Merge commit 'origin'
This commit is contained in:
commit
e953913f30
3 changed files with 29 additions and 130 deletions
|
@ -192,18 +192,8 @@ handle_stream_features(XMLNode node) {
|
||||||
encode_base64(_host_XMPP)
|
encode_base64(_host_XMPP)
|
||||||
+ "</auth>");
|
+ "</auth>");
|
||||||
return;
|
return;
|
||||||
} else
|
|
||||||
#endif
|
|
||||||
if (mechs["DIGEST-MD5"]
|
|
||||||
&& config(XMPP + hostname, "_secret_shared")) {
|
|
||||||
PT(("jabber/active requesting to do digest md5\n"))
|
|
||||||
emit("<auth mechanism='DIGEST-MD5' "
|
|
||||||
"xmlns='" NS_XMPP "xmpp-sasl>" +
|
|
||||||
encode_base64(_host_XMPP) +
|
|
||||||
"</auth>");
|
|
||||||
return;
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef SWITCH2PSYC
|
#ifdef SWITCH2PSYC
|
||||||
|
@ -439,51 +429,6 @@ jabberMsg(XMLNode node) {
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case "challenge":
|
|
||||||
PT(("%O got a sasl challenge\n", ME))
|
|
||||||
if (node["@xmlns"] == NS_XMPP "xmpp-sasl") {
|
|
||||||
unless(t = node[Cdata]) {
|
|
||||||
// none given
|
|
||||||
} else unless (t = to_string(decode_base64(t))) {
|
|
||||||
// base64 decode error?
|
|
||||||
} else {
|
|
||||||
// this one is shared across all those digest md5's
|
|
||||||
mixed data;
|
|
||||||
string secret;
|
|
||||||
string response;
|
|
||||||
PT(("decoded challenge: %O\n", t))
|
|
||||||
data = sasl_parse(t);
|
|
||||||
PT(("extracted %O\n", data))
|
|
||||||
|
|
||||||
data["username"] = _host_XMPP;
|
|
||||||
secret = config(XMPP + hostname, "_secret_shared");
|
|
||||||
unless(secret) {
|
|
||||||
// mh... this is a problem!
|
|
||||||
// we only started doing this if we have a secret,
|
|
||||||
// so this cant be empty
|
|
||||||
}
|
|
||||||
data["cnonce"] = RANDHEXSTRING;
|
|
||||||
data["nc"] = "00000001";
|
|
||||||
data["digest-uri"] = "xmpp/" _host_XMPP;
|
|
||||||
|
|
||||||
response = sasl_calculate_digestMD5(data, secret, 0);
|
|
||||||
|
|
||||||
// ok, the username is our hostname
|
|
||||||
// note: qop must not be quoted, as we are 'client'
|
|
||||||
t = "username=\"" _host_XMPP "\","
|
|
||||||
"realm=\"" + data["realm"] + "\","
|
|
||||||
"nonce=\"" + data["nonce"] + "\","
|
|
||||||
"cnonce=\"" + data["cnonce"] + "\","
|
|
||||||
"nc=" + data["nc"] + ",qop=auth,"
|
|
||||||
"digest-uri=\"" + data["digest-uri"] + "\","
|
|
||||||
"response=" + response + ",charset=utf-8";
|
|
||||||
PT(("%O sent rspauth %O\n", ME, response))
|
|
||||||
emit("<response xmlns='" NS_XMPP "xmpp-sasl'>"
|
|
||||||
+ encode_base64(t) +
|
|
||||||
"</response>");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case "failure":
|
case "failure":
|
||||||
// the other side has to close the stream
|
// the other side has to close the stream
|
||||||
monitor_report("_error_invalid_authentication_XMPP", sprintf("%O got a failure with xml namespace %O\n", ME, node["@xmlns"]));
|
monitor_report("_error_invalid_authentication_XMPP", sprintf("%O got a failure with xml namespace %O\n", ME, node["@xmlns"]));
|
||||||
|
|
|
@ -199,7 +199,6 @@ jabberMsg(XMLNode node) {
|
||||||
if (! (source && target
|
if (! (source && target
|
||||||
|| node[Tag] == "stream:error"
|
|| node[Tag] == "stream:error"
|
||||||
|| node[Tag] == "auth"
|
|| node[Tag] == "auth"
|
||||||
|| node[Tag] == "response"
|
|
||||||
#ifdef SWITCH2PSYC
|
#ifdef SWITCH2PSYC
|
||||||
|| node[Tag] == "switching"
|
|| node[Tag] == "switching"
|
||||||
#endif
|
#endif
|
||||||
|
@ -256,6 +255,16 @@ jabberMsg(XMLNode node) {
|
||||||
remove_interactive(ME);
|
remove_interactive(ME);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
// dialback without dial-back - if the certificate is valid and the sender
|
||||||
|
// is contained in the subject take the shortcut and consider the request
|
||||||
|
// valid
|
||||||
|
// paranoia note: as with XEP 0178 we might want to check dns anyway to
|
||||||
|
// protect against stolen certificates
|
||||||
|
if (mappingp(certinfo) && certinfo[0] == 0
|
||||||
|
&& node["@from"] && certificate_check_jabbername(node["@from"], certinfo)) {
|
||||||
|
P2(("dialback without dialback %O\n", certinfo))
|
||||||
|
verify_connection(node["@to"], node["@from"], "valid");
|
||||||
|
} else {
|
||||||
sendmsg(origin,
|
sendmsg(origin,
|
||||||
"_dialback_request_verify", 0,
|
"_dialback_request_verify", 0,
|
||||||
([ "_INTERNAL_target_jabber" : source,
|
([ "_INTERNAL_target_jabber" : source,
|
||||||
|
@ -271,6 +280,7 @@ jabberMsg(XMLNode node) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
active = o -> sGateway(ME, target, streamid);
|
active = o -> sGateway(ME, target, streamid);
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
case "db:verify":
|
case "db:verify":
|
||||||
target = NAMEPREP(target);
|
target = NAMEPREP(target);
|
||||||
|
@ -380,59 +390,12 @@ jabberMsg(XMLNode node) {
|
||||||
QUIT
|
QUIT
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case "DIGEST-MD5":
|
|
||||||
PT(("jabber/gateway got a request to do digest md5\n"))
|
|
||||||
// if the other side thinks, that is has a shared
|
|
||||||
// secret with us... well, THEY tried
|
|
||||||
if (config(XMPP + t, "_secret_shared")) {
|
|
||||||
emit("<challenge xmlns='" NS_XMPP "xmpp-sasl'>" +
|
|
||||||
encode_base64(sprintf("realm=\"%s\",nonce=\"%s\","
|
|
||||||
"qop=\"auth\",charset=utf-8,"
|
|
||||||
"algorithm=md5-sess",
|
|
||||||
_host_XMPP, RANDHEXSTRING)
|
|
||||||
) + "</challenge>");
|
|
||||||
} else {
|
|
||||||
// kind of 'unknown username'
|
|
||||||
SASL_ERROR("not-authorized")
|
|
||||||
QUIT
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
default:
|
||||||
SASL_ERROR("invalid-mechanism")
|
SASL_ERROR("invalid-mechanism")
|
||||||
QUIT
|
QUIT
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
case "response":
|
|
||||||
P2(("%O got SASL response\n", ME))
|
|
||||||
if ((t2 = node[Cdata])
|
|
||||||
&& (t = to_string(decode_base64(t2)))) {
|
|
||||||
// this one is very similar to the stuff in active.c
|
|
||||||
string secret;
|
|
||||||
mixed data;
|
|
||||||
|
|
||||||
data = sasl_parse(t);
|
|
||||||
|
|
||||||
P2(("extracted: %O\n", data))
|
|
||||||
|
|
||||||
secret = config(XMPP + data["username"], "_secret_shared");
|
|
||||||
unless(secret) {
|
|
||||||
// tell the host that we dont share a secret with them
|
|
||||||
// currently this happens as not-authorized
|
|
||||||
}
|
|
||||||
if (data["response"] == sasl_calculate_digestMD5(data, secret, 0)) {
|
|
||||||
emit("<success xmlns='" NS_XMPP "xmpp-sasl'>"
|
|
||||||
+ encode_base64("rspauth=" + sasl_calculate_digestMD5(data, secret, 1)) + "</success>");
|
|
||||||
# ifdef LOG_XMPP_AUTH
|
|
||||||
D0( log_file("XMPP_AUTH", "\n%O has authenticated %O via SASL digest md5", ME, data["username"]); )
|
|
||||||
# endif
|
|
||||||
sAuthenticated(data["username"]);
|
|
||||||
} else {
|
|
||||||
SASL_ERROR("not-authorized")
|
|
||||||
QUIT
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return;
|
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
su = parse_uniform(origin);
|
su = parse_uniform(origin);
|
||||||
|
@ -517,22 +480,12 @@ open_stream(XMLNode node) {
|
||||||
} else unless (mappingp(authhosts)) {
|
} else unless (mappingp(authhosts)) {
|
||||||
# ifdef WANT_S2S_SASL
|
# ifdef WANT_S2S_SASL
|
||||||
packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
|
packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
|
||||||
// let the other side decide if it knows a shared secret
|
|
||||||
// with us
|
|
||||||
// if it it has, it will use it with digest-md5
|
|
||||||
# ifndef _flag_disable_authentication_digest_MD5
|
|
||||||
if (node["@from"]
|
|
||||||
&& config(XMPP + node["@from"],
|
|
||||||
"_secret_shared")) {
|
|
||||||
packet += "<mechanism>DIGEST-MD5</mechanism>";
|
|
||||||
}
|
|
||||||
# endif
|
|
||||||
|
|
||||||
// if the other side did present a client certificate
|
// if the other side did present a client certificate
|
||||||
// and we have verified it as X509_V_OK (0)
|
// and we have verified it as X509_V_OK (0)
|
||||||
// we offer SASL external (authentication via name
|
// we offer SASL external (authentication via name
|
||||||
// presented in x509 certificate
|
// presented in x509 certificate
|
||||||
P3(("gateway::certinfo %O\n", certinfo))
|
P3(("gateway::certinfo %O\n", certinfo))
|
||||||
|
# ifndef DIALBACK_WITHOUT_DIAL_BACK
|
||||||
if (mappingp(certinfo) && certinfo[0] == 0) {
|
if (mappingp(certinfo) && certinfo[0] == 0) {
|
||||||
// if from attribute is present we only offer
|
// if from attribute is present we only offer
|
||||||
// sasl external if we know that it will succeed
|
// sasl external if we know that it will succeed
|
||||||
|
@ -543,6 +496,7 @@ open_stream(XMLNode node) {
|
||||||
packet += "<mechanism>EXTERNAL</mechanism>";
|
packet += "<mechanism>EXTERNAL</mechanism>";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
# endif
|
||||||
packet += "</mechanisms>";
|
packet += "</mechanisms>";
|
||||||
# endif
|
# endif
|
||||||
}
|
}
|
||||||
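Review bot: The new certificate shortcut in the `db:result` branch (hunk at -256) runs unconditionally, while the matching change in open_stream (hunk at -517) only drops the EXTERNAL offer under `# ifndef DIALBACK_WITHOUT_DIAL_BACK`, so a build without that macro both advertises EXTERNAL and skips dialback on a good certificate, and defining it changes nothing in this branch; wrap the shortcut in `#ifdef DIALBACK_WITHOUT_DIAL_BACK` and replace `} else {` with `} else` / `#endif` / `{` so the sendmsg fallback stays unconditional. The check and the verify_connection call use the raw `node["@from"]` and `node["@to"]`, whereas the rest of this case works on `source`/`target`, which `case "db:verify"` passes through NAMEPREP; if those are the normalised attributes, pass them to certificate_check_jabbername and verify_connection too, so the name matched against the certificate is the one the verified connection is recorded under. The enclosing switch on node[Tag] starts and ends outside the hunk. With DIGEST-MD5 removed, open_stream can now emit `<mechanisms>` with no child mechanism whenever the macro is defined or the certificate did not verify, since the open and close tags stay unconditional; only emitting the element when at least one mechanism was appended avoids advertising an empty SASL feature.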
|
|
|
@ -214,7 +214,7 @@ jabberMsg(XMLNode node, mixed origin, mixed *su, array(mixed) tu) {
|
||||||
vars["_nick_place"] = vars["_INTERNAL_identification"] || origin;
|
vars["_nick_place"] = vars["_INTERNAL_identification"] || origin;
|
||||||
|
|
||||||
#if __EFUN_DEFINED__(mktime)
|
#if __EFUN_DEFINED__(mktime)
|
||||||
if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay")) {
|
if ((helper = getchild(node, "x", "jabber:x:delay")) || (helper = getchild(node, "x", "urn:xmpp:delay"))) {
|
||||||
string fmt = helper["@stamp"];
|
string fmt = helper["@stamp"];
|
||||||
int *time = allocate(TM_MAX);
|
int *time = allocate(TM_MAX);
|
||||||
int res;
|
int res;
|
||||||
|
|