Merge commit 'origin'

2010-05-17 22:16:40 +02:00 · 2010-05-17 22:16:40 +02:00 · e953913f30
parent 36ade907c4 d5d2dac621
commit e953913f30
3 changed files with 29 additions and 130 deletions
--- a/world/net/jabber/active.c
+++ b/world/net/jabber/active.c
@ -192,18 +192,8 @@ handle_stream_features(XMLNode node) {
 		 encode_base64(_host_XMPP)
 		 + "</auth>");
 	    return;
-	} else
+	} 
 #endif
-	if (mechs["DIGEST-MD5"] 
-		   && config(XMPP + hostname, "_secret_shared")) { 
-	    PT(("jabber/active requesting to do digest md5\n"))
-	    emit("<auth mechanism='DIGEST-MD5' "
-		 "xmlns='" NS_XMPP "xmpp-sasl>" +
-		 encode_base64(_host_XMPP) +
-		 "</auth>");
-	    return;
-
-	}
    }
 #endif
 #ifdef SWITCH2PSYC
@ -439,51 +429,6 @@ jabberMsg(XMLNode node) {
 	    authenticated = 1;
 	}
 	break;
-    case "challenge":
-	PT(("%O got a sasl challenge\n", ME))
-	if (node["@xmlns"] == NS_XMPP "xmpp-sasl") {
-	    unless(t = node[Cdata]) {
-		// none given
-	    } else unless (t = to_string(decode_base64(t))) {
-		// base64 decode error?
-	    } else {
-		// this one is shared across all those digest md5's
-		mixed data;
-		string secret;
-		string response;
-		PT(("decoded challenge: %O\n", t))
-		data = sasl_parse(t);
-		PT(("extracted %O\n", data))
-
-		data["username"] = _host_XMPP;
-		secret = config(XMPP + hostname, "_secret_shared");
-		unless(secret) {
-		    // mh... this is a problem!
-		    // we only started doing this if we have a secret,
-		    // so this cant be empty
-		}
-		data["cnonce"] = RANDHEXSTRING;
-		data["nc"] = "00000001";
-		data["digest-uri"] = "xmpp/" _host_XMPP;
-
-		response = sasl_calculate_digestMD5(data, secret, 0);
-
-		// ok, the username is our hostname
-		// note: qop must not be quoted, as we are 'client'
-		t = "username=\"" _host_XMPP "\","
-		    "realm=\"" + data["realm"] + "\","
-		    "nonce=\"" + data["nonce"] + "\","
-		    "cnonce=\"" + data["cnonce"] + "\","
-		    "nc=" + data["nc"] + ",qop=auth,"
-		    "digest-uri=\"" + data["digest-uri"] + "\","
-		    "response=" + response + ",charset=utf-8";
-		PT(("%O sent rspauth %O\n", ME, response))
-		emit("<response xmlns='" NS_XMPP "xmpp-sasl'>"
-		     + encode_base64(t) + 
-		     "</response>");
-	    }
-	}
-	break;
    case "failure":
 	// the other side has to close the stream
 	monitor_report("_error_invalid_authentication_XMPP", sprintf("%O got a failure with xml namespace %O\n", ME, node["@xmlns"]));
--- a/world/net/jabber/gateway.c
+++ b/world/net/jabber/gateway.c
@ -199,7 +199,6 @@ jabberMsg(XMLNode node) {
    if (! (source && target 
 		|| node[Tag] == "stream:error"
 		|| node[Tag] == "auth"
-		|| node[Tag] == "response"
 #ifdef SWITCH2PSYC
 		|| node[Tag] == "switching"
 #endif
@ -256,21 +255,32 @@ jabberMsg(XMLNode node) {
 	    remove_interactive(ME);
 	    return;
 	}
-	sendmsg(origin,
-		"_dialback_request_verify", 0,
-		([ "_INTERNAL_target_jabber" : source,
-		   "_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
-		   "_dialback_key" : node[Cdata],
-		   "_tag" : streamid
-		   ])
-		);
-	unless (o = find_target_handler(NAMEPREP(origin))) {
-	    // sendmsg should have created it!
-	    P0(("%O could not find target handler for %O "
-		"after sendmsg\n", ME, origin))
-	    return;
+	// dialback without dial-back - if the certificate is valid and the sender 
+	// is contained in the subject take the shortcut and consider the request
+	// valid
+	// paranoia note: as with XEP 0178 we might want to check dns anyway to
+	// 	protect against stolen certificates
+	if (mappingp(certinfo) && certinfo[0] == 0 
+	    && node["@from"] && certificate_check_jabbername(node["@from"], certinfo)) {
+		P2(("dialback without dialback %O\n", certinfo))
+		verify_connection(node["@to"], node["@from"], "valid"); 
+	} else {
+		sendmsg(origin,
+			"_dialback_request_verify", 0,
+			([ "_INTERNAL_target_jabber" : source,
+			   "_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
+			   "_dialback_key" : node[Cdata],
+			   "_tag" : streamid
+			   ])
+			);
+		unless (o = find_target_handler(NAMEPREP(origin))) {
+		    // sendmsg should have created it!
+		    P0(("%O could not find target handler for %O "
+			"after sendmsg\n", ME, origin))
+		    return;
+		}
+		active = o -> sGateway(ME, target, streamid);
 	}
-	active = o -> sGateway(ME, target, streamid);
 	return;
    case "db:verify":
 	target = NAMEPREP(target);
@ -380,59 +390,12 @@ jabberMsg(XMLNode node) {
 		QUIT
 	    }
 	    break;
-	case "DIGEST-MD5":
-	    PT(("jabber/gateway got a request to do digest md5\n"))
-	    // if the other side thinks, that is has a shared
-	    // secret with us... well, THEY tried
-	    if (config(XMPP + t, "_secret_shared")) {
-		emit("<challenge xmlns='" NS_XMPP "xmpp-sasl'>" + 
-		     encode_base64(sprintf("realm=\"%s\",nonce=\"%s\","
-					   "qop=\"auth\",charset=utf-8,"
-					   "algorithm=md5-sess", 
-					   _host_XMPP, RANDHEXSTRING)
-				   ) + "</challenge>");
-	    } else {
-		// kind of 'unknown username'
-		SASL_ERROR("not-authorized")
-		QUIT
-	    }
-	    break;
 	default:
 	    SASL_ERROR("invalid-mechanism")
 	    QUIT
 	    break;
 	}
 	return;
-    case "response":
-	P2(("%O got SASL response\n", ME))
-	if ((t2 = node[Cdata])
-		&& (t = to_string(decode_base64(t2)))) {
-	    // this one is very similar to the stuff in active.c
-	    string secret;
-	    mixed data;
-
-	    data = sasl_parse(t);
-
-	    P2(("extracted: %O\n", data))
-
-	    secret = config(XMPP + data["username"], "_secret_shared");
-	    unless(secret) {
-		// tell the host that we dont share a secret with them
-		// currently this happens as not-authorized
-	    }
-	    if (data["response"] == sasl_calculate_digestMD5(data, secret, 0)) {
-		emit("<success xmlns='" NS_XMPP "xmpp-sasl'>"
-		     + encode_base64("rspauth=" + sasl_calculate_digestMD5(data, secret, 1)) + "</success>");
-# ifdef LOG_XMPP_AUTH
-		D0( log_file("XMPP_AUTH", "\n%O has authenticated %O via SASL digest md5", ME, data["username"]); )
-# endif 
-		sAuthenticated(data["username"]);
-	    } else {
-		SASL_ERROR("not-authorized")
-		QUIT
-	    }
-	}
-	return;
 #endif
    }
    su = parse_uniform(origin);
@ -517,22 +480,12 @@ open_stream(XMLNode node) {
 	    } else unless (mappingp(authhosts)) {
 # ifdef WANT_S2S_SASL
 		packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
-		// let the other side decide if it knows a shared secret 
-		// with us
-		// if it it has, it will use it with digest-md5
-#  ifndef _flag_disable_authentication_digest_MD5
-		if (node["@from"] 
-			&& config(XMPP + node["@from"], 
-				  "_secret_shared")) {
-		    packet += "<mechanism>DIGEST-MD5</mechanism>";
-		}
-#  endif
-		
 		// if the other side did present a client certificate
 		// and we have verified it as X509_V_OK (0)
 		// we offer SASL external (authentication via name
 		// presented in x509 certificate
 		P3(("gateway::certinfo %O\n", certinfo))
+#  ifndef DIALBACK_WITHOUT_DIAL_BACK
 		if (mappingp(certinfo) && certinfo[0] == 0) {
 		    // if from attribute is present we only offer
 		    // sasl external if we know that it will succeed
@ -543,6 +496,7 @@ open_stream(XMLNode node) {
 			packet += "<mechanism>EXTERNAL</mechanism>";
 		    }
 		}
+#  endif
 		packet += "</mechanisms>";
 # endif
 	    }
--- a/world/net/jabber/mixin_parse.c
+++ b/world/net/jabber/mixin_parse.c
@ -214,7 +214,7 @@ jabberMsg(XMLNode node, mixed origin, mixed *su, array(mixed) tu) {
 		vars["_nick_place"] = vars["_INTERNAL_identification"] || origin;

 #if __EFUN_DEFINED__(mktime)
-		if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay")) {
+		if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay"))) {
 		    string fmt = helper["@stamp"];
 		    int *time = allocate(TM_MAX);
 		    int res;