Mercurial > pidgin3 / file comparison

comparison: libgaim/protocols/jabber/auth.c

libgaim/protocols/jabber/auth.c

branch
gaim
changeset 20470
77693555855f
parent 12549
0fc163c4927a
parent 15293
6e1d6e29cd99
child 20471
1966704b3e42
equal deleted inserted replaced
13071:b98e72d4089a 20470:77693555855f
1 /*
2 * gaim - Jabber Protocol Plugin
3 *
4 * Copyright (C) 2003, Nathan Walp <faceprint@faceprint.com>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21 #include "internal.h"
22
23 #include "jutil.h"
24 #include "auth.h"
25 #include "xmlnode.h"
26 #include "jabber.h"
27 #include "iq.h"
28
29 #include "debug.h"
30 #include "util.h"
31 #include "cipher.h"
32 #include "sslconn.h"
33 #include "request.h"
34
35 static void auth_old_result_cb(JabberStream *js, xmlnode *packet,
36 gpointer data);
37
38 gboolean
39 jabber_process_starttls(JabberStream *js, xmlnode *packet)
40 {
41 xmlnode *starttls;
42
43 if((starttls = xmlnode_get_child(packet, "starttls"))) {
44 if(gaim_ssl_is_supported()) {
45 jabber_send_raw(js,
46 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
47 return TRUE;
48 } else if(xmlnode_get_child(starttls, "required")) {
49 gaim_connection_error(js->gc, _("Server requires TLS/SSL for login. No TLS/SSL support found."));
50 return TRUE;
51 }
52 }
53
54 return FALSE;
55 }
56
57 static void finish_plaintext_authentication(JabberStream *js)
58 {
59 if(js->auth_type == JABBER_AUTH_PLAIN) {
60 xmlnode *auth;
61 GString *response;
62 gchar *enc_out;
63
64 auth = xmlnode_new("auth");
65 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl");
66
67 xmlnode_set_attrib(auth, "xmlns:ga", "http://www.google.com/talk/protocol/auth");
68 xmlnode_set_attrib(auth, "ga:client-uses-full-bind-result", "true");
69
70 response = g_string_new("");
71 response = g_string_append_len(response, "\0", 1);
72 response = g_string_append(response, js->user->node);
73 response = g_string_append_len(response, "\0", 1);
74 response = g_string_append(response,
75 gaim_connection_get_password(js->gc));
76
77 enc_out = gaim_base64_encode((guchar *)response->str, response->len);
78
79 xmlnode_set_attrib(auth, "mechanism", "PLAIN");
80 xmlnode_insert_data(auth, enc_out, -1);
81 g_free(enc_out);
82 g_string_free(response, TRUE);
83
84 jabber_send(js, auth);
85 xmlnode_free(auth);
86 } else if(js->auth_type == JABBER_AUTH_IQ_AUTH) {
87 JabberIq *iq;
88 xmlnode *query, *x;
89
90 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
91 query = xmlnode_get_child(iq->node, "query");
92 x = xmlnode_new_child(query, "username");
93 xmlnode_insert_data(x, js->user->node, -1);
94 x = xmlnode_new_child(query, "resource");
95 xmlnode_insert_data(x, js->user->resource, -1);
96 x = xmlnode_new_child(query, "password");
97 xmlnode_insert_data(x, gaim_connection_get_password(js->gc), -1);
98 jabber_iq_set_callback(iq, auth_old_result_cb, NULL);
99 jabber_iq_send(iq);
100 }
101 }
102
103 static void allow_plaintext_auth(GaimAccount *account)
104 {
105 gaim_account_set_bool(account, "auth_plain_in_clear", TRUE);
106
107 finish_plaintext_authentication(account->gc->proto_data);
108 }
109
110 static void disallow_plaintext_auth(GaimAccount *account)
111 {
112 gaim_connection_error(account->gc, _("Server requires plaintext authentication over an unencrypted stream"));
113 }
114
115 #ifdef HAVE_CYRUS_SASL
116
117 static void jabber_auth_start_cyrus(JabberStream *);
118
119 /* Callbacks for Cyrus SASL */
120
121 static int jabber_sasl_cb_realm(void *ctx, int id, const char **avail, const char **result)
122 {
123 JabberStream *js = (JabberStream *)ctx;
124
125 if (id != SASL_CB_GETREALM || !result) return SASL_BADPARAM;
126
127 *result = js->user->domain;
128
129 return SASL_OK;
130 }
131
132 static int jabber_sasl_cb_simple(void *ctx, int id, const char **res, unsigned *len)
133 {
134 JabberStream *js = (JabberStream *)ctx;
135
136 switch(id) {
137 case SASL_CB_AUTHNAME:
138 *res = js->user->node;
139 break;
140 case SASL_CB_USER:
141 *res = "";
142 break;
143 default:
144 return SASL_BADPARAM;
145 }
146 if (len) *len = strlen((char *)*res);
147 return SASL_OK;
148 }
149
150 static int jabber_sasl_cb_secret(sasl_conn_t *conn, void *ctx, int id, sasl_secret_t **secret)
151 {
152 JabberStream *js = (JabberStream *)ctx;
153 const char *pw = gaim_account_get_password(js->gc->account);
154 size_t len;
155 static sasl_secret_t *x = NULL;
156
157 if (!conn || !secret || id != SASL_CB_PASS)
158 return SASL_BADPARAM;
159
160 len = strlen(pw);
161 x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
162
163 if (!x)
164 return SASL_NOMEM;
165
166 x->len = len;
167 strcpy((char*)x->data, pw);
168
169 *secret = x;
170 return SASL_OK;
171 }
172
173 static void allow_cyrus_plaintext_auth(GaimAccount *account)
174 {
175 gaim_account_set_bool(account, "auth_plain_in_clear", TRUE);
176
177 jabber_auth_start_cyrus(account->gc->proto_data);
178 }
179
180 static void jabber_auth_start_cyrus(JabberStream *js)
181 {
182 const char *clientout = NULL, *mech = NULL;
183 char *enc_out;
184 unsigned coutlen = 0;
185 xmlnode *auth;
186 sasl_security_properties_t secprops;
187 gboolean again;
188 gboolean plaintext = TRUE;
189
190 /* Set up security properties and options */
191 secprops.min_ssf = 0;
192 secprops.security_flags = SASL_SEC_NOANONYMOUS;
193
194 if (!js->gsc) {
195 secprops.max_ssf = -1;
196 secprops.maxbufsize = 4096;
197 plaintext = gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE);
198 if (!plaintext)
199 secprops.security_flags |= SASL_SEC_NOPLAINTEXT;
200 } else {
201 secprops.max_ssf = 0;
202 secprops.maxbufsize = 0;
203 plaintext = TRUE;
204 }
205 secprops.property_names = 0;
206 secprops.property_values = 0;
207
208 do {
209 again = FALSE;
210 /* Use the user's domain for compatibility with the old
211 * DIGESTMD5 code. Note that this may cause problems where
212 * the user's domain doesn't match the FQDN of the jabber
213 * service
214 */
215
216 js->sasl_state = sasl_client_new("xmpp", js->user->domain, NULL, NULL, js->sasl_cb, 0, &js->sasl);
217 if (js->sasl_state==SASL_OK) {
218 sasl_setprop(js->sasl, SASL_SEC_PROPS, &secprops);
219 gaim_debug_info("sasl", "Mechs found: %s\n", js->sasl_mechs->str);
220 js->sasl_state = sasl_client_start(js->sasl, js->sasl_mechs->str, NULL, &clientout, &coutlen, &mech);
221 }
222 switch (js->sasl_state) {
223 /* Success */
224 case SASL_OK:
225 case SASL_CONTINUE:
226 break;
227 case SASL_NOMECH:
228 /* No mechanisms do what we want. See if we can add
229 * plaintext ones to the list. */
230
231 if (!gaim_account_get_password(js->gc->account)) {
232 gaim_connection_error(js->gc, _("Server couldn't authenticate you without a password"));
233 return;
234 } else if (!plaintext) {
235 gaim_request_yes_no(js->gc, _("Plaintext Authentication"),
236 _("Plaintext Authentication"),
237 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
238 2, js->gc->account,
239 allow_cyrus_plaintext_auth,
240 disallow_plaintext_auth);
241 return;
242 } else {
243 gaim_connection_error(js->gc, _("Server does not use any supported authentication method"));
244 return;
245 }
246 /* not reached */
247 break;
248
249 /* Fatal errors. Give up and go home */
250 case SASL_BADPARAM:
251 case SASL_NOMEM:
252 break;
253
254 /* For everything else, fail the mechanism and try again */
255 default:
256 gaim_debug_info("sasl", "sasl_state is %d, failing the mech and trying again\n", js->sasl_state);
257
258 /*
259 * DAA: is this right?
260 * The manpage says that "mech" will contain the chosen mechanism on success.
261 * Presumably, if we get here that isn't the case and we shouldn't try again?
262 * I suspect that this never happens.
263 */
264 if (mech && strlen(mech) > 0) {
265 char *pos;
266 if ((pos = strstr(js->sasl_mechs->str, mech))) {
267 g_string_erase(js->sasl_mechs, pos-js->sasl_mechs->str, strlen(mech));
268 }
269 again = TRUE;
270 }
271
272 sasl_dispose(&js->sasl);
273 }
274 } while (again);
275
276 if (js->sasl_state == SASL_CONTINUE || js->sasl_state == SASL_OK) {
277 auth = xmlnode_new("auth");
278 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl");
279 xmlnode_set_attrib(auth, "mechanism", mech);
280 if (clientout) {
281 if (coutlen == 0) {
282 xmlnode_insert_data(auth, "=", -1);
283 } else {
284 enc_out = gaim_base64_encode((unsigned char*)clientout, coutlen);
285 xmlnode_insert_data(auth, enc_out, -1);
286 g_free(enc_out);
287 }
288 }
289 jabber_send(js, auth);
290 xmlnode_free(auth);
291 } else {
292 gaim_connection_error(js->gc, "SASL authentication failed\n");
293 }
294 }
295
296 static int
297 jabber_sasl_cb_log(void *context, int level, const char *message)
298 {
299 if(level <= SASL_LOG_TRACE)
300 gaim_debug_info("sasl", "%s\n", message);
301
302 return SASL_OK;
303 }
304
305 #endif
306
307 void
308 jabber_auth_start(JabberStream *js, xmlnode *packet)
309 {
310 #ifdef HAVE_CYRUS_SASL
311 int id;
312 #else
313 gboolean digest_md5 = FALSE, plain=FALSE;
314 #endif
315
316 xmlnode *mechs, *mechnode;
317
318
319 if(js->registration) {
320 jabber_register_start(js);
321 return;
322 }
323
324 mechs = xmlnode_get_child(packet, "mechanisms");
325
326 if(!mechs) {
327 gaim_connection_error(js->gc, _("Invalid response from server."));
328 return;
329 }
330
331 #ifdef HAVE_CYRUS_SASL
332 js->sasl_mechs = g_string_new("");
333 #endif
334
335 for(mechnode = xmlnode_get_child(mechs, "mechanism"); mechnode;
336 mechnode = xmlnode_get_next_twin(mechnode))
337 {
338 char *mech_name = xmlnode_get_data(mechnode);
339 #ifdef HAVE_CYRUS_SASL
340 g_string_append(js->sasl_mechs, mech_name);
341 g_string_append_c(js->sasl_mechs, ' ');
342 #else
343 if(mech_name && !strcmp(mech_name, "DIGEST-MD5"))
344 digest_md5 = TRUE;
345 else if(mech_name && !strcmp(mech_name, "PLAIN"))
346 plain = TRUE;
347 #endif
348 g_free(mech_name);
349 }
350
351 #ifdef HAVE_CYRUS_SASL
352 js->auth_type = JABBER_AUTH_CYRUS;
353
354 /* Set up our callbacks structure */
355 js->sasl_cb = g_new0(sasl_callback_t,6);
356
357 id = 0;
358 js->sasl_cb[id].id = SASL_CB_GETREALM;
359 js->sasl_cb[id].proc = jabber_sasl_cb_realm;
360 js->sasl_cb[id].context = (void *)js;
361 id++;
362
363 js->sasl_cb[id].id = SASL_CB_AUTHNAME;
364 js->sasl_cb[id].proc = jabber_sasl_cb_simple;
365 js->sasl_cb[id].context = (void *)js;
366 id++;
367
368 js->sasl_cb[id].id = SASL_CB_USER;
369 js->sasl_cb[id].proc = jabber_sasl_cb_simple;
370 js->sasl_cb[id].context = (void *)js;
371 id++;
372
373 if (gaim_account_get_password(js->gc->account)) {
374 js->sasl_cb[id].id = SASL_CB_PASS;
375 js->sasl_cb[id].proc = jabber_sasl_cb_secret;
376 js->sasl_cb[id].context = (void *)js;
377 id++;
378 }
379
380 js->sasl_cb[id].id = SASL_CB_LOG;
381 js->sasl_cb[id].proc = jabber_sasl_cb_log;
382 js->sasl_cb[id].context = (void*)js;
383 id++;
384
385 js->sasl_cb[id].id = SASL_CB_LIST_END;
386
387 jabber_auth_start_cyrus(js);
388 #else
389
390 if(digest_md5) {
391 xmlnode *auth;
392
393 js->auth_type = JABBER_AUTH_DIGEST_MD5;
394 auth = xmlnode_new("auth");
395 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl");
396 xmlnode_set_attrib(auth, "mechanism", "DIGEST-MD5");
397
398 jabber_send(js, auth);
399 xmlnode_free(auth);
400 } else if(plain) {
401 js->auth_type = JABBER_AUTH_PLAIN;
402
403 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE)) {
404 gaim_request_yes_no(js->gc, _("Plaintext Authentication"),
405 _("Plaintext Authentication"),
406 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
407 2, js->gc->account, allow_plaintext_auth,
408 disallow_plaintext_auth);
409 return;
410 }
411 finish_plaintext_authentication(js);
412 } else {
413 gaim_connection_error(js->gc,
414 _("Server does not use any supported authentication method"));
415 }
416 #endif
417 }
418
419 static void auth_old_result_cb(JabberStream *js, xmlnode *packet, gpointer data)
420 {
421 const char *type = xmlnode_get_attrib(packet, "type");
422
423 if(type && !strcmp(type, "result")) {
424 jabber_stream_set_state(js, JABBER_STREAM_CONNECTED);
425 } else {
426 char *msg = jabber_parse_error(js, packet);
427 xmlnode *error;
428 const char *err_code;
429
430 if((error = xmlnode_get_child(packet, "error")) &&
431 (err_code = xmlnode_get_attrib(error, "code")) &&
432 !strcmp(err_code, "401")) {
433 js->gc->wants_to_die = TRUE;
434 }
435
436 gaim_connection_error(js->gc, msg);
437 g_free(msg);
438 }
439 }
440
441 static void auth_old_cb(JabberStream *js, xmlnode *packet, gpointer data)
442 {
443 JabberIq *iq;
444 xmlnode *query, *x;
445 const char *type = xmlnode_get_attrib(packet, "type");
446 const char *pw = gaim_connection_get_password(js->gc);
447
448 if(!type) {
449 gaim_connection_error(js->gc, _("Invalid response from server."));
450 return;
451 } else if(!strcmp(type, "error")) {
452 char *msg = jabber_parse_error(js, packet);
453 gaim_connection_error(js->gc, msg);
454 g_free(msg);
455 } else if(!strcmp(type, "result")) {
456 query = xmlnode_get_child(packet, "query");
457 if(js->stream_id && xmlnode_get_child(query, "digest")) {
458 unsigned char hashval[20];
459 char *s, h[41], *p;
460 int i;
461
462 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
463 query = xmlnode_get_child(iq->node, "query");
464 x = xmlnode_new_child(query, "username");
465 xmlnode_insert_data(x, js->user->node, -1);
466 x = xmlnode_new_child(query, "resource");
467 xmlnode_insert_data(x, js->user->resource, -1);
468
469 x = xmlnode_new_child(query, "digest");
470 s = g_strdup_printf("%s%s", js->stream_id, pw);
471
472 gaim_cipher_digest_region("sha1", (guchar *)s, strlen(s),
473 sizeof(hashval), hashval, NULL);
474
475 p = h;
476 for(i=0; i<20; i++, p+=2)
477 snprintf(p, 3, "%02x", hashval[i]);
478 xmlnode_insert_data(x, h, -1);
479 g_free(s);
480 jabber_iq_set_callback(iq, auth_old_result_cb, NULL);
481 jabber_iq_send(iq);
482
483 } else if(xmlnode_get_child(query, "password")) {
484 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account,
485 "auth_plain_in_clear", FALSE)) {
486 gaim_request_yes_no(js->gc, _("Plaintext Authentication"),
487 _("Plaintext Authentication"),
488 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
489 2, js->gc->account, allow_plaintext_auth,
490 disallow_plaintext_auth);
491 return;
492 }
493 finish_plaintext_authentication(js);
494 } else {
495 gaim_connection_error(js->gc,
496 _("Server does not use any supported authentication method"));
497 return;
498 }
499 }
500 }
501
502 void jabber_auth_start_old(JabberStream *js)
503 {
504 JabberIq *iq;
505 xmlnode *query, *username;
506
507 iq = jabber_iq_new_query(js, JABBER_IQ_GET, "jabber:iq:auth");
508
509 query = xmlnode_get_child(iq->node, "query");
510 username = xmlnode_new_child(query, "username");
511 xmlnode_insert_data(username, js->user->node, -1);
512
513 jabber_iq_set_callback(iq, auth_old_cb, NULL);
514
515 jabber_iq_send(iq);
516 }
517
518 static GHashTable* parse_challenge(const char *challenge)
519 {
520 GHashTable *ret = g_hash_table_new_full(g_str_hash, g_str_equal,
521 g_free, g_free);
522 char **pairs;
523 int i;
524
525 pairs = g_strsplit(challenge, ",", -1);
526
527 for(i=0; pairs[i]; i++) {
528 char **keyval = g_strsplit(pairs[i], "=", 2);
529 if(keyval[0] && keyval[1]) {
530 if(keyval[1][0] == '"' && keyval[1][strlen(keyval[1])-1] == '"')
531 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strndup(keyval[1]+1, strlen(keyval[1])-2));
532 else
533 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strdup(keyval[1]));
534 }
535 g_strfreev(keyval);
536 }
537
538 g_strfreev(pairs);
539
540 return ret;
541 }
542
543 static char *
544 generate_response_value(JabberID *jid, const char *passwd, const char *nonce,
545 const char *cnonce, const char *a2, const char *realm)
546 {
547 GaimCipher *cipher;
548 GaimCipherContext *context;
549 guchar result[16];
550 size_t a1len;
551
552 gchar *a1, *convnode=NULL, *convpasswd = NULL, *ha1, *ha2, *kd, *x, *z;
553
554 if((convnode = g_convert(jid->node, strlen(jid->node), "iso-8859-1", "utf-8",
555 NULL, NULL, NULL)) == NULL) {
556 convnode = g_strdup(jid->node);
557 }
558 if(passwd && ((convpasswd = g_convert(passwd, strlen(passwd), "iso-8859-1",
559 "utf-8", NULL, NULL, NULL)) == NULL)) {
560 convpasswd = g_strdup(passwd);
561 }
562
563 cipher = gaim_ciphers_find_cipher("md5");
564 context = gaim_cipher_context_new(cipher, NULL);
565
566 x = g_strdup_printf("%s:%s:%s", convnode, realm, convpasswd ? convpasswd : "");
567 gaim_cipher_context_append(context, (const guchar *)x, strlen(x));
568 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
569
570 a1 = g_strdup_printf("xxxxxxxxxxxxxxxx:%s:%s", nonce, cnonce);
571 a1len = strlen(a1);
572 g_memmove(a1, result, 16);
573
574 gaim_cipher_context_reset(context, NULL);
575 gaim_cipher_context_append(context, (const guchar *)a1, a1len);
576 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
577
578 ha1 = gaim_base16_encode(result, 16);
579
580 gaim_cipher_context_reset(context, NULL);
581 gaim_cipher_context_append(context, (const guchar *)a2, strlen(a2));
582 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
583
584 ha2 = gaim_base16_encode(result, 16);
585
586 kd = g_strdup_printf("%s:%s:00000001:%s:auth:%s", ha1, nonce, cnonce, ha2);
587
588 gaim_cipher_context_reset(context, NULL);
589 gaim_cipher_context_append(context, (const guchar *)kd, strlen(kd));
590 gaim_cipher_context_digest(context, sizeof(result), result, NULL);
591 gaim_cipher_context_destroy(context);
592
593 z = gaim_base16_encode(result, 16);
594
595 g_free(convnode);
596 g_free(convpasswd);
597 g_free(x);
598 g_free(a1);
599 g_free(ha1);
600 g_free(ha2);
601 g_free(kd);
602
603 return z;
604 }
605
606 void
607 jabber_auth_handle_challenge(JabberStream *js, xmlnode *packet)
608 {
609
610 if(js->auth_type == JABBER_AUTH_DIGEST_MD5) {
611 char *enc_in = xmlnode_get_data(packet);
612 char *dec_in;
613 char *enc_out;
614 GHashTable *parts;
615
616 if(!enc_in) {
617 gaim_connection_error(js->gc, _("Invalid response from server."));
618 return;
619 }
620
621 dec_in = (char *)gaim_base64_decode(enc_in, NULL);
622 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded challenge (%d): %s\n",
623 strlen(dec_in), dec_in);
624
625 parts = parse_challenge(dec_in);
626
627
628 if (g_hash_table_lookup(parts, "rspauth")) {
629 char *rspauth = g_hash_table_lookup(parts, "rspauth");
630
631
632 if(rspauth && js->expected_rspauth &&
633 !strcmp(rspauth, js->expected_rspauth)) {
634 jabber_send_raw(js,
635 "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl' />",
636 -1);
637 } else {
638 gaim_connection_error(js->gc, _("Invalid challenge from server"));
639 }
640 g_free(js->expected_rspauth);
641 } else {
642 /* assemble a response, and send it */
643 /* see RFC 2831 */
644 GString *response = g_string_new("");
645 char *a2;
646 char *auth_resp;
647 char *buf;
648 char *cnonce;
649 char *realm;
650 char *nonce;
651
652 /* we're actually supposed to prompt the user for a realm if
653 * the server doesn't send one, but that really complicates things,
654 * so i'm not gonna worry about it until is poses a problem to
655 * someone, or I get really bored */
656 realm = g_hash_table_lookup(parts, "realm");
657 if(!realm)
658 realm = js->user->domain;
659
660 cnonce = g_strdup_printf("%x%u%x", g_random_int(), (int)time(NULL),
661 g_random_int());
662 nonce = g_hash_table_lookup(parts, "nonce");
663
664
665 a2 = g_strdup_printf("AUTHENTICATE:xmpp/%s", realm);
666 auth_resp = generate_response_value(js->user,
667 gaim_connection_get_password(js->gc), nonce, cnonce, a2, realm);
668 g_free(a2);
669
670 a2 = g_strdup_printf(":xmpp/%s", realm);
671 js->expected_rspauth = generate_response_value(js->user,
672 gaim_connection_get_password(js->gc), nonce, cnonce, a2, realm);
673 g_free(a2);
674
675
676 g_string_append_printf(response, "username=\"%s\"", js->user->node);
677 g_string_append_printf(response, ",realm=\"%s\"", realm);
678 g_string_append_printf(response, ",nonce=\"%s\"", nonce);
679 g_string_append_printf(response, ",cnonce=\"%s\"", cnonce);
680 g_string_append_printf(response, ",nc=00000001");
681 g_string_append_printf(response, ",qop=auth");
682 g_string_append_printf(response, ",digest-uri=\"xmpp/%s\"", realm);
683 g_string_append_printf(response, ",response=%s", auth_resp);
684 g_string_append_printf(response, ",charset=utf-8");
685
686 g_free(auth_resp);
687 g_free(cnonce);
688
689 enc_out = gaim_base64_encode((guchar *)response->str, response->len);
690
691 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded response (%d): %s\n", response->len, response->str);
692
693 buf = g_strdup_printf("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>%s</response>", enc_out);
694
695 jabber_send_raw(js, buf, -1);
696
697 g_free(buf);
698
699 g_free(enc_out);
700
701 g_string_free(response, TRUE);
702 }
703
704 g_free(enc_in);
705 g_free(dec_in);
706 g_hash_table_destroy(parts);
707 }
708 #ifdef HAVE_CYRUS_SASL
709 else if (js->auth_type == JABBER_AUTH_CYRUS) {
710 char *enc_in = xmlnode_get_data(packet);
711 unsigned char *dec_in;
712 char *enc_out;
713 const char *c_out;
714 unsigned int clen;
715 gsize declen;
716 xmlnode *response;
717
718 dec_in = gaim_base64_decode(enc_in, &declen);
719
720 js->sasl_state = sasl_client_step(js->sasl, (char*)dec_in, declen,
721 NULL, &c_out, &clen);
722 g_free(enc_in);
723 g_free(dec_in);
724 if (js->sasl_state != SASL_CONTINUE && js->sasl_state != SASL_OK) {
725 gaim_debug_error("jabber", "Error is %d : %s\n",js->sasl_state,sasl_errdetail(js->sasl));
726 gaim_connection_error(js->gc, _("SASL error"));
727 return;
728 } else {
729 response = xmlnode_new("response");
730 xmlnode_set_namespace(response, "urn:ietf:params:xml:ns:xmpp-sasl");
731 if (c_out) {
732 enc_out = gaim_base64_encode((unsigned char*)c_out, clen);
733 xmlnode_insert_data(response, enc_out, -1);
734 g_free(enc_out);
735 }
736 jabber_send(js, response);
737 xmlnode_free(response);
738 }
739 }
740 #endif
741 }
742
743 void jabber_auth_handle_success(JabberStream *js, xmlnode *packet)
744 {
745 const char *ns = xmlnode_get_namespace(packet);
746 #ifdef HAVE_CYRUS_SASL
747 const int *x;
748 #endif
749
750 if(!ns || strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) {
751 gaim_connection_error(js->gc, _("Invalid response from server."));
752 return;
753 }
754
755 #ifdef HAVE_CYRUS_SASL
756 /* The SASL docs say that if the client hasn't returned OK yet, we
757 * should try one more round against it
758 */
759 if (js->sasl_state != SASL_OK) {
760 char *enc_in = xmlnode_get_data(packet);
761 unsigned char *dec_in = NULL;
762 const char *c_out;
763 unsigned int clen;
764 gsize declen = 0;
765
766 if(enc_in != NULL)
767 dec_in = gaim_base64_decode(enc_in, &declen);
768
769 js->sasl_state = sasl_client_step(js->sasl, (char*)dec_in, declen, NULL, &c_out, &clen);
770
771 g_free(enc_in);
772 g_free(dec_in);
773
774 if (js->sasl_state != SASL_OK) {
775 /* This should never happen! */
776 gaim_connection_error(js->gc, _("Invalid response from server."));
777 }
778 }
779 /* If we've negotiated a security layer, we need to enable it */
780 sasl_getprop(js->sasl, SASL_SSF, &x);
781 if (*x > 0) {
782 sasl_getprop(js->sasl, SASL_MAXOUTBUF, &x);
783 js->sasl_maxbuf = *x;
784 }
785 #endif
786
787 jabber_stream_set_state(js, JABBER_STREAM_REINITIALIZING);
788 }
789
790 void jabber_auth_handle_failure(JabberStream *js, xmlnode *packet)
791 {
792 char *msg = jabber_parse_error(js, packet);
793
794 if(!msg) {
795 gaim_connection_error(js->gc, _("Invalid response from server."));
796 } else {
797 gaim_connection_error(js->gc, msg);
798 g_free(msg);
799 }
800 }

Mercurial Repository: pidgin3

mercurial