Use GSList functions instead of manual iterations
[pidgin-git.git] / libpurple / protocols / jabber / auth.c
blob57db2580747d8d2738613818b1fc25b6b857e309
1 /*
2 * purple - Jabber Protocol Plugin
4 * Purple is the legal property of its developers, whose names are too numerous
5 * to list here. Please refer to the COPYRIGHT file distributed with this
6 * source distribution.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
23 #include "internal.h"
25 #include "account.h"
26 #include "debug.h"
27 #include "core.h"
28 #include "conversation.h"
29 #include "request.h"
30 #include "sslconn.h"
31 #include "util.h"
32 #include "xmlnode.h"
34 #include "auth.h"
35 #include "disco.h"
36 #include "jabber.h"
37 #include "jutil.h"
38 #include "iq.h"
39 #include "notify.h"
41 static GSList *auth_mechs = NULL;
43 static void auth_old_result_cb(JabberStream *js, const char *from,
44 JabberIqType type, const char *id,
45 PurpleXmlNode *packet, gpointer data);
47 static void finish_plaintext_authentication(JabberStream *js)
49 JabberIq *iq;
50 PurpleXmlNode *query, *x;
52 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
53 query = purple_xmlnode_get_child(iq->node, "query");
54 x = purple_xmlnode_new_child(query, "username");
55 purple_xmlnode_insert_data(x, js->user->node, -1);
56 x = purple_xmlnode_new_child(query, "resource");
57 purple_xmlnode_insert_data(x, js->user->resource, -1);
58 x = purple_xmlnode_new_child(query, "password");
59 purple_xmlnode_insert_data(x, purple_connection_get_password(js->gc), -1);
60 jabber_iq_set_callback(iq, auth_old_result_cb, NULL);
61 jabber_iq_send(iq);
64 static void allow_plaintext_auth(PurpleAccount *account)
66 PurpleConnection *gc;
67 JabberStream *js;
69 purple_account_set_bool(account, "auth_plain_in_clear", TRUE);
71 gc = purple_account_get_connection(account);
72 js = purple_connection_get_protocol_data(gc);
74 finish_plaintext_authentication(js);
77 static void disallow_plaintext_auth(PurpleAccount *account)
79 purple_connection_error(purple_account_get_connection(account),
80 PURPLE_CONNECTION_ERROR_ENCRYPTION_ERROR,
81 _("Server requires plaintext authentication over an unencrypted stream"));
84 #ifdef HAVE_CYRUS_SASL
85 static void
86 auth_old_pass_cb(PurpleConnection *gc, PurpleRequestFields *fields)
88 PurpleAccount *account;
89 JabberStream *js;
90 const char *entry;
91 gboolean remember;
93 /* TODO: the password prompt dialog doesn't get disposed if the account disconnects */
94 PURPLE_ASSERT_CONNECTION_IS_VALID(gc);
96 account = purple_connection_get_account(gc);
97 js = purple_connection_get_protocol_data(gc);
99 entry = purple_request_fields_get_string(fields, "password");
100 remember = purple_request_fields_get_bool(fields, "remember");
102 if (!entry || !*entry)
104 purple_notify_error(account, NULL,
105 _("Password is required to sign on."), NULL,
106 purple_request_cpar_from_connection(gc));
107 return;
110 if (remember)
111 purple_account_set_remember_password(account, TRUE);
113 purple_account_set_password(account, entry, NULL, NULL);
115 /* Restart our connection */
116 jabber_auth_start_old(js);
119 static void
120 auth_no_pass_cb(PurpleConnection *gc, PurpleRequestFields *fields)
122 /* TODO: the password prompt dialog doesn't get disposed if the account disconnects */
123 PURPLE_ASSERT_CONNECTION_IS_VALID(gc);
125 /* Disable the account as the user has cancelled connecting */
126 purple_account_set_enabled(purple_connection_get_account(gc), purple_core_get_ui(), FALSE);
128 #endif
130 void
131 jabber_auth_start(JabberStream *js, PurpleXmlNode *packet)
133 GSList *mechanisms = NULL;
134 GSList *l;
135 PurpleXmlNode *response = NULL;
136 PurpleXmlNode *mechs, *mechnode;
137 JabberSaslState state;
138 char *msg = NULL;
140 if(js->registration) {
141 jabber_register_start(js);
142 return;
145 mechs = purple_xmlnode_get_child(packet, "mechanisms");
146 if(!mechs) {
147 purple_connection_error(js->gc,
148 PURPLE_CONNECTION_ERROR_NETWORK_ERROR,
149 _("Invalid response from server"));
150 return;
153 for(mechnode = purple_xmlnode_get_child(mechs, "mechanism"); mechnode;
154 mechnode = purple_xmlnode_get_next_twin(mechnode))
156 char *mech_name = purple_xmlnode_get_data(mechnode);
158 if (mech_name && *mech_name)
159 mechanisms = g_slist_prepend(mechanisms, mech_name);
160 else
161 g_free(mech_name);
165 for (l = auth_mechs; l; l = l->next) {
166 JabberSaslMech *possible = l->data;
168 /* Is this the Cyrus SASL mechanism? */
169 if (purple_strequal(possible->name, "*")) {
170 js->auth_mech = possible;
171 break;
174 /* Can we find this mechanism in the server's list? */
175 if (g_slist_find_custom(mechanisms, possible->name, (GCompareFunc)strcmp)) {
176 js->auth_mech = possible;
177 break;
181 g_slist_free_full(mechanisms, g_free);
183 if (js->auth_mech == NULL) {
184 /* Found no good mechanisms... */
185 purple_connection_error(js->gc,
186 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,
187 _("Server does not use any supported authentication method"));
188 return;
191 state = js->auth_mech->start(js, mechs, &response, &msg);
192 if (state == JABBER_SASL_STATE_FAIL) {
193 purple_connection_error(js->gc,
194 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,
195 msg ? msg : _("Unknown Error"));
196 } else if (response) {
197 jabber_send(js, response);
198 purple_xmlnode_free(response);
201 g_free(msg);
204 static void auth_old_result_cb(JabberStream *js, const char *from,
205 JabberIqType type, const char *id,
206 PurpleXmlNode *packet, gpointer data)
208 if (type == JABBER_IQ_RESULT) {
209 jabber_stream_set_state(js, JABBER_STREAM_POST_AUTH);
210 jabber_disco_items_server(js);
211 } else {
212 PurpleAccount *account;
213 PurpleConnectionError reason = PURPLE_CONNECTION_ERROR_NETWORK_ERROR;
214 char *msg = jabber_parse_error(js, packet, &reason);
215 PurpleXmlNode *error;
216 const char *err_code;
218 account = purple_connection_get_account(js->gc);
220 /* FIXME: Why is this not in jabber_parse_error? */
221 if((error = purple_xmlnode_get_child(packet, "error")) &&
222 (err_code = purple_xmlnode_get_attrib(error, "code")) &&
223 purple_strequal(err_code, "401")) {
224 reason = PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED;
225 /* Clear the pasword if it isn't being saved */
226 if (!purple_account_get_remember_password(account))
227 purple_account_set_password(account, NULL, NULL, NULL);
230 purple_connection_error(js->gc, reason, msg);
231 g_free(msg);
235 static void auth_old_cb(JabberStream *js, const char *from,
236 JabberIqType type, const char *id,
237 PurpleXmlNode *packet, gpointer data)
239 JabberIq *iq;
240 PurpleXmlNode *query, *x;
241 const char *pw = purple_connection_get_password(js->gc);
243 if (type == JABBER_IQ_ERROR) {
244 PurpleConnectionError reason = PURPLE_CONNECTION_ERROR_NETWORK_ERROR;
245 char *msg = jabber_parse_error(js, packet, &reason);
246 purple_connection_error(js->gc, reason, msg);
247 g_free(msg);
248 } else if (type == JABBER_IQ_RESULT) {
249 query = purple_xmlnode_get_child(packet, "query");
250 if (js->stream_id && *js->stream_id &&
251 purple_xmlnode_get_child(query, "digest")) {
252 char *s, *hash;
254 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
255 query = purple_xmlnode_get_child(iq->node, "query");
256 x = purple_xmlnode_new_child(query, "username");
257 purple_xmlnode_insert_data(x, js->user->node, -1);
258 x = purple_xmlnode_new_child(query, "resource");
259 purple_xmlnode_insert_data(x, js->user->resource, -1);
261 x = purple_xmlnode_new_child(query, "digest");
262 s = g_strdup_printf("%s%s", js->stream_id, pw);
263 hash = g_compute_checksum_for_string(G_CHECKSUM_SHA1,
264 s, -1);
265 purple_xmlnode_insert_data(x, hash, -1);
266 g_free(hash);
267 g_free(s);
268 jabber_iq_set_callback(iq, auth_old_result_cb, NULL);
269 jabber_iq_send(iq);
270 } else if ((x = purple_xmlnode_get_child(query, "crammd5"))) {
271 /* For future reference, this appears to be a custom OS X extension
272 * to non-SASL authentication.
274 const char *challenge;
275 gchar *digest;
277 /* Calculate the MHAC-MD5 digest */
278 challenge = purple_xmlnode_get_attrib(x, "challenge");
279 digest = g_compute_hmac_for_string(G_CHECKSUM_MD5,
280 (guchar *)pw, strlen(pw),
281 challenge, -1);
283 g_return_if_fail(digest != NULL);
285 /* Create the response query */
286 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth");
287 query = purple_xmlnode_get_child(iq->node, "query");
289 x = purple_xmlnode_new_child(query, "username");
290 purple_xmlnode_insert_data(x, js->user->node, -1);
291 x = purple_xmlnode_new_child(query, "resource");
292 purple_xmlnode_insert_data(x, js->user->resource, -1);
294 x = purple_xmlnode_new_child(query, "crammd5");
296 purple_xmlnode_insert_data(x, digest, 32);
297 g_free(digest);
299 jabber_iq_set_callback(iq, auth_old_result_cb, NULL);
300 jabber_iq_send(iq);
302 } else if(purple_xmlnode_get_child(query, "password")) {
303 PurpleAccount *account = purple_connection_get_account(js->gc);
304 if(!jabber_stream_is_ssl(js) && !purple_account_get_bool(account,
305 "auth_plain_in_clear", FALSE)) {
306 char *msg = g_strdup_printf(_("%s requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
307 purple_account_get_username(account));
308 purple_request_yes_no(js->gc, _("Plaintext Authentication"),
309 _("Plaintext Authentication"),
310 msg,
312 purple_request_cpar_from_account(account),
313 account, allow_plaintext_auth,
314 disallow_plaintext_auth);
315 g_free(msg);
316 return;
318 finish_plaintext_authentication(js);
319 } else {
320 purple_connection_error(js->gc,
321 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,
322 _("Server does not use any supported authentication method"));
323 return;
328 void jabber_auth_start_old(JabberStream *js)
330 PurpleAccount *account;
331 JabberIq *iq;
332 PurpleXmlNode *query, *username;
334 account = purple_connection_get_account(js->gc);
337 * We can end up here without encryption if the server doesn't support
338 * <stream:features/> and we're not using old-style SSL. If the user
339 * is requiring SSL/TLS, we need to enforce it.
341 if (!jabber_stream_is_ssl(js) &&
342 purple_strequal("require_tls",
343 purple_account_get_string(account, "connection_security", JABBER_DEFAULT_REQUIRE_TLS))) {
344 purple_connection_error(js->gc,
345 PURPLE_CONNECTION_ERROR_ENCRYPTION_ERROR,
346 _("You require encryption, but it is not available on this server."));
347 return;
350 if (js->registration) {
351 jabber_register_start(js);
352 return;
356 * IQ Auth doesn't have support for resource binding, so we need to pick a
357 * default resource so it will work properly. jabberd14 throws an error and
358 * iChat server just fails silently.
360 if (!js->user->resource || *js->user->resource == '\0') {
361 g_free(js->user->resource);
362 js->user->resource = g_strdup("Home");
365 #ifdef HAVE_CYRUS_SASL
366 /* If we have Cyrus SASL, then passwords will have been set
367 * to OPTIONAL for this protocol. So, we need to do our own
368 * password prompting here
371 if (!purple_connection_get_password(js->gc)) {
372 purple_account_request_password(account, G_CALLBACK(auth_old_pass_cb), G_CALLBACK(auth_no_pass_cb), js->gc);
373 return;
375 #endif
376 iq = jabber_iq_new_query(js, JABBER_IQ_GET, "jabber:iq:auth");
378 query = purple_xmlnode_get_child(iq->node, "query");
379 username = purple_xmlnode_new_child(query, "username");
380 purple_xmlnode_insert_data(username, js->user->node, -1);
382 jabber_iq_set_callback(iq, auth_old_cb, NULL);
384 jabber_iq_send(iq);
387 void
388 jabber_auth_handle_challenge(JabberStream *js, PurpleXmlNode *packet)
390 const char *ns = purple_xmlnode_get_namespace(packet);
392 if (!purple_strequal(ns, NS_XMPP_SASL)) {
393 purple_connection_error(js->gc,
394 PURPLE_CONNECTION_ERROR_NETWORK_ERROR,
395 _("Invalid response from server"));
396 return;
399 if (js->auth_mech && js->auth_mech->handle_challenge) {
400 PurpleXmlNode *response = NULL;
401 char *msg = NULL;
402 JabberSaslState state = js->auth_mech->handle_challenge(js, packet, &response, &msg);
403 if (state == JABBER_SASL_STATE_FAIL) {
404 purple_connection_error(js->gc,
405 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,
406 msg ? msg : _("Invalid challenge from server"));
407 } else if (response) {
408 jabber_send(js, response);
409 purple_xmlnode_free(response);
412 g_free(msg);
413 } else
414 purple_debug_warning("jabber", "Received unexpected (and unhandled) <challenge/>\n");
417 void jabber_auth_handle_success(JabberStream *js, PurpleXmlNode *packet)
419 const char *ns = purple_xmlnode_get_namespace(packet);
421 if (!purple_strequal(ns, NS_XMPP_SASL)) {
422 purple_connection_error(js->gc,
423 PURPLE_CONNECTION_ERROR_NETWORK_ERROR,
424 _("Invalid response from server"));
425 return;
428 if (js->auth_mech && js->auth_mech->handle_success) {
429 char *msg = NULL;
430 JabberSaslState state = js->auth_mech->handle_success(js, packet, &msg);
432 if (state == JABBER_SASL_STATE_FAIL) {
433 purple_connection_error(js->gc,
434 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,
435 msg ? msg : _("Invalid response from server"));
436 return;
437 } else if (state == JABBER_SASL_STATE_CONTINUE) {
438 purple_connection_error(js->gc,
439 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,
440 msg ? msg : _("Server thinks authentication is complete, but client does not"));
441 return;
444 g_free(msg);
448 * The stream will be reinitialized later in jabber_recv_cb_ssl() or
449 * jabber_bosh_connection_send.
451 js->reinit = TRUE;
452 jabber_stream_set_state(js, JABBER_STREAM_POST_AUTH);
455 void jabber_auth_handle_failure(JabberStream *js, PurpleXmlNode *packet)
457 PurpleConnectionError reason = PURPLE_CONNECTION_ERROR_NETWORK_ERROR;
458 char *msg = NULL;
460 if (js->auth_mech && js->auth_mech->handle_failure) {
461 PurpleXmlNode *stanza = NULL;
462 JabberSaslState state = js->auth_mech->handle_failure(js, packet, &stanza, &msg);
464 if (state != JABBER_SASL_STATE_FAIL) {
465 if (stanza) {
466 jabber_send(js, stanza);
467 purple_xmlnode_free(stanza);
470 return;
474 if (!msg)
475 msg = jabber_parse_error(js, packet, &reason);
477 if (!msg) {
478 purple_connection_error(js->gc,
479 PURPLE_CONNECTION_ERROR_NETWORK_ERROR,
480 _("Invalid response from server"));
481 } else {
482 purple_connection_error(js->gc, reason, msg);
483 g_free(msg);
487 static gint compare_mech(gconstpointer a, gconstpointer b)
489 const JabberSaslMech *mech_a = a;
490 const JabberSaslMech *mech_b = b;
492 /* higher priority comes *before* lower priority in the list */
493 if (mech_a->priority > mech_b->priority)
494 return -1;
495 else if (mech_a->priority < mech_b->priority)
496 return 1;
497 /* This really shouldn't happen */
498 return 0;
501 void jabber_auth_add_mech(JabberSaslMech *mech)
503 auth_mechs = g_slist_insert_sorted(auth_mechs, mech, compare_mech);
506 void jabber_auth_remove_mech(JabberSaslMech *mech)
508 auth_mechs = g_slist_remove(auth_mechs, mech);
511 void jabber_auth_init(void)
513 JabberSaslMech **tmp;
514 gint count, i;
516 jabber_auth_add_mech(jabber_auth_get_plain_mech());
517 jabber_auth_add_mech(jabber_auth_get_digest_md5_mech());
518 #ifdef HAVE_CYRUS_SASL
519 jabber_auth_add_mech(jabber_auth_get_cyrus_mech());
520 #endif
521 #ifdef HAVE_WEBEX_TOKEN
522 jabber_auth_add_mech(jabber_auth_get_webex_token_mech());
523 #endif
525 tmp = jabber_auth_get_scram_mechs(&count);
526 for (i = 0; i < count; ++i)
527 jabber_auth_add_mech(tmp[i]);
530 void jabber_auth_uninit(void)
532 g_slist_free(auth_mechs);
533 auth_mechs = NULL;