14192
|
1 /*
|
|
2 * gaim - Jabber Protocol Plugin
|
|
3 *
|
|
4 * Copyright (C) 2003, Nathan Walp <faceprint@faceprint.com>
|
|
5 *
|
|
6 * This program is free software; you can redistribute it and/or modify
|
|
7 * it under the terms of the GNU General Public License as published by
|
|
8 * the Free Software Foundation; either version 2 of the License, or
|
|
9 * (at your option) any later version.
|
|
10 *
|
|
11 * This program is distributed in the hope that it will be useful,
|
|
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
14 * GNU General Public License for more details.
|
|
15 *
|
|
16 * You should have received a copy of the GNU General Public License
|
|
17 * along with this program; if not, write to the Free Software
|
|
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
19 *
|
|
20 */
|
|
21 #include "internal.h"
|
|
22
|
|
23 #include "jutil.h"
|
|
24 #include "auth.h"
|
|
25 #include "xmlnode.h"
|
|
26 #include "jabber.h"
|
|
27 #include "iq.h"
|
|
28
|
|
29 #include "debug.h"
|
|
30 #include "util.h"
|
|
31 #include "cipher.h"
|
|
32 #include "sslconn.h"
|
|
33 #include "request.h"
|
|
34
|
|
35 static void auth_old_result_cb(JabberStream *js, xmlnode *packet,
|
|
36 gpointer data);
|
|
37
|
|
38 gboolean
|
|
39 jabber_process_starttls(JabberStream *js, xmlnode *packet)
|
|
40 {
|
|
41 xmlnode *starttls;
|
|
42
|
|
43 if((starttls = xmlnode_get_child(packet, "starttls"))) {
|
14598
|
44 if(gaim_ssl_is_supported()) {
|
14192
|
45 jabber_send_raw(js,
|
|
46 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
|
|
47 return TRUE;
|
|
48 } else if(xmlnode_get_child(starttls, "required")) {
|
14598
|
49 gaim_connection_error(js->gc, _("Server requires TLS/SSL for login. No TLS/SSL support found."));
|
14192
|
50 return TRUE;
|
|
51 }
|
|
52 }
|
|
53
|
|
54 return FALSE;
|
|
55 }
|
|
56
|
|
57 static void finish_plaintext_authentication(JabberStream *js)
|
|
58 {
|
|
59 if(js->auth_type == JABBER_AUTH_PLAIN) {
|
|
60 xmlnode *auth;
|
|
61 GString *response;
|
|
62 gchar *enc_out;
|
|
63
|
|
64 auth = xmlnode_new("auth");
|
|
65 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl");
|
15209
|
66
|
|
67 xmlnode_set_attrib(auth, "xmlns:ga", "http://www.google.com/talk/protocol/auth");
|
15231
|
68 xmlnode_set_attrib(auth, "ga:client-uses-full-bind-result", "true");
|
15209
|
69
|
14192
|
70 response = g_string_new("");
|
|
71 response = g_string_append_len(response, "\0", 1);
|
|
72 response = g_string_append(response, js->user->node);
|
|
73 response = g_string_append_len(response, "\0", 1);
|
|
74 response = g_string_append(response,
|
|
75 gaim_connection_get_password(js->gc));
|
|
76
|
|
77 enc_out = gaim_base64_encode((guchar *)response->str, response->len);
|
|
78
|
|
79 xmlnode_set_attrib(auth, "mechanism", "PLAIN");
|
|
80 xmlnode_insert_data(auth, enc_out, -1);
|
|
81 g_free(enc_out);
|
|
82 g_string_free(response, TRUE);
|
|
83
|
|
84 jabber_send(js, auth);
|
|
85 xmlnode_free(auth);
|
|
86 } else if(js->auth_type == JABBER_AUTH_IQ_AUTH) {
|
|
87 JabberIq *iq;
|
|
88 xmlnode *query, *x;
|
|
89
|
|
90 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
|
|
91 query = xmlnode_get_child(iq->node, "query");
|
|
92 x = xmlnode_new_child(query, "username");
|
|
93 xmlnode_insert_data(x, js->user->node, -1);
|
|
94 x = xmlnode_new_child(query, "resource");
|
|
95 xmlnode_insert_data(x, js->user->resource, -1);
|
|
96 x = xmlnode_new_child(query, "password");
|
|
97 xmlnode_insert_data(x, gaim_connection_get_password(js->gc), -1);
|
|
98 jabber_iq_set_callback(iq, auth_old_result_cb, NULL);
|
|
99 jabber_iq_send(iq);
|
|
100 }
|
|
101 }
|
|
102
|
|
103 static void allow_plaintext_auth(GaimAccount *account)
|
|
104 {
|
|
105 gaim_account_set_bool(account, "auth_plain_in_clear", TRUE);
|
|
106
|
|
107 finish_plaintext_authentication(account->gc->proto_data);
|
|
108 }
|
|
109
|
|
110 static void disallow_plaintext_auth(GaimAccount *account)
|
|
111 {
|
|
112 gaim_connection_error(account->gc, _("Server requires plaintext authentication over an unencrypted stream"));
|
|
113 }
|
|
114
|
|
115 #ifdef HAVE_CYRUS_SASL
|
|
116
|
|
117 static void jabber_auth_start_cyrus(JabberStream *);
|
|
118
|
|
119 /* Callbacks for Cyrus SASL */
|
|
120
|
|
121 static int jabber_sasl_cb_realm(void *ctx, int id, const char **avail, const char **result)
|
|
122 {
|
|
123 JabberStream *js = (JabberStream *)ctx;
|
|
124
|
|
125 if (id != SASL_CB_GETREALM || !result) return SASL_BADPARAM;
|
|
126
|
|
127 *result = js->user->domain;
|
|
128
|
|
129 return SASL_OK;
|
|
130 }
|
|
131
|
|
132 static int jabber_sasl_cb_simple(void *ctx, int id, const char **res, unsigned *len)
|
|
133 {
|
|
134 JabberStream *js = (JabberStream *)ctx;
|
|
135
|
|
136 switch(id) {
|
|
137 case SASL_CB_AUTHNAME:
|
|
138 *res = js->user->node;
|
|
139 break;
|
|
140 case SASL_CB_USER:
|
|
141 *res = "";
|
|
142 break;
|
|
143 default:
|
|
144 return SASL_BADPARAM;
|
|
145 }
|
|
146 if (len) *len = strlen((char *)*res);
|
|
147 return SASL_OK;
|
|
148 }
|
|
149
|
|
150 static int jabber_sasl_cb_secret(sasl_conn_t *conn, void *ctx, int id, sasl_secret_t **secret)
|
|
151 {
|
|
152 JabberStream *js = (JabberStream *)ctx;
|
|
153 const char *pw = gaim_account_get_password(js->gc->account);
|
|
154 size_t len;
|
|
155 static sasl_secret_t *x = NULL;
|
|
156
|
|
157 if (!conn || !secret || id != SASL_CB_PASS)
|
|
158 return SASL_BADPARAM;
|
|
159
|
|
160 len = strlen(pw);
|
|
161 x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
|
|
162
|
|
163 if (!x)
|
|
164 return SASL_NOMEM;
|
|
165
|
|
166 x->len = len;
|
|
167 strcpy((char*)x->data, pw);
|
|
168
|
|
169 *secret = x;
|
|
170 return SASL_OK;
|
|
171 }
|
|
172
|
|
173 static void allow_cyrus_plaintext_auth(GaimAccount *account)
|
|
174 {
|
|
175 gaim_account_set_bool(account, "auth_plain_in_clear", TRUE);
|
|
176
|
|
177 jabber_auth_start_cyrus(account->gc->proto_data);
|
|
178 }
|
|
179
|
|
180 static void jabber_auth_start_cyrus(JabberStream *js)
|
|
181 {
|
|
182 const char *clientout = NULL, *mech = NULL;
|
|
183 char *enc_out;
|
|
184 unsigned coutlen = 0;
|
|
185 xmlnode *auth;
|
|
186 sasl_security_properties_t secprops;
|
|
187 gboolean again;
|
|
188 gboolean plaintext = TRUE;
|
|
189
|
|
190 /* Set up security properties and options */
|
|
191 secprops.min_ssf = 0;
|
|
192 secprops.security_flags = SASL_SEC_NOANONYMOUS;
|
|
193
|
|
194 if (!js->gsc) {
|
|
195 secprops.max_ssf = -1;
|
|
196 secprops.maxbufsize = 4096;
|
|
197 plaintext = gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE);
|
|
198 if (!plaintext)
|
|
199 secprops.security_flags |= SASL_SEC_NOPLAINTEXT;
|
|
200 } else {
|
|
201 secprops.max_ssf = 0;
|
|
202 secprops.maxbufsize = 0;
|
|
203 plaintext = TRUE;
|
|
204 }
|
|
205 secprops.property_names = 0;
|
|
206 secprops.property_values = 0;
|
|
207
|
|
208 do {
|
|
209 again = FALSE;
|
|
210 /* Use the user's domain for compatibility with the old
|
|
211 * DIGESTMD5 code. Note that this may cause problems where
|
|
212 * the user's domain doesn't match the FQDN of the jabber
|
|
213 * service
|
|
214 */
|
|
215
|
|
216 js->sasl_state = sasl_client_new("xmpp", js->user->domain, NULL, NULL, js->sasl_cb, 0, &js->sasl);
|
|
217 if (js->sasl_state==SASL_OK) {
|
|
218 sasl_setprop(js->sasl, SASL_SEC_PROPS, &secprops);
|
|
219 gaim_debug_info("sasl", "Mechs found: %s\n", js->sasl_mechs->str);
|
|
220 js->sasl_state = sasl_client_start(js->sasl, js->sasl_mechs->str, NULL, &clientout, &coutlen, &mech);
|
|
221 }
|
|
222 switch (js->sasl_state) {
|
|
223 /* Success */
|
|
224 case SASL_OK:
|
|
225 case SASL_CONTINUE:
|
|
226 break;
|
|
227 case SASL_NOMECH:
|
|
228 /* No mechanisms do what we want. See if we can add
|
|
229 * plaintext ones to the list. */
|
|
230
|
|
231 if (!gaim_account_get_password(js->gc->account)) {
|
|
232 gaim_connection_error(js->gc, _("Server couldn't authenticate you without a password"));
|
|
233 return;
|
|
234 } else if (!plaintext) {
|
|
235 gaim_request_yes_no(js->gc, _("Plaintext Authentication"),
|
|
236 _("Plaintext Authentication"),
|
|
237 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
|
|
238 2, js->gc->account,
|
|
239 allow_cyrus_plaintext_auth,
|
|
240 disallow_plaintext_auth);
|
|
241 return;
|
|
242 } else {
|
|
243 gaim_connection_error(js->gc, _("Server does not use any supported authentication method"));
|
|
244 return;
|
|
245 }
|
|
246 /* not reached */
|
|
247 break;
|
|
248
|
|
249 /* Fatal errors. Give up and go home */
|
|
250 case SASL_BADPARAM:
|
|
251 case SASL_NOMEM:
|
|
252 break;
|
|
253
|
|
254 /* For everything else, fail the mechanism and try again */
|
|
255 default:
|
|
256 gaim_debug_info("sasl", "sasl_state is %d, failing the mech and trying again\n", js->sasl_state);
|
|
257
|
|
258 /*
|
|
259 * DAA: is this right?
|
|
260 * The manpage says that "mech" will contain the chosen mechanism on success.
|
|
261 * Presumably, if we get here that isn't the case and we shouldn't try again?
|
|
262 * I suspect that this never happens.
|
|
263 */
|
|
264 if (mech && strlen(mech) > 0) {
|
|
265 char *pos;
|
|
266 if ((pos = strstr(js->sasl_mechs->str, mech))) {
|
|
267 g_string_erase(js->sasl_mechs, pos-js->sasl_mechs->str, strlen(mech));
|
|
268 }
|
|
269 again = TRUE;
|
|
270 }
|
|
271
|
|
272 sasl_dispose(&js->sasl);
|
|
273 }
|
|
274 } while (again);
|
|
275
|
|
276 if (js->sasl_state == SASL_CONTINUE || js->sasl_state == SASL_OK) {
|
|
277 auth = xmlnode_new("auth");
|
|
278 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl");
|
|
279 xmlnode_set_attrib(auth, "mechanism", mech);
|
|
280 if (clientout) {
|
|
281 if (coutlen == 0) {
|
|
282 xmlnode_insert_data(auth, "=", -1);
|
|
283 } else {
|
|
284 enc_out = gaim_base64_encode((unsigned char*)clientout, coutlen);
|
|
285 xmlnode_insert_data(auth, enc_out, -1);
|
|
286 g_free(enc_out);
|
|
287 }
|
|
288 }
|
|
289 jabber_send(js, auth);
|
|
290 xmlnode_free(auth);
|
|
291 } else {
|
|
292 gaim_connection_error(js->gc, "SASL authentication failed\n");
|
|
293 }
|
|
294 }
|
|
295
|
|
296 static int
|
|
297 jabber_sasl_cb_log(void *context, int level, const char *message)
|
|
298 {
|
|
299 if(level <= SASL_LOG_TRACE)
|
|
300 gaim_debug_info("sasl", "%s\n", message);
|
|
301
|
|
302 return SASL_OK;
|
|
303 }
|
|
304
|
|
305 #endif
|
|
306
|
|
307 void
|
|
308 jabber_auth_start(JabberStream *js, xmlnode *packet)
|
|
309 {
|
|
310 #ifdef HAVE_CYRUS_SASL
|
|
311 int id;
|
|
312 #else
|
|
313 gboolean digest_md5 = FALSE, plain=FALSE;
|
|
314 #endif
|
|
315
|
|
316 xmlnode *mechs, *mechnode;
|
|
317
|
|
318
|
|
319 if(js->registration) {
|
|
320 jabber_register_start(js);
|
|
321 return;
|
|
322 }
|
|
323
|
|
324 mechs = xmlnode_get_child(packet, "mechanisms");
|
|
325
|
|
326 if(!mechs) {
|
|
327 gaim_connection_error(js->gc, _("Invalid response from server."));
|
|
328 return;
|
|
329 }
|
|
330
|
|
331 #ifdef HAVE_CYRUS_SASL
|
|
332 js->sasl_mechs = g_string_new("");
|
|
333 #endif
|
|
334
|
|
335 for(mechnode = xmlnode_get_child(mechs, "mechanism"); mechnode;
|
|
336 mechnode = xmlnode_get_next_twin(mechnode))
|
|
337 {
|
|
338 char *mech_name = xmlnode_get_data(mechnode);
|
|
339 #ifdef HAVE_CYRUS_SASL
|
|
340 g_string_append(js->sasl_mechs, mech_name);
|
|
341 g_string_append_c(js->sasl_mechs, ' ');
|
|
342 #else
|
|
343 if(mech_name && !strcmp(mech_name, "DIGEST-MD5"))
|
|
344 digest_md5 = TRUE;
|
|
345 else if(mech_name && !strcmp(mech_name, "PLAIN"))
|
|
346 plain = TRUE;
|
|
347 #endif
|
|
348 g_free(mech_name);
|
|
349 }
|
|
350
|
|
351 #ifdef HAVE_CYRUS_SASL
|
|
352 js->auth_type = JABBER_AUTH_CYRUS;
|
|
353
|
|
354 /* Set up our callbacks structure */
|
|
355 js->sasl_cb = g_new0(sasl_callback_t,6);
|
|
356
|
|
357 id = 0;
|
|
358 js->sasl_cb[id].id = SASL_CB_GETREALM;
|
|
359 js->sasl_cb[id].proc = jabber_sasl_cb_realm;
|
|
360 js->sasl_cb[id].context = (void *)js;
|
|
361 id++;
|
|
362
|
|
363 js->sasl_cb[id].id = SASL_CB_AUTHNAME;
|
|
364 js->sasl_cb[id].proc = jabber_sasl_cb_simple;
|
|
365 js->sasl_cb[id].context = (void *)js;
|
|
366 id++;
|
|
367
|
|
368 js->sasl_cb[id].id = SASL_CB_USER;
|
|
369 js->sasl_cb[id].proc = jabber_sasl_cb_simple;
|
|
370 js->sasl_cb[id].context = (void *)js;
|
|
371 id++;
|
|
372
|
|
373 if (gaim_account_get_password(js->gc->account)) {
|
|
374 js->sasl_cb[id].id = SASL_CB_PASS;
|
|
375 js->sasl_cb[id].proc = jabber_sasl_cb_secret;
|
|
376 js->sasl_cb[id].context = (void *)js;
|
|
377 id++;
|
|
378 }
|
|
379
|
|
380 js->sasl_cb[id].id = SASL_CB_LOG;
|
|
381 js->sasl_cb[id].proc = jabber_sasl_cb_log;
|
|
382 js->sasl_cb[id].context = (void*)js;
|
|
383 id++;
|
|
384
|
|
385 js->sasl_cb[id].id = SASL_CB_LIST_END;
|
|
386
|
|
387 jabber_auth_start_cyrus(js);
|
|
388 #else
|
|
389
|
|
390 if(digest_md5) {
|
|
391 xmlnode *auth;
|
|
392
|
|
393 js->auth_type = JABBER_AUTH_DIGEST_MD5;
|
|
394 auth = xmlnode_new("auth");
|
|
395 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl");
|
|
396 xmlnode_set_attrib(auth, "mechanism", "DIGEST-MD5");
|
|
397
|
|
398 jabber_send(js, auth);
|
|
399 xmlnode_free(auth);
|
|
400 } else if(plain) {
|
|
401 js->auth_type = JABBER_AUTH_PLAIN;
|
|
402
|
|
403 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE)) {
|
|
404 gaim_request_yes_no(js->gc, _("Plaintext Authentication"),
|
|
405 _("Plaintext Authentication"),
|
|
406 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
|
|
407 2, js->gc->account, allow_plaintext_auth,
|
|
408 disallow_plaintext_auth);
|
|
409 return;
|
|
410 }
|
|
411 finish_plaintext_authentication(js);
|
|
412 } else {
|
|
413 gaim_connection_error(js->gc,
|
|
414 _("Server does not use any supported authentication method"));
|
|
415 }
|
|
416 #endif
|
|
417 }
|
|
418
|
|
419 static void auth_old_result_cb(JabberStream *js, xmlnode *packet, gpointer data)
|
|
420 {
|
|
421 const char *type = xmlnode_get_attrib(packet, "type");
|
|
422
|
|
423 if(type && !strcmp(type, "result")) {
|
|
424 jabber_stream_set_state(js, JABBER_STREAM_CONNECTED);
|
|
425 } else {
|
|
426 char *msg = jabber_parse_error(js, packet);
|
|
427 xmlnode *error;
|
|
428 const char *err_code;
|
|
429
|
|
430 if((error = xmlnode_get_child(packet, "error")) &&
|
|
431 (err_code = xmlnode_get_attrib(error, "code")) &&
|
|
432 !strcmp(err_code, "401")) {
|
|
433 js->gc->wants_to_die = TRUE;
|
|
434 }
|
|
435
|
|
436 gaim_connection_error(js->gc, msg);
|
|
437 g_free(msg);
|
|
438 }
|
|
439 }
|
|
440
|
|
441 static void auth_old_cb(JabberStream *js, xmlnode *packet, gpointer data)
|
|
442 {
|
|
443 JabberIq *iq;
|
|
444 xmlnode *query, *x;
|
|
445 const char *type = xmlnode_get_attrib(packet, "type");
|
|
446 const char *pw = gaim_connection_get_password(js->gc);
|
|
447
|
|
448 if(!type) {
|
|
449 gaim_connection_error(js->gc, _("Invalid response from server."));
|
|
450 return;
|
|
451 } else if(!strcmp(type, "error")) {
|
|
452 char *msg = jabber_parse_error(js, packet);
|
|
453 gaim_connection_error(js->gc, msg);
|
|
454 g_free(msg);
|
|
455 } else if(!strcmp(type, "result")) {
|
|
456 query = xmlnode_get_child(packet, "query");
|
|
457 if(js->stream_id && xmlnode_get_child(query, "digest")) {
|
|
458 unsigned char hashval[20];
|
|
459 char *s, h[41], *p;
|
|
460 int i;
|
|
461
|
|
462 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
|
|
463 query = xmlnode_get_child(iq->node, "query");
|
|
464 x = xmlnode_new_child(query, "username");
|
|
465 xmlnode_insert_data(x, js->user->node, -1);
|
|
466 x = xmlnode_new_child(query, "resource");
|
|
467 xmlnode_insert_data(x, js->user->resource, -1);
|
|
468
|
|
469 x = xmlnode_new_child(query, "digest");
|
|
470 s = g_strdup_printf("%s%s", js->stream_id, pw);
|
|
471
|
|
472 gaim_cipher_digest_region("sha1", (guchar *)s, strlen(s),
|
|
473 sizeof(hashval), hashval, NULL);
|
|
474
|
|
475 p = h;
|
|
476 for(i=0; i<20; i++, p+=2)
|
|
477 snprintf(p, 3, "%02x", hashval[i]);
|
|
478 xmlnode_insert_data(x, h, -1);
|
|
479 g_free(s);
|
|
480 jabber_iq_set_callback(iq, auth_old_result_cb, NULL);
|
|
481 jabber_iq_send(iq);
|
|
482
|
|
483 } else if(xmlnode_get_child(query, "password")) {
|
|
484 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account,
|
|
485 "auth_plain_in_clear", FALSE)) {
|
|
486 gaim_request_yes_no(js->gc, _("Plaintext Authentication"),
|
|
487 _("Plaintext Authentication"),
|
|
488 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
|
|
489 2, js->gc->account, allow_plaintext_auth,
|
|
490 disallow_plaintext_auth);
|
|
491 return;
|
|
492 }
|
|
493 finish_plaintext_authentication(js);
|
|
494 } else {
|
|
495 gaim_connection_error(js->gc,
|
|
496 _("Server does not use any supported authentication method"));
|
|
497 return;
|
|
498 }
|
|
499 }
|
|
500 }
|
|
501
|
|
502 void jabber_auth_start_old(JabberStream *js)
|
|
503 {
|
|
504 JabberIq *iq;
|
|
505 xmlnode *query, *username;
|
|
506
|
|
507 iq = jabber_iq_new_query(js, JABBER_IQ_GET, "jabber:iq:auth");
|
|
508
|
|
509 query = xmlnode_get_child(iq->node, "query");
|
|
510 username = xmlnode_new_child(query, "username");
|
|
511 xmlnode_insert_data(username, js->user->node, -1);
|
|
512
|
|
513 jabber_iq_set_callback(iq, auth_old_cb, NULL);
|
|
514
|
|
515 jabber_iq_send(iq);
|
|
516 }
|
|
517
|
|
518 static GHashTable* parse_challenge(const char *challenge)
|
|
519 {
|
|
520 GHashTable *ret = g_hash_table_new_full(g_str_hash, g_str_equal,
|
|
521 g_free, g_free);
|
|
522 char **pairs;
|
|
523 int i;
|
|
524
|
|
525 pairs = g_strsplit(challenge, ",", -1);
|
|
526
|
|
527 for(i=0; pairs[i]; i++) {
|
|
528 char **keyval = g_strsplit(pairs[i], "=", 2);
|
|
529 if(keyval[0] && keyval[1]) {
|
|
530 if(keyval[1][0] == '"' && keyval[1][strlen(keyval[1])-1] == '"')
|
|
531 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strndup(keyval[1]+1, strlen(keyval[1])-2));
|
|
532 else
|
|
533 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strdup(keyval[1]));
|
|
534 }
|
|
535 g_strfreev(keyval);
|
|
536 }
|
|
537
|
|
538 g_strfreev(pairs);
|
|
539
|
|
540 return ret;
|
|
541 }
|
|
542
|
|
543 static char *
|
|
544 generate_response_value(JabberID *jid, const char *passwd, const char *nonce,
|
|
545 const char *cnonce, const char *a2, const char *realm)
|
|
546 {
|
|
547 GaimCipher *cipher;
|
|
548 GaimCipherContext *context;
|
|
549 guchar result[16];
|
|
550 size_t a1len;
|
|
551
|
|
552 gchar *a1, *convnode=NULL, *convpasswd = NULL, *ha1, *ha2, *kd, *x, *z;
|
|
553
|
|
554 if((convnode = g_convert(jid->node, strlen(jid->node), "iso-8859-1", "utf-8",
|
|
555 NULL, NULL, NULL)) == NULL) {
|
|
556 convnode = g_strdup(jid->node);
|
|
557 }
|
|
558 if(passwd && ((convpasswd = g_convert(passwd, strlen(passwd), "iso-8859-1",
|
|
559 "utf-8", NULL, NULL, NULL)) == NULL)) {
|
|
560 convpasswd = g_strdup(passwd);
|
|
561 }
|
|
562
|
|
563 cipher = gaim_ciphers_find_cipher("md5");
|
|
564 context = gaim_cipher_context_new(cipher, NULL);
|
|
565
|
|
566 x = g_strdup_printf("%s:%s:%s", convnode, realm, convpasswd ? convpasswd : "");
|
|
567 gaim_cipher_context_append(context, (const guchar *)x, strlen(x));
|
|
568 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
|
|
569
|
|
570 a1 = g_strdup_printf("xxxxxxxxxxxxxxxx:%s:%s", nonce, cnonce);
|
|
571 a1len = strlen(a1);
|
|
572 g_memmove(a1, result, 16);
|
|
573
|
|
574 gaim_cipher_context_reset(context, NULL);
|
|
575 gaim_cipher_context_append(context, (const guchar *)a1, a1len);
|
|
576 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
|
|
577
|
|
578 ha1 = gaim_base16_encode(result, 16);
|
|
579
|
|
580 gaim_cipher_context_reset(context, NULL);
|
|
581 gaim_cipher_context_append(context, (const guchar *)a2, strlen(a2));
|
|
582 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
|
|
583
|
|
584 ha2 = gaim_base16_encode(result, 16);
|
|
585
|
|
586 kd = g_strdup_printf("%s:%s:00000001:%s:auth:%s", ha1, nonce, cnonce, ha2);
|
|
587
|
|
588 gaim_cipher_context_reset(context, NULL);
|
|
589 gaim_cipher_context_append(context, (const guchar *)kd, strlen(kd));
|
|
590 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
|
|
591 gaim_cipher_context_destroy(context);
|
|
592
|
|
593 z = gaim_base16_encode(result, 16);
|
|
594
|
|
595 g_free(convnode);
|
|
596 g_free(convpasswd);
|
|
597 g_free(x);
|
|
598 g_free(a1);
|
|
599 g_free(ha1);
|
|
600 g_free(ha2);
|
|
601 g_free(kd);
|
|
602
|
|
603 return z;
|
|
604 }
|
|
605
|
|
606 void
|
|
607 jabber_auth_handle_challenge(JabberStream *js, xmlnode *packet)
|
|
608 {
|
|
609
|
|
610 if(js->auth_type == JABBER_AUTH_DIGEST_MD5) {
|
|
611 char *enc_in = xmlnode_get_data(packet);
|
|
612 char *dec_in;
|
|
613 char *enc_out;
|
|
614 GHashTable *parts;
|
|
615
|
|
616 if(!enc_in) {
|
|
617 gaim_connection_error(js->gc, _("Invalid response from server."));
|
|
618 return;
|
|
619 }
|
|
620
|
|
621 dec_in = (char *)gaim_base64_decode(enc_in, NULL);
|
|
622 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded challenge (%d): %s\n",
|
|
623 strlen(dec_in), dec_in);
|
|
624
|
|
625 parts = parse_challenge(dec_in);
|
|
626
|
|
627
|
|
628 if (g_hash_table_lookup(parts, "rspauth")) {
|
|
629 char *rspauth = g_hash_table_lookup(parts, "rspauth");
|
|
630
|
|
631
|
|
632 if(rspauth && js->expected_rspauth &&
|
|
633 !strcmp(rspauth, js->expected_rspauth)) {
|
|
634 jabber_send_raw(js,
|
|
635 "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl' />",
|
|
636 -1);
|
|
637 } else {
|
|
638 gaim_connection_error(js->gc, _("Invalid challenge from server"));
|
|
639 }
|
|
640 g_free(js->expected_rspauth);
|
|
641 } else {
|
|
642 /* assemble a response, and send it */
|
|
643 /* see RFC 2831 */
|
|
644 GString *response = g_string_new("");
|
|
645 char *a2;
|
|
646 char *auth_resp;
|
|
647 char *buf;
|
|
648 char *cnonce;
|
|
649 char *realm;
|
|
650 char *nonce;
|
|
651
|
|
652 /* we're actually supposed to prompt the user for a realm if
|
|
653 * the server doesn't send one, but that really complicates things,
|
|
654 * so i'm not gonna worry about it until is poses a problem to
|
|
655 * someone, or I get really bored */
|
|
656 realm = g_hash_table_lookup(parts, "realm");
|
|
657 if(!realm)
|
|
658 realm = js->user->domain;
|
|
659
|
|
660 cnonce = g_strdup_printf("%x%u%x", g_random_int(), (int)time(NULL),
|
|
661 g_random_int());
|
|
662 nonce = g_hash_table_lookup(parts, "nonce");
|
|
663
|
|
664
|
|
665 a2 = g_strdup_printf("AUTHENTICATE:xmpp/%s", realm);
|
|
666 auth_resp = generate_response_value(js->user,
|
|
667 gaim_connection_get_password(js->gc), nonce, cnonce, a2, realm);
|
|
668 g_free(a2);
|
|
669
|
|
670 a2 = g_strdup_printf(":xmpp/%s", realm);
|
|
671 js->expected_rspauth = generate_response_value(js->user,
|
|
672 gaim_connection_get_password(js->gc), nonce, cnonce, a2, realm);
|
|
673 g_free(a2);
|
|
674
|
|
675
|
|
676 g_string_append_printf(response, "username=\"%s\"", js->user->node);
|
|
677 g_string_append_printf(response, ",realm=\"%s\"", realm);
|
|
678 g_string_append_printf(response, ",nonce=\"%s\"", nonce);
|
|
679 g_string_append_printf(response, ",cnonce=\"%s\"", cnonce);
|
|
680 g_string_append_printf(response, ",nc=00000001");
|
|
681 g_string_append_printf(response, ",qop=auth");
|
|
682 g_string_append_printf(response, ",digest-uri=\"xmpp/%s\"", realm);
|
|
683 g_string_append_printf(response, ",response=%s", auth_resp);
|
|
684 g_string_append_printf(response, ",charset=utf-8");
|
|
685
|
|
686 g_free(auth_resp);
|
|
687 g_free(cnonce);
|
|
688
|
|
689 enc_out = gaim_base64_encode((guchar *)response->str, response->len);
|
|
690
|
|
691 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded response (%d): %s\n", response->len, response->str);
|
|
692
|
|
693 buf = g_strdup_printf("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>%s</response>", enc_out);
|
|
694
|
|
695 jabber_send_raw(js, buf, -1);
|
|
696
|
|
697 g_free(buf);
|
|
698
|
|
699 g_free(enc_out);
|
|
700
|
|
701 g_string_free(response, TRUE);
|
|
702 }
|
|
703
|
|
704 g_free(enc_in);
|
|
705 g_free(dec_in);
|
|
706 g_hash_table_destroy(parts);
|
|
707 }
|
|
708 #ifdef HAVE_CYRUS_SASL
|
|
709 else if (js->auth_type == JABBER_AUTH_CYRUS) {
|
|
710 char *enc_in = xmlnode_get_data(packet);
|
|
711 unsigned char *dec_in;
|
|
712 char *enc_out;
|
|
713 const char *c_out;
|
|
714 unsigned int clen;
|
|
715 gsize declen;
|
|
716 xmlnode *response;
|
|
717
|
|
718 dec_in = gaim_base64_decode(enc_in, &declen);
|
|
719
|
|
720 js->sasl_state = sasl_client_step(js->sasl, (char*)dec_in, declen,
|
|
721 NULL, &c_out, &clen);
|
15108
|
722 g_free(enc_in);
|
14192
|
723 g_free(dec_in);
|
|
724 if (js->sasl_state != SASL_CONTINUE && js->sasl_state != SASL_OK) {
|
|
725 gaim_debug_error("jabber", "Error is %d : %s\n",js->sasl_state,sasl_errdetail(js->sasl));
|
|
726 gaim_connection_error(js->gc, _("SASL error"));
|
|
727 return;
|
|
728 } else {
|
|
729 response = xmlnode_new("response");
|
|
730 xmlnode_set_namespace(response, "urn:ietf:params:xml:ns:xmpp-sasl");
|
|
731 if (c_out) {
|
|
732 enc_out = gaim_base64_encode((unsigned char*)c_out, clen);
|
|
733 xmlnode_insert_data(response, enc_out, -1);
|
|
734 g_free(enc_out);
|
|
735 }
|
|
736 jabber_send(js, response);
|
|
737 xmlnode_free(response);
|
|
738 }
|
|
739 }
|
|
740 #endif
|
|
741 }
|
|
742
|
|
743 void jabber_auth_handle_success(JabberStream *js, xmlnode *packet)
|
|
744 {
|
|
745 const char *ns = xmlnode_get_namespace(packet);
|
|
746 #ifdef HAVE_CYRUS_SASL
|
15081
|
747 const int *x;
|
14192
|
748 #endif
|
|
749
|
|
750 if(!ns || strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) {
|
|
751 gaim_connection_error(js->gc, _("Invalid response from server."));
|
|
752 return;
|
|
753 }
|
|
754
|
|
755 #ifdef HAVE_CYRUS_SASL
|
|
756 /* The SASL docs say that if the client hasn't returned OK yet, we
|
|
757 * should try one more round against it
|
|
758 */
|
|
759 if (js->sasl_state != SASL_OK) {
|
15108
|
760 char *enc_in = xmlnode_get_data(packet);
|
|
761 unsigned char *dec_in = NULL;
|
15050
|
762 const char *c_out;
|
|
763 unsigned int clen;
|
15108
|
764 gsize declen = 0;
|
|
765
|
|
766 if(enc_in != NULL)
|
|
767 dec_in = gaim_base64_decode(enc_in, &declen);
|
|
768
|
|
769 js->sasl_state = sasl_client_step(js->sasl, (char*)dec_in, declen, NULL, &c_out, &clen);
|
|
770
|
|
771 g_free(enc_in);
|
|
772 g_free(dec_in);
|
|
773
|
14192
|
774 if (js->sasl_state != SASL_OK) {
|
|
775 /* This should never happen! */
|
|
776 gaim_connection_error(js->gc, _("Invalid response from server."));
|
|
777 }
|
|
778 }
|
|
779 /* If we've negotiated a security layer, we need to enable it */
|
15081
|
780 sasl_getprop(js->sasl, SASL_SSF, &x);
|
|
781 if (*x > 0) {
|
|
782 sasl_getprop(js->sasl, SASL_MAXOUTBUF, &x);
|
14192
|
783 js->sasl_maxbuf = *x;
|
|
784 }
|
|
785 #endif
|
|
786
|
|
787 jabber_stream_set_state(js, JABBER_STREAM_REINITIALIZING);
|
|
788 }
|
|
789
|
|
790 void jabber_auth_handle_failure(JabberStream *js, xmlnode *packet)
|
|
791 {
|
|
792 char *msg = jabber_parse_error(js, packet);
|
|
793
|
|
794 if(!msg) {
|
|
795 gaim_connection_error(js->gc, _("Invalid response from server."));
|
|
796 } else {
|
|
797 gaim_connection_error(js->gc, msg);
|
|
798 g_free(msg);
|
|
799 }
|
|
800 }
|