
435 | |
436 g_string_append_printf(response, "username=\"%s\"", js->user->node); | |
437 g_string_append_printf(response, ",realm=\"%s\"", realm); | |
438 g_string_append_printf(response, ",nonce=\"%s\"", nonce); | |
439 g_string_append_printf(response, ",cnonce=\"%s\"", cnonce); | |
440 g_string_append_printf(response, ",nc=00000001"); | |
441 g_string_append_printf(response, ",qop=auth"); | |
442 g_string_append_printf(response, ",digest-uri=\"xmpp/%s\"", realm); | |
443 g_string_append_printf(response, ",response=%s", auth_resp); | |
444 g_string_append_printf(response, ",charset=utf-8"); | |
445 | |
446 g_free(auth_resp); | |
447 g_free(cnonce); | |
448 | |
449 enc_out = gaim_base64_encode(response->str, response->len); | |
450 | |
451 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded response (%d): %s\n", response->len, response->str); | |
452 | |
453 buf = g_strdup_printf("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>%s</response>", enc_out); | |
454 | |
7642 | 455 jabber_send_raw(js, buf, -1); |
7291 | 456 |
457 g_free(buf); | |
458 | |
459 g_free(enc_out); | |
460 | |
461 g_string_free(response, TRUE); | |
7014 | 462 } |
7291 | 463 |
464 g_free(enc_in); | |
465 g_free(dec_in); | |
466 g_hash_table_destroy(parts); | |
7014 | 467 } |
468 } | |
469 | |
470 void jabber_auth_handle_success(JabberStream *js, xmlnode *packet) | |
471 { | |
472 const char *ns = xmlnode_get_attrib(packet, "xmlns"); | |
473 | |
474 if(!ns || strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) { | |
7981 | 475 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 476 return; |
477 } | |
478 | |
479 jabber_stream_set_state(js, JABBER_STREAM_REINITIALIZING); | |
480 } | |
481 | |
482 void jabber_auth_handle_failure(JabberStream *js, xmlnode *packet) | |
483 { | |
484 const char *ns = xmlnode_get_attrib(packet, "xmlns"); | |
485 | |
486 if(!ns) | |
7981 | 487 gaim_connection_error(js->gc, _("Invalid response from server.")); |
7014 | 488 else if(!strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) { |
489 if(xmlnode_get_child(packet, "bad-protocol")) { | |
490 gaim_connection_error(js->gc, _("Bad Protocol")); | |
491 } else if(xmlnode_get_child(packet, "encryption-required")) { | |
492 js->gc->wants_to_die = TRUE; | |
493 gaim_connection_error(js->gc, _("Encryption Required")); | |
494 } else if(xmlnode_get_child(packet, "invalid-authzid")) { | |
495 js->gc->wants_to_die = TRUE; | |
496 gaim_connection_error(js->gc, _("Invalid authzid")); | |
497 } else if(xmlnode_get_child(packet, "invalid-mechanism")) { | |
498 js->gc->wants_to_die = TRUE; | |
499 gaim_connection_error(js->gc, _("Invalid Mechanism")); | |
500 } else if(xmlnode_get_child(packet, "invalid-realm")) { | |
501 gaim_connection_error(js->gc, _("Invalid Realm")); | |
502 } else if(xmlnode_get_child(packet, "mechanism-too-weak")) { | |
503 js->gc->wants_to_die = TRUE; | |
504 gaim_connection_error(js->gc, _("Mechanism Too Weak")); | |
505 } else if(xmlnode_get_child(packet, "not-authorized")) { | |
506 js->gc->wants_to_die = TRUE; | |
507 gaim_connection_error(js->gc, _("Not Authorized")); | |
508 } else if(xmlnode_get_child(packet, "temporary-auth-failure")) { | |
509 gaim_connection_error(js->gc, | |
510 _("Temporary Authentication Failure")); | |
511 } else { | |
512 gaim_connection_error(js->gc, _("Authentication Failure")); | |
513 } | |
514 } | |
515 } |