src/core/sip-sec.c

   1 /**
   2  * @file sip-sec.c
   3  *
   4  * pidgin-sipe
   5  *
   6  * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
   7  * Copyright (C) 2009 pier11 <pier11@operamail.com>
   8  *
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License as published by
  12  * the Free Software Foundation; either version 2 of the License, or
  13  * (at your option) any later version.
  14  *
  15  * This program is distributed in the hope that it will be useful,
  16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  * GNU General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU General Public License
  21  * along with this program; if not, write to the Free Software
  22  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 #ifdef HAVE_CONFIG_H
  26 #include "config.h"
  27 #endif
  28
  29 #include <stdlib.h>
  30 #include <string.h>
  31 #include <stdio.h>
  32 #include <time.h>
  33
  34 #include <glib.h>
  35
  36 #include "sipe-common.h"
  37 #include "sip-sec.h"
  38 #include "sipe-backend.h"
  39 #include "sipe-core.h"
  40 #include "sipe-utils.h"
  41
  42 #include "sip-sec-mech.h"
  43
  44 /* SSPI is only supported on Windows platform */
  45 #if defined(_WIN32) && defined(HAVE_SSPI)
  46 #include "sip-sec-sspi.h"
  47 #define SIP_SEC_WINDOWS_SSPI 1
  48 #else
  49 #define SIP_SEC_WINDOWS_SSPI 0
  50 #endif
  51
  52 #ifdef HAVE_GSSAPI_GSSAPI_H
  53 #include "sip-sec-gssapi.h"
  54 #endif
  55
  56 /* SIPE_AUTHENTICATION_TYPE_BASIC */
  57 #include "sip-sec-basic.h"
  58 #define sip_sec_create_context__Basic      sip_sec_create_context__basic
  59 /* Basic is only used for HTTP, not for SIP */
  60 #define sip_sec_password__Basic            sip_sec_password__NONE
  61
  62 /* SIPE_AUTHENTICATION_TYPE_NTLM */
  63 #if SIP_SEC_WINDOWS_SSPI
  64 #define sip_sec_create_context__NTLM       sip_sec_create_context__sspi
  65 #define sip_sec_password__NTLM             sip_sec_password__sspi
  66 #elif defined(HAVE_GSSAPI_ONLY)
  67 #define sip_sec_create_context__NTLM       sip_sec_create_context__gssapi
  68 #define sip_sec_password__NTLM             sip_sec_password__gssapi
  69 #else
  70 #include "sip-sec-ntlm.h"
  71 #define sip_sec_create_context__NTLM       sip_sec_create_context__ntlm
  72 #define sip_sec_password__NTLM             sip_sec_password__ntlm
  73 #endif
  74
  75 /* SIPE_AUTHENTICATION_TYPE_KERBEROS */
  76 #if SIP_SEC_WINDOWS_SSPI
  77 #define sip_sec_create_context__Kerberos   sip_sec_create_context__sspi
  78 #define sip_sec_password__Kerberos         sip_sec_password__sspi
  79 #elif defined(HAVE_GSSAPI_GSSAPI_H)
  80 #define sip_sec_create_context__Kerberos   sip_sec_create_context__gssapi
  81 #define sip_sec_password__Kerberos         sip_sec_password__gssapi
  82 #else
  83 #define sip_sec_create_context__Kerberos   sip_sec_create_context__NONE
  84 #define sip_sec_password__Kerberos         sip_sec_password__NONE
  85 #endif
  86
  87 /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
  88 #if SIP_SEC_WINDOWS_SSPI
  89 #define sip_sec_create_context__Negotiate  sip_sec_create_context__sspi
  90 #elif defined(HAVE_GSSAPI_GSSAPI_H)
  91 #include "sip-sec-negotiate.h"
  92 #define sip_sec_create_context__Negotiate  sip_sec_create_context__negotiate
  93 #else
  94 #define sip_sec_create_context__Negotiate  sip_sec_create_context__NONE
  95 #endif
  96 /* Negotiate is only used for HTTP, not for SIP */
  97 #define sip_sec_password__Negotiate        sip_sec_password__NONE
  98
  99 /* SIPE_AUTHENTICATION_TYPE_TLS_DSK */
 100 #include "sip-sec-tls-dsk.h"
 101 #define sip_sec_create_context__TLS_DSK    sip_sec_create_context__tls_dsk
 102 #define sip_sec_password__TLS_DSK          sip_sec_password__tls_dsk
 103
 104 /* Dummy initialization hook */
 105 static SipSecContext
 106 sip_sec_create_context__NONE(SIPE_UNUSED_PARAMETER guint type)
 107 {
 108         return(NULL);
 109 }
 110
 111 /* Dummy SIP password hook */
 112 static gboolean sip_sec_password__NONE(void)
 113 {
 114         return(TRUE);
 115 }
 116
 117 /* sip_sec API methods */
 118 SipSecContext
 119 sip_sec_create_context(guint type,
 120                        gboolean sso,
 121                        gboolean http,
 122                        const gchar *domain,
 123                        const gchar *username,
 124                        const gchar *password)
 125 {
 126         SipSecContext context = NULL;
 127
 128         /* Map authentication type to module initialization hook & name */
 129         static sip_sec_create_context_func const auth_to_hook[] = {
 130                 sip_sec_create_context__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 131                 sip_sec_create_context__Basic,     /* SIPE_AUTHENTICATION_TYPE_BASIC     */
 132                 sip_sec_create_context__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 133                 sip_sec_create_context__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 134                 sip_sec_create_context__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 135                 sip_sec_create_context__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 136         };
 137
 138         SIPE_DEBUG_INFO("sip_sec_create_context: type: %d, Single Sign-On: %s, protocol: %s",
 139                         type, sso ? "yes" : "no", http ? "HTTP" : "SIP");
 140
 141         context = (*(auth_to_hook[type]))(type);
 142         if (context) {
 143
 144                 context->type = type;
 145
 146                 /* NOTE: mechanism must set private flags acquire_cred_func()! */
 147                 context->flags = 0;
 148
 149                 /* set common flags */
 150                 if (sso)
 151                         context->flags |= SIP_SEC_FLAG_COMMON_SSO;
 152                 if (http)
 153                         context->flags |= SIP_SEC_FLAG_COMMON_HTTP;
 154
 155                 if (!(*context->acquire_cred_func)(context, domain, username, password)) {
 156                         SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_create_context: failed to acquire credentials.");
 157                         (*context->destroy_context_func)(context);
 158                         context = NULL;
 159                 }
 160         }
 161
 162         return(context);
 163 }
 164
 165 gboolean
 166 sip_sec_init_context_step(SipSecContext context,
 167                           const gchar *target,
 168                           const gchar *input_toked_base64,
 169                           gchar **output_toked_base64,
 170                           guint *expires)
 171 {
 172         gboolean ret = FALSE;
 173
 174         if (context) {
 175                 SipSecBuffer in_buff  = {0, NULL};
 176                 SipSecBuffer out_buff = {0, NULL};
 177
 178                 /* Not NULL for NTLM Type 2 or TLS-DSK */
 179                 if (input_toked_base64)
 180                         in_buff.value = g_base64_decode(input_toked_base64, &in_buff.length);
 181
 182                 ret = (*context->init_context_func)(context, in_buff, &out_buff, target);
 183
 184                 if (input_toked_base64)
 185                         g_free(in_buff.value);
 186
 187                 if (ret) {
 188
 189                         if (out_buff.value) {
 190                                 if (out_buff.length > 0) {
 191                                         *output_toked_base64 = g_base64_encode(out_buff.value, out_buff.length);
 192                                 } else {
 193                                         /* special string: caller takes ownership */
 194                                         *output_toked_base64 = (gchar *) out_buff.value;
 195                                         out_buff.value = NULL;
 196                                 }
 197                         }
 198
 199                         g_free(out_buff.value);
 200                 }
 201
 202                 if (expires) {
 203                         *expires = context->expires;
 204                 }
 205         }
 206
 207         return ret;
 208 }
 209
 210 gboolean sip_sec_context_is_ready(SipSecContext context)
 211 {
 212         return(context && (context->flags & SIP_SEC_FLAG_COMMON_READY));
 213 }
 214
 215 const gchar *sip_sec_context_name(SipSecContext context)
 216 {
 217         if (context)
 218                 return((*context->context_name_func)(context));
 219         else
 220                 return(NULL);
 221 }
 222
 223 guint sip_sec_context_type(SipSecContext context)
 224 {
 225         if (context)
 226                 return(context->type);
 227         else
 228                 return(SIPE_AUTHENTICATION_TYPE_UNSET);
 229 }
 230
 231 void sip_sec_destroy_context(SipSecContext context)
 232 {
 233         if (context) (*context->destroy_context_func)(context);
 234 }
 235
 236 gchar *sip_sec_make_signature(SipSecContext context, const gchar *message)
 237 {
 238         SipSecBuffer signature;
 239         gchar *signature_hex;
 240
 241         if (!(*context->make_signature_func)(context, message, &signature)) {
 242                 SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_make_signature failed. Unable to sign message!");
 243                 return NULL;
 244         }
 245         signature_hex = buff_to_hex_str(signature.value, signature.length);
 246         g_free(signature.value);
 247         return signature_hex;
 248 }
 249
 250 gboolean sip_sec_verify_signature(SipSecContext context,
 251                                   const gchar *message,
 252                                   const gchar *signature_hex)
 253 {
 254         SipSecBuffer signature;
 255         gboolean res;
 256
 257         SIPE_DEBUG_INFO("sip_sec_verify_signature: message is:%s signature to verify is:%s",
 258                         message ? message : "", signature_hex ? signature_hex : "");
 259
 260         if (!message || !signature_hex)
 261                 return FALSE;
 262
 263         signature.length = hex_str_to_buff(signature_hex, &signature.value);
 264         res = (*context->verify_signature_func)(context, message, signature);
 265         g_free(signature.value);
 266         return res;
 267 }
 268
 269 /* Does authentication type require a password? */
 270 gboolean sip_sec_requires_password(guint authentication,
 271                                    gboolean sso)
 272 {
 273         /* Map authentication type to module initialization hook & name */
 274         static sip_sec_password_func const auth_to_hook[] = {
 275                 sip_sec_password__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 276                 sip_sec_password__Basic,     /* SIPE_AUTHENTICATION_TYPE_BASIC     */
 277                 sip_sec_password__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 278                 sip_sec_password__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 279                 sip_sec_password__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 280                 sip_sec_password__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 281         };
 282
 283         /* If Single-Sign On is disabled then a password is required */
 284         if (!sso)
 285                 return(TRUE);
 286
 287         /* Check if authentation method supports Single-Sign On */
 288         return((*(auth_to_hook[authentication]))());
 289 }
 290
 291 /* Initialize & Destroy */
 292 void sip_sec_init(void)
 293 {
 294 #if !defined(HAVE_GSSAPI_ONLY) && !defined(HAVE_SSPI)
 295         sip_sec_init__ntlm();
 296 #endif
 297 }
 298
 299 void sip_sec_destroy(void)
 300 {
 301 #if !defined(HAVE_GSSAPI_ONLY) && !defined(HAVE_SSPI)
 302         sip_sec_destroy__ntlm();
 303 #endif
 304 }
 305
 306 /*
 307   Local Variables:
 308   mode: c
 309   c-file-style: "bsd"
 310   indent-tabs-mode: t
 311   tab-width: 8
 312   End:
 313 */