mirror of
git://git.psyced.org/git/psyced
synced 2024-08-15 03:25:10 +00:00
Merge commit 'origin'
This commit is contained in:
commit
e953913f30
3 changed files with 29 additions and 130 deletions
|
@ -192,18 +192,8 @@ handle_stream_features(XMLNode node) {
|
|||
encode_base64(_host_XMPP)
|
||||
+ "</auth>");
|
||||
return;
|
||||
} else
|
||||
}
|
||||
#endif
|
||||
if (mechs["DIGEST-MD5"]
|
||||
&& config(XMPP + hostname, "_secret_shared")) {
|
||||
PT(("jabber/active requesting to do digest md5\n"))
|
||||
emit("<auth mechanism='DIGEST-MD5' "
|
||||
"xmlns='" NS_XMPP "xmpp-sasl>" +
|
||||
encode_base64(_host_XMPP) +
|
||||
"</auth>");
|
||||
return;
|
||||
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef SWITCH2PSYC
|
||||
|
@ -439,51 +429,6 @@ jabberMsg(XMLNode node) {
|
|||
authenticated = 1;
|
||||
}
|
||||
break;
|
||||
case "challenge":
|
||||
PT(("%O got a sasl challenge\n", ME))
|
||||
if (node["@xmlns"] == NS_XMPP "xmpp-sasl") {
|
||||
unless(t = node[Cdata]) {
|
||||
// none given
|
||||
} else unless (t = to_string(decode_base64(t))) {
|
||||
// base64 decode error?
|
||||
} else {
|
||||
// this one is shared across all those digest md5's
|
||||
mixed data;
|
||||
string secret;
|
||||
string response;
|
||||
PT(("decoded challenge: %O\n", t))
|
||||
data = sasl_parse(t);
|
||||
PT(("extracted %O\n", data))
|
||||
|
||||
data["username"] = _host_XMPP;
|
||||
secret = config(XMPP + hostname, "_secret_shared");
|
||||
unless(secret) {
|
||||
// mh... this is a problem!
|
||||
// we only started doing this if we have a secret,
|
||||
// so this cant be empty
|
||||
}
|
||||
data["cnonce"] = RANDHEXSTRING;
|
||||
data["nc"] = "00000001";
|
||||
data["digest-uri"] = "xmpp/" _host_XMPP;
|
||||
|
||||
response = sasl_calculate_digestMD5(data, secret, 0);
|
||||
|
||||
// ok, the username is our hostname
|
||||
// note: qop must not be quoted, as we are 'client'
|
||||
t = "username=\"" _host_XMPP "\","
|
||||
"realm=\"" + data["realm"] + "\","
|
||||
"nonce=\"" + data["nonce"] + "\","
|
||||
"cnonce=\"" + data["cnonce"] + "\","
|
||||
"nc=" + data["nc"] + ",qop=auth,"
|
||||
"digest-uri=\"" + data["digest-uri"] + "\","
|
||||
"response=" + response + ",charset=utf-8";
|
||||
PT(("%O sent rspauth %O\n", ME, response))
|
||||
emit("<response xmlns='" NS_XMPP "xmpp-sasl'>"
|
||||
+ encode_base64(t) +
|
||||
"</response>");
|
||||
}
|
||||
}
|
||||
break;
|
||||
case "failure":
|
||||
// the other side has to close the stream
|
||||
monitor_report("_error_invalid_authentication_XMPP", sprintf("%O got a failure with xml namespace %O\n", ME, node["@xmlns"]));
|
||||
|
|
|
@ -199,7 +199,6 @@ jabberMsg(XMLNode node) {
|
|||
if (! (source && target
|
||||
|| node[Tag] == "stream:error"
|
||||
|| node[Tag] == "auth"
|
||||
|| node[Tag] == "response"
|
||||
#ifdef SWITCH2PSYC
|
||||
|| node[Tag] == "switching"
|
||||
#endif
|
||||
|
@ -256,21 +255,32 @@ jabberMsg(XMLNode node) {
|
|||
remove_interactive(ME);
|
||||
return;
|
||||
}
|
||||
sendmsg(origin,
|
||||
"_dialback_request_verify", 0,
|
||||
([ "_INTERNAL_target_jabber" : source,
|
||||
"_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
|
||||
"_dialback_key" : node[Cdata],
|
||||
"_tag" : streamid
|
||||
])
|
||||
);
|
||||
unless (o = find_target_handler(NAMEPREP(origin))) {
|
||||
// sendmsg should have created it!
|
||||
P0(("%O could not find target handler for %O "
|
||||
"after sendmsg\n", ME, origin))
|
||||
return;
|
||||
// dialback without dial-back - if the certificate is valid and the sender
|
||||
// is contained in the subject take the shortcut and consider the request
|
||||
// valid
|
||||
// paranoia note: as with XEP 0178 we might want to check dns anyway to
|
||||
// protect against stolen certificates
|
||||
if (mappingp(certinfo) && certinfo[0] == 0
|
||||
&& node["@from"] && certificate_check_jabbername(node["@from"], certinfo)) {
|
||||
P2(("dialback without dialback %O\n", certinfo))
|
||||
verify_connection(node["@to"], node["@from"], "valid");
|
||||
} else {
|
||||
sendmsg(origin,
|
||||
"_dialback_request_verify", 0,
|
||||
([ "_INTERNAL_target_jabber" : source,
|
||||
"_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
|
||||
"_dialback_key" : node[Cdata],
|
||||
"_tag" : streamid
|
||||
])
|
||||
);
|
||||
unless (o = find_target_handler(NAMEPREP(origin))) {
|
||||
// sendmsg should have created it!
|
||||
P0(("%O could not find target handler for %O "
|
||||
"after sendmsg\n", ME, origin))
|
||||
return;
|
||||
}
|
||||
active = o -> sGateway(ME, target, streamid);
|
||||
}
|
||||
active = o -> sGateway(ME, target, streamid);
|
||||
return;
|
||||
case "db:verify":
|
||||
target = NAMEPREP(target);
|
||||
|
@ -380,59 +390,12 @@ jabberMsg(XMLNode node) {
|
|||
QUIT
|
||||
}
|
||||
break;
|
||||
case "DIGEST-MD5":
|
||||
PT(("jabber/gateway got a request to do digest md5\n"))
|
||||
// if the other side thinks, that is has a shared
|
||||
// secret with us... well, THEY tried
|
||||
if (config(XMPP + t, "_secret_shared")) {
|
||||
emit("<challenge xmlns='" NS_XMPP "xmpp-sasl'>" +
|
||||
encode_base64(sprintf("realm=\"%s\",nonce=\"%s\","
|
||||
"qop=\"auth\",charset=utf-8,"
|
||||
"algorithm=md5-sess",
|
||||
_host_XMPP, RANDHEXSTRING)
|
||||
) + "</challenge>");
|
||||
} else {
|
||||
// kind of 'unknown username'
|
||||
SASL_ERROR("not-authorized")
|
||||
QUIT
|
||||
}
|
||||
break;
|
||||
default:
|
||||
SASL_ERROR("invalid-mechanism")
|
||||
QUIT
|
||||
break;
|
||||
}
|
||||
return;
|
||||
case "response":
|
||||
P2(("%O got SASL response\n", ME))
|
||||
if ((t2 = node[Cdata])
|
||||
&& (t = to_string(decode_base64(t2)))) {
|
||||
// this one is very similar to the stuff in active.c
|
||||
string secret;
|
||||
mixed data;
|
||||
|
||||
data = sasl_parse(t);
|
||||
|
||||
P2(("extracted: %O\n", data))
|
||||
|
||||
secret = config(XMPP + data["username"], "_secret_shared");
|
||||
unless(secret) {
|
||||
// tell the host that we dont share a secret with them
|
||||
// currently this happens as not-authorized
|
||||
}
|
||||
if (data["response"] == sasl_calculate_digestMD5(data, secret, 0)) {
|
||||
emit("<success xmlns='" NS_XMPP "xmpp-sasl'>"
|
||||
+ encode_base64("rspauth=" + sasl_calculate_digestMD5(data, secret, 1)) + "</success>");
|
||||
# ifdef LOG_XMPP_AUTH
|
||||
D0( log_file("XMPP_AUTH", "\n%O has authenticated %O via SASL digest md5", ME, data["username"]); )
|
||||
# endif
|
||||
sAuthenticated(data["username"]);
|
||||
} else {
|
||||
SASL_ERROR("not-authorized")
|
||||
QUIT
|
||||
}
|
||||
}
|
||||
return;
|
||||
#endif
|
||||
}
|
||||
su = parse_uniform(origin);
|
||||
|
@ -517,22 +480,12 @@ open_stream(XMLNode node) {
|
|||
} else unless (mappingp(authhosts)) {
|
||||
# ifdef WANT_S2S_SASL
|
||||
packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
|
||||
// let the other side decide if it knows a shared secret
|
||||
// with us
|
||||
// if it it has, it will use it with digest-md5
|
||||
# ifndef _flag_disable_authentication_digest_MD5
|
||||
if (node["@from"]
|
||||
&& config(XMPP + node["@from"],
|
||||
"_secret_shared")) {
|
||||
packet += "<mechanism>DIGEST-MD5</mechanism>";
|
||||
}
|
||||
# endif
|
||||
|
||||
// if the other side did present a client certificate
|
||||
// and we have verified it as X509_V_OK (0)
|
||||
// we offer SASL external (authentication via name
|
||||
// presented in x509 certificate
|
||||
P3(("gateway::certinfo %O\n", certinfo))
|
||||
# ifndef DIALBACK_WITHOUT_DIAL_BACK
|
||||
if (mappingp(certinfo) && certinfo[0] == 0) {
|
||||
// if from attribute is present we only offer
|
||||
// sasl external if we know that it will succeed
|
||||
|
@ -543,6 +496,7 @@ open_stream(XMLNode node) {
|
|||
packet += "<mechanism>EXTERNAL</mechanism>";
|
||||
}
|
||||
}
|
||||
# endif
|
||||
packet += "</mechanisms>";
|
||||
# endif
|
||||
}
|
||||
|
|
|
@ -214,7 +214,7 @@ jabberMsg(XMLNode node, mixed origin, mixed *su, array(mixed) tu) {
|
|||
vars["_nick_place"] = vars["_INTERNAL_identification"] || origin;
|
||||
|
||||
#if __EFUN_DEFINED__(mktime)
|
||||
if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay")) {
|
||||
if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay"))) {
|
||||
string fmt = helper["@stamp"];
|
||||
int *time = allocate(TM_MAX);
|
||||
int res;
|
||||
|
|
Loading…
Reference in a new issue