Diffstat (limited to 'protocols/jabber')
-rw-r--r--protocols/jabber/sasl.c106
1 files changed, 23 insertions, 83 deletions
diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c
index e3467d86..f0381ee8 100644
--- a/protocols/jabber/sasl.c
+++ b/protocols/jabber/sasl.c
@@ -42,27 +42,13 @@ const struct oauth2_service oauth2_service_google =
"6C-Zgf7Tr7gEQTPlBhMUgo7R",
};
-/*static int is_ascii(const char *str)
-{
- if (!str) {
- return 0;
- }
-
- while (*str) {
- if (*str++ & 0x80)
- return 0;
- }
-
- return 1;
-}*/
-
xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
{
struct im_connection *ic = data;
struct jabber_data *jd = ic->proto_data;
struct xt_node *c, *reply;
char *s;
- int sup_plain = 0, sup_digest = 0, sup_gtalk = 0, sup_anonymous = 0, sup_scram = 0, sup_scram_cb = 0;
+ int sup_plain = 0, sup_digest = 0, sup_gtalk = 0, sup_anonymous = 0, sup_scram = 0;
int want_oauth = FALSE, want_hipchat = FALSE, want_anonymous = FALSE;
GString *mechs;
@@ -100,14 +86,8 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
sup_gtalk = 1;
} else if (g_strcasecmp(c->text, "SCRAM-SHA-1") == 0) {
sup_scram |= JSCRAM_SHA1;
- } else if (g_strcasecmp(c->text, "SCRAM-SHA-1-PLUS") == 0) {
- sup_scram |= JSCRAM_SHA1;
- sup_scram_cb |= JSCRAM_SHA1;
} else if (g_strcasecmp(c->text, "SCRAM-SHA-256") == 0) {
sup_scram |= JSCRAM_SHA256;
- } else if (g_strcasecmp(c->text, "SCRAM-SHA-256-PLUS") == 0) {
- sup_scram |= JSCRAM_SHA256;
- sup_scram_cb |= JSCRAM_SHA256;
}
g_string_append_printf(mechs, " %s", c->text);
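Review bot: With the two `-PLUS` branches gone, a server that advertises only `SCRAM-SHA-1-PLUS`/`SCRAM-SHA-256-PLUS` no longer sets `sup_scram` and falls through to the "no supported mechanism" path, which is a deliberate but undocumented consequence worth a comment next to the `SCRAM-SHA-256` branch: `/* SCRAM-*-PLUS (channel binding) is intentionally not recognised; the GS2 header sent later is "n,," */`. The mechanism name is still appended to `mechs`, so the rejected variant will at least show up in the log line built from it, assuming that string is logged further down. sasl_pkt_mechanisms continues outside this hunk.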
@@ -116,16 +96,6 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
c = c->next;
}
- /*if (sup_scram && (!is_ascii(jd->username) || !is_ascii(ic->acc->pass))) {
- imcb_log(ic, "Username/password contains non-ascii characters, SCRAM authentication disabled");
- sup_scram = 0;
- }*/
-
- if (sup_scram_cb && !jd->ssl) {
- imcb_log(ic, "Not connected over TLS, SCRAM Channel bindings disabled");
- sup_scram_cb = 0;
- }
-
if (!want_oauth && !want_anonymous && !sup_plain && !sup_digest && !sup_scram) {
if (sup_gtalk) {
imcb_error(ic, "This server requires OAuth "
@@ -178,53 +148,37 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
xt_free_node(reply);
return XT_ABORT;
} else if (sup_scram && !set_getbool(&ic->acc->set, "disable_scram")) {
- GString *gs;
- int len, r;
+ int rc;
unsigned char cnonce_bin[30];
- char *cnonce, *puser = NULL;
+ char *puser = NULL;
- if (sup_scram & JSCRAM_SHA256 && (!sup_scram_cb || (sup_scram_cb & JSCRAM_SHA256))) {
+ if (sup_scram & JSCRAM_SHA256) {
jd->challenge.type = JCHALLENGE_SCRAM;
jd->challenge.scram_algo = GCRY_MD_SHA256;
- if (sup_scram_cb) {
- xt_add_attr(reply, "mechanism", "SCRAM-SHA-256-PLUS");
- } else {
- xt_add_attr(reply, "mechanism", "SCRAM-SHA-256");
- }
- } else if (sup_scram & JSCRAM_SHA1 && (!sup_scram_cb || (sup_scram_cb & JSCRAM_SHA1))) {
+ xt_add_attr(reply, "mechanism", "SCRAM-SHA-256");
+ } else if (sup_scram & JSCRAM_SHA1) {
jd->challenge.type = JCHALLENGE_SCRAM;
jd->challenge.scram_algo = GCRY_MD_SHA1;
- if (sup_scram_cb) {
- xt_add_attr(reply, "mechanism", "SCRAM-SHA-1-PLUS");
- } else {
- xt_add_attr(reply, "mechanism", "SCRAM-SHA-1");
- }
+ xt_add_attr(reply, "mechanism", "SCRAM-SHA-1");
} else {
imcb_error(ic, "Unknown scram method"); /* Just in case, but we should not get here */
return XT_ABORT;
}
- gs = g_string_sized_new(128);
-
- random_bytes(cnonce_bin, sizeof(cnonce_bin));
- cnonce = base64_encode(cnonce_bin, sizeof(cnonce_bin));
-
- jd->challenge.cnonce = cnonce;
-
- r = stringprep_profile(jd->username, &puser, "SASLprep", 0);
- if (r != STRINGPREP_OK) {
- imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(r));
+ rc = stringprep_profile(jd->username, &puser, "SASLprep", 0);
+ if (rc != STRINGPREP_OK) {
+ imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(rc));
return XT_ABORT;
}
- //jd->challenge.cb_header = g_strdup_printf("%s,,", sup_scram_cb ? "y" : "p=tls-unique");
- jd->challenge.cb_header = g_strdup_printf("%s,,", "n");
- g_string_append_printf(gs, "%sn=%s,r=%s", jd->challenge.cb_header, puser, cnonce);
+ random_bytes(cnonce_bin, sizeof(cnonce_bin));
+ jd->challenge.cnonce = base64_encode(cnonce_bin, sizeof(cnonce_bin));
+
+ jd->challenge.cb_header = g_strdup("n,,");
- len = gs->len;
- s = g_string_free(gs, FALSE);
+ s = g_strdup_printf("%sn=%s,r=%s", jd->challenge.cb_header, puser, jd->challenge.cnonce);
- reply->text = base64_encode((unsigned char *)s , len);
+ reply->text = base64_encode((unsigned char *)s , strlen(s));
reply->text_len = strlen(reply->text);
g_free(puser);
g_free(s);
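Review bot: The SASLprep'd `puser` is interpolated straight into `n=%s,r=%s` on the new `g_strdup_printf` line, but RFC 5802 §5.1 requires `,` and `=` inside the saslname to be encoded as `=2C` and `=3D`; if a JID localpart can carry either character (RFC 7622 does not forbid them), the attribute boundaries of client-first-message are corrupted and the server will reject or mis-parse the name. The same encoding must then be applied to `client_first_bare` in sasl_pkt_challenge_scram, since the auth message hashed on both sides has to match byte-for-byte. The hard-coded `jd->challenge.cb_header = g_strdup("n,,");` is the correct GS2 header only because this commit removes all channel-binding support; please add `/* GS2 header: "n" = client cannot do channel binding (SCRAM-*-PLUS removed); use "y" if support returns and the server offers no -PLUS mechanism, or downgrade detection is lost */` so a later re-introduction does not keep sending `n`. Separately, the "Unknown scram method" path still returns XT_ABORT without `xt_free_node(reply)`, unlike the branch above it; that is pre-existing but is now the only un-freed exit in this block.
```c
/* RFC 5802 §5.1: inside a saslname "," and "=" must be sent as "=2C" and "=3D". */
static char *scram_escape_saslname(const char *name)
{
	GString *out = g_string_new(NULL);

	for (; *name; name++) {
		if (*name == ',') {
			g_string_append(out, "=2C");
		} else if (*name == '=') {
			g_string_append(out, "=3D");
		} else {
			g_string_append_c(out, *name);
		}
	}

	return g_string_free(out, FALSE);
}

	/* … unchanged: mechanism selection, SASLprep of jd->username into puser, cnonce … */
	jd->challenge.cb_header = g_strdup("n,,");

	char *euser = scram_escape_saslname(puser);
	s = g_strdup_printf("%sn=%s,r=%s", jd->challenge.cb_header, euser, jd->challenge.cnonce);
	g_free(euser);
```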
@@ -503,7 +457,7 @@ static xt_status sasl_pkt_challenge_scram(struct xt_node *node, gpointer data)
unsigned char *salt = NULL;
size_t salt_len, iter_count, i;
- int algo = jd->challenge.scram_algo, r;
+ int algo = jd->challenge.scram_algo, rc;
size_t md_len = gcry_md_get_algo_dlen(algo);
unsigned char client_key[md_len];
@@ -530,14 +484,14 @@ static xt_status sasl_pkt_challenge_scram(struct xt_node *node, gpointer data)
goto error;
}
- r = stringprep_profile(jd->username, &puser, "SASLprep", 0);
- if (r != STRINGPREP_OK) {
- imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(r));
+ rc = stringprep_profile(jd->username, &puser, "SASLprep", 0);
+ if (rc != STRINGPREP_OK) {
+ imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(rc));
goto error;
}
- r = stringprep_profile(ic->acc->pass, &ppass, "SASLprep", 0);
- if (r != STRINGPREP_OK) {
- imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(r));
+ rc = stringprep_profile(ic->acc->pass, &ppass, "SASLprep", 0);
+ if (rc != STRINGPREP_OK) {
+ imcb_error(ic, "SASLprep failed: %s", stringprep_strerror(rc));
goto error;
}
@@ -555,20 +509,6 @@ static xt_status sasl_pkt_challenge_scram(struct xt_node *node, gpointer data)
gcry_md_hash_buffer(algo, stored_key, client_key, sizeof(client_key));
- /*if (jd->challenge.cb_header[0] == 'p') {
- gnutls_datum_t cb;
- int rc;
-
- rc = gnutls_session_channel_binding(jd->ssl, GNUTLS_CB_TLS_UNIQUE, &cb);
- if (rc) {
- imcb_log(ic, "Chanel binding error: %s", gnutls_strerror(rc));
- return XT_ABORT;
- }
-
- for (size_t i = 0; i < cb.size; i++)
- fprintf(stderr, "%02x", cb.data[i]);
- fprintf(stderr, "\n");
- }*/
cb_header64 = tobase64(jd->challenge.cb_header);
client_first_bare = g_strdup_printf("n=%s,r=%s", puser, jd->challenge.cnonce);
client_final_noproof = g_strdup_printf("c=%s,r=%s", cb_header64, random);