2 * purple - Jabber Protocol Plugin
4 * Purple is the legal property of its developers, whose names are too numerous
5 * to list here. Please refer to the COPYRIGHT file distributed with this
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
28 #include "conversation.h"
41 static GSList
*auth_mechs
= NULL
;
43 static void auth_old_result_cb(JabberStream
*js
, const char *from
,
44 JabberIqType type
, const char *id
,
45 PurpleXmlNode
*packet
, gpointer data
);
47 static void finish_plaintext_authentication(JabberStream
*js
)
50 PurpleXmlNode
*query
, *x
;
52 iq
= jabber_iq_new_query(js
, JABBER_IQ_SET
, "jabber:iq:auth");
53 query
= purple_xmlnode_get_child(iq
->node
, "query");
54 x
= purple_xmlnode_new_child(query
, "username");
55 purple_xmlnode_insert_data(x
, js
->user
->node
, -1);
56 x
= purple_xmlnode_new_child(query
, "resource");
57 purple_xmlnode_insert_data(x
, js
->user
->resource
, -1);
58 x
= purple_xmlnode_new_child(query
, "password");
59 purple_xmlnode_insert_data(x
, purple_connection_get_password(js
->gc
), -1);
60 jabber_iq_set_callback(iq
, auth_old_result_cb
, NULL
);
64 static void allow_plaintext_auth(PurpleAccount
*account
)
69 purple_account_set_bool(account
, "auth_plain_in_clear", TRUE
);
71 gc
= purple_account_get_connection(account
);
72 js
= purple_connection_get_protocol_data(gc
);
74 finish_plaintext_authentication(js
);
77 static void disallow_plaintext_auth(PurpleAccount
*account
)
79 purple_connection_error(purple_account_get_connection(account
),
80 PURPLE_CONNECTION_ERROR_ENCRYPTION_ERROR
,
81 _("Server requires plaintext authentication over an unencrypted stream"));
84 #ifdef HAVE_CYRUS_SASL
86 auth_old_pass_cb(PurpleConnection
*gc
, PurpleRequestFields
*fields
)
88 PurpleAccount
*account
;
93 /* TODO: the password prompt dialog doesn't get disposed if the account disconnects */
94 PURPLE_ASSERT_CONNECTION_IS_VALID(gc
);
96 account
= purple_connection_get_account(gc
);
97 js
= purple_connection_get_protocol_data(gc
);
99 entry
= purple_request_fields_get_string(fields
, "password");
100 remember
= purple_request_fields_get_bool(fields
, "remember");
102 if (!entry
|| !*entry
)
104 purple_notify_error(account
, NULL
,
105 _("Password is required to sign on."), NULL
,
106 purple_request_cpar_from_connection(gc
));
111 purple_account_set_remember_password(account
, TRUE
);
113 purple_account_set_password(account
, entry
, NULL
, NULL
);
115 /* Restart our connection */
116 jabber_auth_start_old(js
);
120 auth_no_pass_cb(PurpleConnection
*gc
, PurpleRequestFields
*fields
)
122 /* TODO: the password prompt dialog doesn't get disposed if the account disconnects */
123 PURPLE_ASSERT_CONNECTION_IS_VALID(gc
);
125 /* Disable the account as the user has cancelled connecting */
126 purple_account_set_enabled(purple_connection_get_account(gc
), purple_core_get_ui(), FALSE
);
131 jabber_auth_start(JabberStream
*js
, PurpleXmlNode
*packet
)
133 GSList
*mechanisms
= NULL
;
135 PurpleXmlNode
*response
= NULL
;
136 PurpleXmlNode
*mechs
, *mechnode
;
137 JabberSaslState state
;
140 if(js
->registration
) {
141 jabber_register_start(js
);
145 mechs
= purple_xmlnode_get_child(packet
, "mechanisms");
147 purple_connection_error(js
->gc
,
148 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
,
149 _("Invalid response from server"));
153 for(mechnode
= purple_xmlnode_get_child(mechs
, "mechanism"); mechnode
;
154 mechnode
= purple_xmlnode_get_next_twin(mechnode
))
156 char *mech_name
= purple_xmlnode_get_data(mechnode
);
158 if (mech_name
&& *mech_name
)
159 mechanisms
= g_slist_prepend(mechanisms
, mech_name
);
165 for (l
= auth_mechs
; l
; l
= l
->next
) {
166 JabberSaslMech
*possible
= l
->data
;
168 /* Is this the Cyrus SASL mechanism? */
169 if (purple_strequal(possible
->name
, "*")) {
170 js
->auth_mech
= possible
;
174 /* Can we find this mechanism in the server's list? */
175 if (g_slist_find_custom(mechanisms
, possible
->name
, (GCompareFunc
)strcmp
)) {
176 js
->auth_mech
= possible
;
181 g_slist_free_full(mechanisms
, g_free
);
183 if (js
->auth_mech
== NULL
) {
184 /* Found no good mechanisms... */
185 purple_connection_error(js
->gc
,
186 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE
,
187 _("Server does not use any supported authentication method"));
191 state
= js
->auth_mech
->start(js
, mechs
, &response
, &msg
);
192 if (state
== JABBER_SASL_STATE_FAIL
) {
193 purple_connection_error(js
->gc
,
194 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE
,
195 msg
? msg
: _("Unknown Error"));
196 } else if (response
) {
197 jabber_send(js
, response
);
198 purple_xmlnode_free(response
);
204 static void auth_old_result_cb(JabberStream
*js
, const char *from
,
205 JabberIqType type
, const char *id
,
206 PurpleXmlNode
*packet
, gpointer data
)
208 if (type
== JABBER_IQ_RESULT
) {
209 jabber_stream_set_state(js
, JABBER_STREAM_POST_AUTH
);
210 jabber_disco_items_server(js
);
212 PurpleAccount
*account
;
213 PurpleConnectionError reason
= PURPLE_CONNECTION_ERROR_NETWORK_ERROR
;
214 char *msg
= jabber_parse_error(js
, packet
, &reason
);
215 PurpleXmlNode
*error
;
216 const char *err_code
;
218 account
= purple_connection_get_account(js
->gc
);
220 /* FIXME: Why is this not in jabber_parse_error? */
221 if((error
= purple_xmlnode_get_child(packet
, "error")) &&
222 (err_code
= purple_xmlnode_get_attrib(error
, "code")) &&
223 purple_strequal(err_code
, "401")) {
224 reason
= PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED
;
225 /* Clear the pasword if it isn't being saved */
226 if (!purple_account_get_remember_password(account
))
227 purple_account_set_password(account
, NULL
, NULL
, NULL
);
230 purple_connection_error(js
->gc
, reason
, msg
);
235 static void auth_old_cb(JabberStream
*js
, const char *from
,
236 JabberIqType type
, const char *id
,
237 PurpleXmlNode
*packet
, gpointer data
)
240 PurpleXmlNode
*query
, *x
;
241 const char *pw
= purple_connection_get_password(js
->gc
);
243 if (type
== JABBER_IQ_ERROR
) {
244 PurpleConnectionError reason
= PURPLE_CONNECTION_ERROR_NETWORK_ERROR
;
245 char *msg
= jabber_parse_error(js
, packet
, &reason
);
246 purple_connection_error(js
->gc
, reason
, msg
);
248 } else if (type
== JABBER_IQ_RESULT
) {
249 query
= purple_xmlnode_get_child(packet
, "query");
250 if (js
->stream_id
&& *js
->stream_id
&&
251 purple_xmlnode_get_child(query
, "digest")) {
254 iq
= jabber_iq_new_query(js
, JABBER_IQ_SET
, "jabber:iq:auth");
255 query
= purple_xmlnode_get_child(iq
->node
, "query");
256 x
= purple_xmlnode_new_child(query
, "username");
257 purple_xmlnode_insert_data(x
, js
->user
->node
, -1);
258 x
= purple_xmlnode_new_child(query
, "resource");
259 purple_xmlnode_insert_data(x
, js
->user
->resource
, -1);
261 x
= purple_xmlnode_new_child(query
, "digest");
262 s
= g_strdup_printf("%s%s", js
->stream_id
, pw
);
263 hash
= g_compute_checksum_for_string(G_CHECKSUM_SHA1
,
265 purple_xmlnode_insert_data(x
, hash
, -1);
268 jabber_iq_set_callback(iq
, auth_old_result_cb
, NULL
);
270 } else if ((x
= purple_xmlnode_get_child(query
, "crammd5"))) {
271 /* For future reference, this appears to be a custom OS X extension
272 * to non-SASL authentication.
274 const char *challenge
;
277 /* Calculate the MHAC-MD5 digest */
278 challenge
= purple_xmlnode_get_attrib(x
, "challenge");
279 digest
= g_compute_hmac_for_string(G_CHECKSUM_MD5
,
280 (guchar
*)pw
, strlen(pw
),
283 g_return_if_fail(digest
!= NULL
);
285 /* Create the response query */
286 iq
= jabber_iq_new_query(js
, JABBER_IQ_SET
, "jabber:iq:auth");
287 query
= purple_xmlnode_get_child(iq
->node
, "query");
289 x
= purple_xmlnode_new_child(query
, "username");
290 purple_xmlnode_insert_data(x
, js
->user
->node
, -1);
291 x
= purple_xmlnode_new_child(query
, "resource");
292 purple_xmlnode_insert_data(x
, js
->user
->resource
, -1);
294 x
= purple_xmlnode_new_child(query
, "crammd5");
296 purple_xmlnode_insert_data(x
, digest
, 32);
299 jabber_iq_set_callback(iq
, auth_old_result_cb
, NULL
);
302 } else if(purple_xmlnode_get_child(query
, "password")) {
303 PurpleAccount
*account
= purple_connection_get_account(js
->gc
);
304 if(!jabber_stream_is_ssl(js
) && !purple_account_get_bool(account
,
305 "auth_plain_in_clear", FALSE
)) {
306 char *msg
= g_strdup_printf(_("%s requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"),
307 purple_account_get_username(account
));
308 purple_request_yes_no(js
->gc
, _("Plaintext Authentication"),
309 _("Plaintext Authentication"),
312 purple_request_cpar_from_account(account
),
313 account
, allow_plaintext_auth
,
314 disallow_plaintext_auth
);
318 finish_plaintext_authentication(js
);
320 purple_connection_error(js
->gc
,
321 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE
,
322 _("Server does not use any supported authentication method"));
328 void jabber_auth_start_old(JabberStream
*js
)
330 PurpleAccount
*account
;
332 PurpleXmlNode
*query
, *username
;
334 account
= purple_connection_get_account(js
->gc
);
337 * We can end up here without encryption if the server doesn't support
338 * <stream:features/> and we're not using old-style SSL. If the user
339 * is requiring SSL/TLS, we need to enforce it.
341 if (!jabber_stream_is_ssl(js
) &&
342 purple_strequal("require_tls",
343 purple_account_get_string(account
, "connection_security", JABBER_DEFAULT_REQUIRE_TLS
))) {
344 purple_connection_error(js
->gc
,
345 PURPLE_CONNECTION_ERROR_ENCRYPTION_ERROR
,
346 _("You require encryption, but it is not available on this server."));
350 if (js
->registration
) {
351 jabber_register_start(js
);
356 * IQ Auth doesn't have support for resource binding, so we need to pick a
357 * default resource so it will work properly. jabberd14 throws an error and
358 * iChat server just fails silently.
360 if (!js
->user
->resource
|| *js
->user
->resource
== '\0') {
361 g_free(js
->user
->resource
);
362 js
->user
->resource
= g_strdup("Home");
365 #ifdef HAVE_CYRUS_SASL
366 /* If we have Cyrus SASL, then passwords will have been set
367 * to OPTIONAL for this protocol. So, we need to do our own
368 * password prompting here
371 if (!purple_connection_get_password(js
->gc
)) {
372 purple_account_request_password(account
, G_CALLBACK(auth_old_pass_cb
), G_CALLBACK(auth_no_pass_cb
), js
->gc
);
376 iq
= jabber_iq_new_query(js
, JABBER_IQ_GET
, "jabber:iq:auth");
378 query
= purple_xmlnode_get_child(iq
->node
, "query");
379 username
= purple_xmlnode_new_child(query
, "username");
380 purple_xmlnode_insert_data(username
, js
->user
->node
, -1);
382 jabber_iq_set_callback(iq
, auth_old_cb
, NULL
);
388 jabber_auth_handle_challenge(JabberStream
*js
, PurpleXmlNode
*packet
)
390 const char *ns
= purple_xmlnode_get_namespace(packet
);
392 if (!purple_strequal(ns
, NS_XMPP_SASL
)) {
393 purple_connection_error(js
->gc
,
394 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
,
395 _("Invalid response from server"));
399 if (js
->auth_mech
&& js
->auth_mech
->handle_challenge
) {
400 PurpleXmlNode
*response
= NULL
;
402 JabberSaslState state
= js
->auth_mech
->handle_challenge(js
, packet
, &response
, &msg
);
403 if (state
== JABBER_SASL_STATE_FAIL
) {
404 purple_connection_error(js
->gc
,
405 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE
,
406 msg
? msg
: _("Invalid challenge from server"));
407 } else if (response
) {
408 jabber_send(js
, response
);
409 purple_xmlnode_free(response
);
414 purple_debug_warning("jabber", "Received unexpected (and unhandled) <challenge/>\n");
417 void jabber_auth_handle_success(JabberStream
*js
, PurpleXmlNode
*packet
)
419 const char *ns
= purple_xmlnode_get_namespace(packet
);
421 if (!purple_strequal(ns
, NS_XMPP_SASL
)) {
422 purple_connection_error(js
->gc
,
423 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
,
424 _("Invalid response from server"));
428 if (js
->auth_mech
&& js
->auth_mech
->handle_success
) {
430 JabberSaslState state
= js
->auth_mech
->handle_success(js
, packet
, &msg
);
432 if (state
== JABBER_SASL_STATE_FAIL
) {
433 purple_connection_error(js
->gc
,
434 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE
,
435 msg
? msg
: _("Invalid response from server"));
437 } else if (state
== JABBER_SASL_STATE_CONTINUE
) {
438 purple_connection_error(js
->gc
,
439 PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE
,
440 msg
? msg
: _("Server thinks authentication is complete, but client does not"));
448 * The stream will be reinitialized later in jabber_recv_cb_ssl() or
449 * jabber_bosh_connection_send.
452 jabber_stream_set_state(js
, JABBER_STREAM_POST_AUTH
);
455 void jabber_auth_handle_failure(JabberStream
*js
, PurpleXmlNode
*packet
)
457 PurpleConnectionError reason
= PURPLE_CONNECTION_ERROR_NETWORK_ERROR
;
460 if (js
->auth_mech
&& js
->auth_mech
->handle_failure
) {
461 PurpleXmlNode
*stanza
= NULL
;
462 JabberSaslState state
= js
->auth_mech
->handle_failure(js
, packet
, &stanza
, &msg
);
464 if (state
!= JABBER_SASL_STATE_FAIL
) {
466 jabber_send(js
, stanza
);
467 purple_xmlnode_free(stanza
);
475 msg
= jabber_parse_error(js
, packet
, &reason
);
478 purple_connection_error(js
->gc
,
479 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
,
480 _("Invalid response from server"));
482 purple_connection_error(js
->gc
, reason
, msg
);
487 static gint
compare_mech(gconstpointer a
, gconstpointer b
)
489 const JabberSaslMech
*mech_a
= a
;
490 const JabberSaslMech
*mech_b
= b
;
492 /* higher priority comes *before* lower priority in the list */
493 if (mech_a
->priority
> mech_b
->priority
)
495 else if (mech_a
->priority
< mech_b
->priority
)
497 /* This really shouldn't happen */
501 void jabber_auth_add_mech(JabberSaslMech
*mech
)
503 auth_mechs
= g_slist_insert_sorted(auth_mechs
, mech
, compare_mech
);
506 void jabber_auth_remove_mech(JabberSaslMech
*mech
)
508 auth_mechs
= g_slist_remove(auth_mechs
, mech
);
511 void jabber_auth_init(void)
513 JabberSaslMech
**tmp
;
516 jabber_auth_add_mech(jabber_auth_get_plain_mech());
517 jabber_auth_add_mech(jabber_auth_get_digest_md5_mech());
518 #ifdef HAVE_CYRUS_SASL
519 jabber_auth_add_mech(jabber_auth_get_cyrus_mech());
521 #ifdef HAVE_WEBEX_TOKEN
522 jabber_auth_add_mech(jabber_auth_get_webex_token_mech());
525 tmp
= jabber_auth_get_scram_mechs(&count
);
526 for (i
= 0; i
< count
; ++i
)
527 jabber_auth_add_mech(tmp
[i
]);
530 void jabber_auth_uninit(void)
532 g_slist_free(auth_mechs
);