	Merge commit 'origin'
		
						commit
						e953913f30
					
				
					 3 changed files with 29 additions and 130 deletions
				
			
		|  | @ -192,18 +192,8 @@ handle_stream_features(XMLNode node) { | |||
| 		 encode_base64(_host_XMPP) | ||||
| 		 + "</auth>"); | ||||
| 	    return; | ||||
| 	} else | ||||
| 	}  | ||||
| #endif | ||||
| 	if (mechs["DIGEST-MD5"]  | ||||
| 		   && config(XMPP + hostname, "_secret_shared")) {  | ||||
| 	    PT(("jabber/active requesting to do digest md5\n")) | ||||
| 	    emit("<auth mechanism='DIGEST-MD5' " | ||||
| 		 "xmlns='" NS_XMPP "xmpp-sasl>" + | ||||
| 		 encode_base64(_host_XMPP) + | ||||
| 		 "</auth>"); | ||||
| 	    return; | ||||
| 
 | ||||
| 	} | ||||
|     } | ||||
| #endif | ||||
| #ifdef SWITCH2PSYC | ||||
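Review bot: The one added line in this hunk, `}  `, carries two trailing spaces where the old `} else` used to be; write it as a bare `}`. With the DIGEST-MD5 request gone the brace now simply closes the preceding mechanism branch before the `#endif`, and the rest of handle_stream_features lies outside the hunk.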
|  | @ -439,51 +429,6 @@ jabberMsg(XMLNode node) { | |||
| 	    authenticated = 1; | ||||
| 	} | ||||
| 	break; | ||||
|     case "challenge": | ||||
| 	PT(("%O got a sasl challenge\n", ME)) | ||||
| 	if (node["@xmlns"] == NS_XMPP "xmpp-sasl") { | ||||
| 	    unless(t = node[Cdata]) { | ||||
| 		// none given
 | ||||
| 	    } else unless (t = to_string(decode_base64(t))) { | ||||
| 		// base64 decode error?
 | ||||
| 	    } else { | ||||
| 		// this one is shared across all those digest md5's
 | ||||
| 		mixed data; | ||||
| 		string secret; | ||||
| 		string response; | ||||
| 		PT(("decoded challenge: %O\n", t)) | ||||
| 		data = sasl_parse(t); | ||||
| 		PT(("extracted %O\n", data)) | ||||
| 
 | ||||
| 		data["username"] = _host_XMPP; | ||||
| 		secret = config(XMPP + hostname, "_secret_shared"); | ||||
| 		unless(secret) { | ||||
| 		    // mh... this is a problem!
 | ||||
| 		    // we only started doing this if we have a secret,
 | ||||
| 		    // so this cant be empty
 | ||||
| 		} | ||||
| 		data["cnonce"] = RANDHEXSTRING; | ||||
| 		data["nc"] = "00000001"; | ||||
| 		data["digest-uri"] = "xmpp/" _host_XMPP; | ||||
| 
 | ||||
| 		response = sasl_calculate_digestMD5(data, secret, 0); | ||||
| 
 | ||||
| 		// ok, the username is our hostname
 | ||||
| 		// note: qop must not be quoted, as we are 'client'
 | ||||
| 		t = "username=\"" _host_XMPP "\"," | ||||
| 		    "realm=\"" + data["realm"] + "\"," | ||||
| 		    "nonce=\"" + data["nonce"] + "\"," | ||||
| 		    "cnonce=\"" + data["cnonce"] + "\"," | ||||
| 		    "nc=" + data["nc"] + ",qop=auth," | ||||
| 		    "digest-uri=\"" + data["digest-uri"] + "\"," | ||||
| 		    "response=" + response + ",charset=utf-8"; | ||||
| 		PT(("%O sent rspauth %O\n", ME, response)) | ||||
| 		emit("<response xmlns='" NS_XMPP "xmpp-sasl'>" | ||||
| 		     + encode_base64(t) +  | ||||
| 		     "</response>"); | ||||
| 	    } | ||||
| 	} | ||||
| 	break; | ||||
|     case "failure": | ||||
| 	// the other side has to close the stream
 | ||||
| 	monitor_report("_error_invalid_authentication_XMPP", sprintf("%O got a failure with xml namespace %O\n", ME, node["@xmlns"])); | ||||
|  |  | |||
|  | @ -199,7 +199,6 @@ jabberMsg(XMLNode node) { | |||
|     if (! (source && target  | ||||
| 		|| node[Tag] == "stream:error" | ||||
| 		|| node[Tag] == "auth" | ||||
| 		|| node[Tag] == "response" | ||||
| #ifdef SWITCH2PSYC | ||||
| 		|| node[Tag] == "switching" | ||||
| #endif | ||||
|  | @ -256,21 +255,32 @@ jabberMsg(XMLNode node) { | |||
| 	    remove_interactive(ME); | ||||
| 	    return; | ||||
| 	} | ||||
| 	sendmsg(origin, | ||||
| 		"_dialback_request_verify", 0, | ||||
| 		([ "_INTERNAL_target_jabber" : source, | ||||
| 		   "_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP), | ||||
| 		   "_dialback_key" : node[Cdata], | ||||
| 		   "_tag" : streamid | ||||
| 		   ]) | ||||
| 		); | ||||
| 	unless (o = find_target_handler(NAMEPREP(origin))) { | ||||
| 	    // sendmsg should have created it!
 | ||||
| 	    P0(("%O could not find target handler for %O " | ||||
| 		"after sendmsg\n", ME, origin)) | ||||
| 	    return; | ||||
| 	// dialback without dial-back - if the certificate is valid and the sender 
 | ||||
| 	// is contained in the subject take the shortcut and consider the request
 | ||||
| 	// valid
 | ||||
| 	// paranoia note: as with XEP 0178 we might want to check dns anyway to
 | ||||
| 	// 	protect against stolen certificates
 | ||||
| 	if (mappingp(certinfo) && certinfo[0] == 0  | ||||
| 	    && node["@from"] && certificate_check_jabbername(node["@from"], certinfo)) { | ||||
| 		P2(("dialback without dialback %O\n", certinfo)) | ||||
| 		verify_connection(node["@to"], node["@from"], "valid");  | ||||
| 	} else { | ||||
| 		sendmsg(origin, | ||||
| 			"_dialback_request_verify", 0, | ||||
| 			([ "_INTERNAL_target_jabber" : source, | ||||
| 			   "_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP), | ||||
| 			   "_dialback_key" : node[Cdata], | ||||
| 			   "_tag" : streamid | ||||
| 			   ]) | ||||
| 			); | ||||
| 		unless (o = find_target_handler(NAMEPREP(origin))) { | ||||
| 		    // sendmsg should have created it!
 | ||||
| 		    P0(("%O could not find target handler for %O " | ||||
| 			"after sendmsg\n", ME, origin)) | ||||
| 		    return; | ||||
| 		} | ||||
| 		active = o -> sGateway(ME, target, streamid); | ||||
| 	} | ||||
| 	active = o -> sGateway(ME, target, streamid); | ||||
| 	return; | ||||
|     case "db:verify": | ||||
| 	target = NAMEPREP(target); | ||||
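Review bot: The new certificate shortcut (`if (mappingp(certinfo) && certinfo[0] == 0 ...`) calls verify_connection and then falls through to `return;` without assigning `active`, which is only set on the dialback side via `active = o -> sGateway(ME, target, streamid);`; unless verify_connection (outside the hunk) establishes the gateway state itself, the shortcut leaves `active` at its previous value. The shortcut also passes the raw `node["@to"]` and `node["@from"]` attributes, while the dialback branch uses the already-derived `source` and `target`; if those are the nameprepped forms of the same attributes, `verify_connection(target, source, "valid");` keeps both paths on the same identifiers. The meaning of `certinfo[0] == 0` is only explained in open_stream, so a comment here such as `// certinfo[0] == 0: the peer certificate verified as X509_V_OK` would make the trust decision readable at the point it is taken, and since the EXTERNAL offer in open_stream is gated by `DIALBACK_WITHOUT_DIAL_BACK` while this shortcut is not visibly gated, it is worth confirming the two are meant to be independent. The enclosing `case "db:result"` starts outside the hunk.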
|  | @ -380,59 +390,12 @@ jabberMsg(XMLNode node) { | |||
| 		QUIT | ||||
| 	    } | ||||
| 	    break; | ||||
| 	case "DIGEST-MD5": | ||||
| 	    PT(("jabber/gateway got a request to do digest md5\n")) | ||||
| 	    // if the other side thinks, that is has a shared
 | ||||
| 	    // secret with us... well, THEY tried
 | ||||
| 	    if (config(XMPP + t, "_secret_shared")) { | ||||
| 		emit("<challenge xmlns='" NS_XMPP "xmpp-sasl'>" +  | ||||
| 		     encode_base64(sprintf("realm=\"%s\",nonce=\"%s\"," | ||||
| 					   "qop=\"auth\",charset=utf-8," | ||||
| 					   "algorithm=md5-sess",  | ||||
| 					   _host_XMPP, RANDHEXSTRING) | ||||
| 				   ) + "</challenge>"); | ||||
| 	    } else { | ||||
| 		// kind of 'unknown username'
 | ||||
| 		SASL_ERROR("not-authorized") | ||||
| 		QUIT | ||||
| 	    } | ||||
| 	    break; | ||||
| 	default: | ||||
| 	    SASL_ERROR("invalid-mechanism") | ||||
| 	    QUIT | ||||
| 	    break; | ||||
| 	} | ||||
| 	return; | ||||
|     case "response": | ||||
| 	P2(("%O got SASL response\n", ME)) | ||||
| 	if ((t2 = node[Cdata]) | ||||
| 		&& (t = to_string(decode_base64(t2)))) { | ||||
| 	    // this one is very similar to the stuff in active.c
 | ||||
| 	    string secret; | ||||
| 	    mixed data; | ||||
| 
 | ||||
| 	    data = sasl_parse(t); | ||||
| 
 | ||||
| 	    P2(("extracted: %O\n", data)) | ||||
| 
 | ||||
| 	    secret = config(XMPP + data["username"], "_secret_shared"); | ||||
| 	    unless(secret) { | ||||
| 		// tell the host that we dont share a secret with them
 | ||||
| 		// currently this happens as not-authorized
 | ||||
| 	    } | ||||
| 	    if (data["response"] == sasl_calculate_digestMD5(data, secret, 0)) { | ||||
| 		emit("<success xmlns='" NS_XMPP "xmpp-sasl'>" | ||||
| 		     + encode_base64("rspauth=" + sasl_calculate_digestMD5(data, secret, 1)) + "</success>"); | ||||
| # ifdef LOG_XMPP_AUTH | ||||
| 		D0( log_file("XMPP_AUTH", "\n%O has authenticated %O via SASL digest md5", ME, data["username"]); ) | ||||
| # endif  | ||||
| 		sAuthenticated(data["username"]); | ||||
| 	    } else { | ||||
| 		SASL_ERROR("not-authorized") | ||||
| 		QUIT | ||||
| 	    } | ||||
| 	} | ||||
| 	return; | ||||
| #endif | ||||
|     } | ||||
|     su = parse_uniform(origin); | ||||
|  | @ -517,22 +480,12 @@ open_stream(XMLNode node) { | |||
| 	    } else unless (mappingp(authhosts)) { | ||||
| # ifdef WANT_S2S_SASL | ||||
| 		packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>"; | ||||
| 		// let the other side decide if it knows a shared secret 
 | ||||
| 		// with us
 | ||||
| 		// if it it has, it will use it with digest-md5
 | ||||
| #  ifndef _flag_disable_authentication_digest_MD5 | ||||
| 		if (node["@from"]  | ||||
| 			&& config(XMPP + node["@from"],  | ||||
| 				  "_secret_shared")) { | ||||
| 		    packet += "<mechanism>DIGEST-MD5</mechanism>"; | ||||
| 		} | ||||
| #  endif | ||||
| 		 | ||||
| 		// if the other side did present a client certificate
 | ||||
| 		// and we have verified it as X509_V_OK (0)
 | ||||
| 		// we offer SASL external (authentication via name
 | ||||
| 		// presented in x509 certificate
 | ||||
| 		P3(("gateway::certinfo %O\n", certinfo)) | ||||
| #  ifndef DIALBACK_WITHOUT_DIAL_BACK | ||||
| 		if (mappingp(certinfo) && certinfo[0] == 0) { | ||||
| 		    // if from attribute is present we only offer
 | ||||
| 		    // sasl external if we know that it will succeed
 | ||||
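Review bot: The added `#  ifndef DIALBACK_WITHOUT_DIAL_BACK` reads inverted on first sight, because defining a macro named after dialback is what removes the SASL EXTERNAL offer; a one-line comment above it, `// with DIALBACK_WITHOUT_DIAL_BACK the peer certificate is consumed by the db:result handler instead, so EXTERNAL is not offered here`, would spare the next reader a detour, and the matching `#  endif` lands in the following hunk. With the DIGEST-MD5 offer removed and EXTERNAL now conditional, the surrounding `<mechanisms ...>` / `</mechanisms>` lines (both context here) are still emitted unconditionally, so a peer with no acceptable certificate now receives an empty mechanisms element in more cases than before; worth confirming that is intended or moving the element emission under the same conditions. The enclosing open_stream body begins and ends outside the hunk.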
|  | @ -543,6 +496,7 @@ open_stream(XMLNode node) { | |||
| 			packet += "<mechanism>EXTERNAL</mechanism>"; | ||||
| 		    } | ||||
| 		} | ||||
| #  endif | ||||
| 		packet += "</mechanisms>"; | ||||
| # endif | ||||
| 	    } | ||||
|  |  | |||
|  | @ -214,7 +214,7 @@ jabberMsg(XMLNode node, mixed origin, mixed *su, array(mixed) tu) { | |||
| 		vars["_nick_place"] = vars["_INTERNAL_identification"] || origin; | ||||
| 
 | ||||
| #if __EFUN_DEFINED__(mktime) | ||||
| 		if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay")) { | ||||
| 		if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay"))) { | ||||
| 		    string fmt = helper["@stamp"]; | ||||
| 		    int *time = allocate(TM_MAX); | ||||
| 		    int res; | ||||
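Review bot: The corrected condition now balances its parentheses, but `string fmt = helper["@stamp"];` on the next line takes a peer-supplied attribute that the visible lines never check for presence, so a delay element without `@stamp` hands a 0 to whatever parses `fmt` below; if that parser (outside the hunk) does not tolerate it, an `unless (stringp(fmt))` guard that skips the delay handling belongs right after the assignment. The enclosing block of jabberMsg begins and ends outside the hunk.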
|  |  | |||