Merge branch 'scram' into patched-master

4 files changed, 48 insertions, 42 deletions

diff --git a/configure b/configure
index 1bd7fef3..39153dc6 100755
--- a/configure
+++ b/configure
@@ -886,6 +886,8 @@ if [ "$protocols" = "PROTOCOLS = " ]; then
 	echo "         BitlBee will run, but you will be unable to connect to IM servers!"
 fi
 
+echo "EFLAGS+=$(pkg-config libidn --libs)" >> Makefile.settings
+
 echo "PROTOCOLS = $protocols" >> Makefile.settings
 echo "PROTOOBJS = $protoobjs" >> Makefile.settings
 
diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c
index 2fa19c0f..fcd90598 100644
--- a/protocols/jabber/jabber.c
+++ b/protocols/jabber/jabber.c
@@ -116,6 +116,9 @@ static void jabber_init(account_t *acc)
 	s = set_add(&acc->set, "carbons", "true", set_eval_bool, acc);
 	s->flags |= ACC_SET_OFFLINE_ONLY;
 
+	s = set_add(&acc->set, "disable_scram", "false", set_eval_bool, acc);
+	s->flags |= SET_HIDDEN_DEFAULT;
+
 	acc->flags |= ACC_FLAG_AWAY_MESSAGE | ACC_FLAG_STATUS_MESSAGE |
 	              ACC_FLAG_HANDLE_DOMAINS;
 }
@@ -379,6 +382,7 @@ static void jabber_logout(struct im_connection *ic)
 	g_free(jd->me);
 	g_free(jd->challenge.cnonce);
 	g_free(jd->challenge.server_signature);
+	g_free(jd->challenge.cb_header);
 	g_free(jd);
 
 	jabber_connections = g_slist_remove(jabber_connections, ic);
diff --git a/protocols/jabber/jabber.h b/protocols/jabber/jabber.h
index 3445e4d7..c97c5b71 100644
--- a/protocols/jabber/jabber.h
+++ b/protocols/jabber/jabber.h
@@ -109,6 +109,7 @@ struct jabber_data {
 		int scram_algo;
 		char *cnonce;
 		char *server_signature;
+		char *cb_header;
 	} challenge;
 
 	const struct oauth2_service *oauth2_service;
diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c
index 10fbe270..f0381ee8 100644
--- a/protocols/jabber/sasl.c
+++ b/protocols/jabber/sasl.c
@@ -23,6 +23,8 @@
 
 #include <ctype.h>
 #include <gcrypt.h>
+#include <gnutls/gnutls.h>
+#include <stringprep.h>
 
 #include "jabber.h"
 #include "base64.h"
@@ -40,20 +42,6 @@ const struct oauth2_service oauth2_service_google =
 	"6C-Zgf7Tr7gEQTPlBhMUgo7R",
 };
 
-static int is_ascii(const char *str)
-{
-	if (!str) {
-		return 0;
-	}
-
-	while (*str) {
-		if (*str++ & 0x80)
-			return 0;
-	}
-
-	return 1;
-}
-
 xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
 {
 	struct im_connection *ic = data;
@@ -97,9 +85,9 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
 			} else if (g_strcasecmp(c->text, "X-OAUTH2") == 0) {
 				sup_gtalk = 1;
 			} else if (g_strcasecmp(c->text, "SCRAM-SHA-1") == 0) {
-				sup_scram = JSCRAM_SHA1;
+				sup_scram |= JSCRAM_SHA1;
 			} else if (g_strcasecmp(c->text, "SCRAM-SHA-256") == 0) {
-				sup_scram = JSCRAM_SHA256;
+				sup_scram |= JSCRAM_SHA256;
 			}
 
 			g_string_append_printf(mechs, " %s", c->text);
@@ -108,11 +96,6 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
 		c = c->next;
 	}
 
-	if (sup_scram && (!is_ascii(jd->username) || !is_ascii(ic->acc->pass))) {
-		imcb_log(ic, "Username/password contains non-ascii characters, SCRAM authentication disabled");
-		sup_scram = 0;
-	}
-
 	if (!want_oauth && !want_anonymous && !sup_plain && !sup_digest && !sup_scram) {
 		if (sup_gtalk) {
 			imcb_error(ic, "This server requires OAuth "
@@ -164,11 +147,10 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
 		imc_logout(ic, FALSE);
 		xt_free_node(reply);
 		return XT_ABORT;
-	} else if (sup_scram) {
-		GString *gs;
-		int len;
+	} else if (sup_scram && !set_getbool(&ic->acc->set, "disable_scram")) {
+		int rc;
 		unsigned char cnonce_bin[30];
-		char *cnonce;
+		char *puser = NULL;
 
 		if (sup_scram & JSCRAM_SHA256) {
 			jd->challenge.type = JCHALLENGE_SCRAM;
@@ -183,21 +165,22 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
 			return XT_ABORT;
 		}
 
-		gs = g_string_sized_new(128);
+		rc = stringprep_profile(jd->username, &puser, "SASLprep", 0);
+		if (rc != STRINGPREP_OK) {
+			imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(rc));
+			return XT_ABORT;
+		}
 
 		random_bytes(cnonce_bin, sizeof(cnonce_bin));
-		cnonce = base64_encode(cnonce_bin, sizeof(cnonce_bin));
+		jd->challenge.cnonce = base64_encode(cnonce_bin, sizeof(cnonce_bin));
 
-		jd->challenge.cnonce = cnonce;
+		jd->challenge.cb_header = g_strdup("n,,");
 
-		/* XXX: Saslprep username */
-		g_string_append_printf(gs, "n,,n=%s,r=%s", jd->username, cnonce);
-
-		len = gs->len;
-		s = g_string_free(gs, FALSE);
+		s = g_strdup_printf("%sn=%s,r=%s", jd->challenge.cb_header, puser, jd->challenge.cnonce);
 
-		reply->text = base64_encode((unsigned char *)s , len);
+		reply->text = base64_encode((unsigned char *)s , strlen(s));
 		reply->text_len = strlen(reply->text);
+		g_free(puser);
 		g_free(s);
 	} else if (sup_digest && !(jd->ssl && sup_plain)) {
 		/* Only try DIGEST-MD5 if there's no SSL/TLS or if PLAIN isn't supported.
@@ -468,12 +451,13 @@ static xt_status sasl_pkt_challenge_scram(struct xt_node *node, gpointer data)
 	struct xt_node *reply_pkt = NULL;
 	xt_status ret = XT_ABORT;
 	char *random = NULL, *salt64 = NULL, *iter_str = NULL, *encoded_proof = NULL,
-	     *reply = NULL, *client_first_bare = NULL, *server_first = NULL,
-	     *client_final_noproof = NULL, *auth_message = NULL, *client_final = NULL;
+	     *reply = NULL, *client_first_bare = NULL, *server_first = NULL, *cb_header64 = NULL,
+	     *client_final_noproof = NULL, *auth_message = NULL, *client_final = NULL, *puser = NULL, *ppass = NULL;
+
 	unsigned char *salt = NULL;
 	size_t salt_len, iter_count, i;
 
-	int algo = jd->challenge.scram_algo;
+	int algo = jd->challenge.scram_algo, rc;
 	size_t md_len = gcry_md_get_algo_dlen(algo);
 
 	unsigned char client_key[md_len];
@@ -500,15 +484,24 @@ static xt_status sasl_pkt_challenge_scram(struct xt_node *node, gpointer data)
 		goto error;
 	}
 
-	// XXX: Normalize password with saslprep
+	rc = stringprep_profile(jd->username, &puser, "SASLprep", 0);
+	if (rc != STRINGPREP_OK) {
+		imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(rc));
+		goto error;
+	}
+	rc = stringprep_profile(ic->acc->pass, &ppass, "SASLprep", 0);
+	if (rc != STRINGPREP_OK) {
+		imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(rc));
+		goto error;
+	}
 
 	salt_len = base64_decode(salt64, &salt);
 
-	if (gcry_kdf_derive(ic->acc->pass, strlen(ic->acc->pass),
+	if (gcry_kdf_derive(ppass, strlen(ppass),
 			GCRY_KDF_PBKDF2, algo,
 			salt, salt_len, iter_count,
 			sizeof(salted_password), salted_password) != 0) {
-		imcb_error(ic, "gcrypt went booboo :(");
+		imcb_error(ic, "PBKDF failed");
 		goto error;
 	}
 
@@ -516,8 +509,9 @@ static xt_status sasl_pkt_challenge_scram(struct xt_node *node, gpointer data)
 
 	gcry_md_hash_buffer(algo, stored_key, client_key, sizeof(client_key));
 
-	client_first_bare = g_strdup_printf("n=%s,r=%s", jd->username, jd->challenge.cnonce);
-	client_final_noproof = g_strdup_printf("c=biws,r=%s", random);
+	cb_header64 = tobase64(jd->challenge.cb_header);
+	client_first_bare = g_strdup_printf("n=%s,r=%s", puser, jd->challenge.cnonce);
+	client_final_noproof = g_strdup_printf("c=%s,r=%s", cb_header64, random);
 
 	auth_message = g_strdup_printf("%s,%s,%s", client_first_bare, server_first, client_final_noproof);
 
@@ -551,11 +545,14 @@ error:
 	imc_logout(ic, FALSE);
 
 silent_error:
+	g_free(puser);
+	g_free(ppass);
 	g_free(random);
 	g_free(salt64);
 	g_free(salt);
 	g_free(iter_str);
 	g_free(encoded_proof);
+	g_free(cb_header64);
 	g_free(client_first_bare);
 	g_free(client_final_noproof);
 	g_free(client_final);
@@ -563,6 +560,8 @@ silent_error:
 	g_free(reply);
 	g_free(jd->challenge.cnonce);
 	jd->challenge.cnonce = NULL;
+	g_free(jd->challenge.cb_header);
+	jd->challenge.cb_header = NULL;
 	xt_free_node(reply_pkt);
 	return ret;
 }