mirror of git://git.psyced.org/git/psyced synced 2024-08-15 03:25:10 +00:00

Merge commit 'origin'

psyc://psyced.org/~lynX 2010-05-17 22:16:40 +02:00
commit e953913f30
3 changed files with 29 additions and 130 deletions


@ -192,18 +192,8 @@ handle_stream_features(XMLNode node) {
encode_base64(_host_XMPP)
+ "</auth>");
return;
} else
}
#endif
if (mechs["DIGEST-MD5"]
&& config(XMPP + hostname, "_secret_shared")) {
PT(("jabber/active requesting to do digest md5\n"))
emit("<auth mechanism='DIGEST-MD5' "
"xmlns='" NS_XMPP "xmpp-sasl>" +
encode_base64(_host_XMPP) +
"</auth>");
return;
}
}
#endif
#ifdef SWITCH2PSYC
@ -439,51 +429,6 @@ jabberMsg(XMLNode node) {
authenticated = 1;
}
break;
case "challenge":
PT(("%O got a sasl challenge\n", ME))
if (node["@xmlns"] == NS_XMPP "xmpp-sasl") {
unless(t = node[Cdata]) {
// none given
} else unless (t = to_string(decode_base64(t))) {
// base64 decode error?
} else {
// this one is shared across all those digest md5's
mixed data;
string secret;
string response;
PT(("decoded challenge: %O\n", t))
data = sasl_parse(t);
PT(("extracted %O\n", data))
data["username"] = _host_XMPP;
secret = config(XMPP + hostname, "_secret_shared");
unless(secret) {
// mh... this is a problem!
// we only started doing this if we have a secret,
// so this cant be empty
}
data["cnonce"] = RANDHEXSTRING;
data["nc"] = "00000001";
data["digest-uri"] = "xmpp/" _host_XMPP;
response = sasl_calculate_digestMD5(data, secret, 0);
// ok, the username is our hostname
// note: qop must not be quoted, as we are 'client'
t = "username=\"" _host_XMPP "\","
"realm=\"" + data["realm"] + "\","
"nonce=\"" + data["nonce"] + "\","
"cnonce=\"" + data["cnonce"] + "\","
"nc=" + data["nc"] + ",qop=auth,"
"digest-uri=\"" + data["digest-uri"] + "\","
"response=" + response + ",charset=utf-8";
PT(("%O sent rspauth %O\n", ME, response))
emit("<response xmlns='" NS_XMPP "xmpp-sasl'>"
+ encode_base64(t) +
"</response>");
}
}
break;
case "failure":
// the other side has to close the stream
monitor_report("_error_invalid_authentication_XMPP", sprintf("%O got a failure with xml namespace %O\n", ME, node["@xmlns"]));


@ -199,7 +199,6 @@ jabberMsg(XMLNode node) {
if (! (source && target
|| node[Tag] == "stream:error"
|| node[Tag] == "auth"
|| node[Tag] == "response"
#ifdef SWITCH2PSYC
|| node[Tag] == "switching"
#endif
@ -256,21 +255,32 @@ jabberMsg(XMLNode node) {
remove_interactive(ME);
return;
}
sendmsg(origin,
"_dialback_request_verify", 0,
([ "_INTERNAL_target_jabber" : source,
"_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
"_dialback_key" : node[Cdata],
"_tag" : streamid
])
);
unless (o = find_target_handler(NAMEPREP(origin))) {
// sendmsg should have created it!
P0(("%O could not find target handler for %O "
"after sendmsg\n", ME, origin))
return;
// dialback without dial-back - if the certificate is valid and the sender
// is contained in the subject take the shortcut and consider the request
// valid
// paranoia note: as with XEP 0178 we might want to check dns anyway to
// protect against stolen certificates
if (mappingp(certinfo) && certinfo[0] == 0
&& node["@from"] && certificate_check_jabbername(node["@from"], certinfo)) {
P2(("dialback without dialback %O\n", certinfo))
verify_connection(node["@to"], node["@from"], "valid");
} else {
sendmsg(origin,
"_dialback_request_verify", 0,
([ "_INTERNAL_target_jabber" : source,
"_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
"_dialback_key" : node[Cdata],
"_tag" : streamid
])
);
unless (o = find_target_handler(NAMEPREP(origin))) {
// sendmsg should have created it!
P0(("%O could not find target handler for %O "
"after sendmsg\n", ME, origin))
return;
}
active = o -> sGateway(ME, target, streamid);
}
active = o -> sGateway(ME, target, streamid);
return;
case "db:verify":
target = NAMEPREP(target);
@ -380,59 +390,12 @@ jabberMsg(XMLNode node) {
QUIT
}
break;
case "DIGEST-MD5":
PT(("jabber/gateway got a request to do digest md5\n"))
// if the other side thinks, that is has a shared
// secret with us... well, THEY tried
if (config(XMPP + t, "_secret_shared")) {
emit("<challenge xmlns='" NS_XMPP "xmpp-sasl'>" +
encode_base64(sprintf("realm=\"%s\",nonce=\"%s\","
"qop=\"auth\",charset=utf-8,"
"algorithm=md5-sess",
_host_XMPP, RANDHEXSTRING)
) + "</challenge>");
} else {
// kind of 'unknown username'
SASL_ERROR("not-authorized")
QUIT
}
break;
default:
SASL_ERROR("invalid-mechanism")
QUIT
break;
}
return;
case "response":
P2(("%O got SASL response\n", ME))
if ((t2 = node[Cdata])
&& (t = to_string(decode_base64(t2)))) {
// this one is very similar to the stuff in active.c
string secret;
mixed data;
data = sasl_parse(t);
P2(("extracted: %O\n", data))
secret = config(XMPP + data["username"], "_secret_shared");
unless(secret) {
// tell the host that we dont share a secret with them
// currently this happens as not-authorized
}
if (data["response"] == sasl_calculate_digestMD5(data, secret, 0)) {
emit("<success xmlns='" NS_XMPP "xmpp-sasl'>"
+ encode_base64("rspauth=" + sasl_calculate_digestMD5(data, secret, 1)) + "</success>");
# ifdef LOG_XMPP_AUTH
D0( log_file("XMPP_AUTH", "\n%O has authenticated %O via SASL digest md5", ME, data["username"]); )
# endif
sAuthenticated(data["username"]);
} else {
SASL_ERROR("not-authorized")
QUIT
}
}
return;
#endif
}
su = parse_uniform(origin);
@ -517,22 +480,12 @@ open_stream(XMLNode node) {
} else unless (mappingp(authhosts)) {
# ifdef WANT_S2S_SASL
packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
// let the other side decide if it knows a shared secret
// with us
// if it it has, it will use it with digest-md5
# ifndef _flag_disable_authentication_digest_MD5
if (node["@from"]
&& config(XMPP + node["@from"],
"_secret_shared")) {
packet += "<mechanism>DIGEST-MD5</mechanism>";
}
# endif
// if the other side did present a client certificate
// and we have verified it as X509_V_OK (0)
// we offer SASL external (authentication via name
// presented in x509 certificate
P3(("gateway::certinfo %O\n", certinfo))
# ifndef DIALBACK_WITHOUT_DIAL_BACK
if (mappingp(certinfo) && certinfo[0] == 0) {
// if from attribute is present we only offer
// sasl external if we know that it will succeed
@ -543,6 +496,7 @@ open_stream(XMLNode node) {
packet += "<mechanism>EXTERNAL</mechanism>";
}
}
# endif
packet += "</mechanisms>";
# endif
}
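Review bot: In the `@ -256,21 +255,32` hunk, the new certificate shortcut hands `node["@from"]` and `node["@to"]` to `certificate_check_jabbername()` and `verify_connection()` exactly as received, while the fallback branch and the following `db:verify` case work on `NAMEPREP`-normalised names. If the certificate check and the later lookups disagree on normalisation, a peer could be recorded as valid under a name that differs from the one the rest of the gateway keys on. Presumably both calls should take the normalised values, e.g. `verify_connection(NAMEPREP(node["@to"]), NAMEPREP(node["@from"]), "valid");`. The branch is also not visibly guarded by `DIALBACK_WITHOUT_DIAL_BACK`, although the `open_stream` hunk uses that macro to stop offering EXTERNAL, so it looks always-on; wrap it in `#ifdef DIALBACK_WITHOUT_DIAL_BACK` if it is meant to be opt-in (the enclosing case of `jabberMsg` starts and ends outside the hunk, so a guard may exist out of view). Because this path accepts a peer without the DNS round-trip, it should write an audit record, as the removed DIGEST-MD5 branch did under `LOG_XMPP_AUTH` with `log_file("XMPP_AUTH", ...)`, rather than only the `P2` debug trace.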


@ -214,7 +214,7 @@ jabberMsg(XMLNode node, mixed origin, mixed *su, array(mixed) tu) {
vars["_nick_place"] = vars["_INTERNAL_identification"] || origin;
#if __EFUN_DEFINED__(mktime)
if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay")) {
if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay"))) {
string fmt = helper["@stamp"];
int *time = allocate(TM_MAX);
int res;