search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
digest: add support for OpenSSL 1.1.0
[siplcs.git] / src / core / sip-sec.c
blobffb10545261eca636aa8ef6f317c858ffb2065c1
1 /**
2 * @file sip-sec.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2010-2015 SIPE Project <http://sipe.sourceforge.net/>
7 * Copyright (C) 2009 pier11 <pier11@operamail.com>
8 *
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #ifdef HAVE_CONFIG_H
26 #include "config.h"
27 #endif
28
29 #include <stdlib.h>
30 #include <string.h>
31 #include <stdio.h>
32 #include <time.h>
33
34 #include <glib.h>
35
36 #include "sipe-common.h"
37 #include "sip-sec.h"
38 #include "sipe-backend.h"
39 #include "sipe-core.h"
40 #include "sipe-utils.h"
41
42 #include "sip-sec-mech.h"
43
44 /* SSPI is only supported on Windows platform */
45 #if defined(_WIN32) && defined(HAVE_SSPI)
46 #include "sip-sec-sspi.h"
47 #define SIP_SEC_WINDOWS_SSPI 1
48 #else
49 #define SIP_SEC_WINDOWS_SSPI 0
50 #endif
51
52 #ifdef HAVE_GSSAPI_GSSAPI_H
53 #include "sip-sec-gssapi.h"
54 #endif
55
56 /* SIPE_AUTHENTICATION_TYPE_BASIC */
57 #include "sip-sec-basic.h"
58 #define sip_sec_create_context__Basic sip_sec_create_context__basic
59 /* Basic is only used for HTTP, not for SIP */
60 #define sip_sec_password__Basic sip_sec_password__NONE
61
62 /* SIPE_AUTHENTICATION_TYPE_NTLM */
63 #if SIP_SEC_WINDOWS_SSPI
64 #define sip_sec_create_context__NTLM sip_sec_create_context__sspi
65 #define sip_sec_password__NTLM sip_sec_password__sspi
66 #elif defined(HAVE_GSSAPI_ONLY)
67 #define sip_sec_create_context__NTLM sip_sec_create_context__gssapi
68 #define sip_sec_password__NTLM sip_sec_password__gssapi
69 #else
70 #include "sip-sec-ntlm.h"
71 #define sip_sec_create_context__NTLM sip_sec_create_context__ntlm
72 #define sip_sec_password__NTLM sip_sec_password__ntlm
73 #endif
74
75 /* SIPE_AUTHENTICATION_TYPE_KERBEROS */
76 #if SIP_SEC_WINDOWS_SSPI
77 #define sip_sec_create_context__Kerberos sip_sec_create_context__sspi
78 #define sip_sec_password__Kerberos sip_sec_password__sspi
79 #elif defined(HAVE_GSSAPI_GSSAPI_H)
80 #define sip_sec_create_context__Kerberos sip_sec_create_context__gssapi
81 #define sip_sec_password__Kerberos sip_sec_password__gssapi
82 #else
83 #define sip_sec_create_context__Kerberos sip_sec_create_context__NONE
84 #define sip_sec_password__Kerberos sip_sec_password__NONE
85 #endif
86
87 /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
88 #if SIP_SEC_WINDOWS_SSPI
89 #define sip_sec_create_context__Negotiate sip_sec_create_context__sspi
90 #elif defined(HAVE_GSSAPI_ONLY)
91 #define sip_sec_create_context__Negotiate sip_sec_create_context__gssapi
92 #elif defined(HAVE_GSSAPI_GSSAPI_H)
93 #include "sip-sec-negotiate.h"
94 #define sip_sec_create_context__Negotiate sip_sec_create_context__negotiate
95 #else
96 #define sip_sec_create_context__Negotiate sip_sec_create_context__NONE
97 #endif
98 /* Negotiate is only used for HTTP, not for SIP */
99 #define sip_sec_password__Negotiate sip_sec_password__NONE
100
101 /* SIPE_AUTHENTICATION_TYPE_TLS_DSK */
102 #include "sip-sec-tls-dsk.h"
103 #define sip_sec_create_context__TLS_DSK sip_sec_create_context__tls_dsk
104 #define sip_sec_password__TLS_DSK sip_sec_password__tls_dsk
105
106 /* Dummy initialization hook */
107 static SipSecContext
108 sip_sec_create_context__NONE(SIPE_UNUSED_PARAMETER guint type)
109 {
110 return(NULL);
111 }
112
113 /* Dummy SIP password hooks */
114 static gboolean sip_sec_password__NONE(void)
115 {
116 /* Don't ask for a password */
117 return(FALSE);
118 }
119
120 /* sip_sec API methods */
121 SipSecContext
122 sip_sec_create_context(guint type,
123 gboolean sso,
124 gboolean http,
125 const gchar *username,
126 const gchar *password)
127 {
128 SipSecContext context = NULL;
129
130 /* Map authentication type to module initialization hook & name */
131 static sip_sec_create_context_func const auth_to_hook[] = {
132 sip_sec_create_context__NONE, /* SIPE_AUTHENTICATION_TYPE_UNSET */
133 sip_sec_create_context__Basic, /* SIPE_AUTHENTICATION_TYPE_BASIC */
134 sip_sec_create_context__NTLM, /* SIPE_AUTHENTICATION_TYPE_NTLM */
135 sip_sec_create_context__Kerberos, /* SIPE_AUTHENTICATION_TYPE_KERBEROS */
136 sip_sec_create_context__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
137 sip_sec_create_context__TLS_DSK, /* SIPE_AUTHENTICATION_TYPE_TLS_DSK */
138 sip_sec_create_context__NONE, /* SIPE_AUTHENTICATION_TYPE_AUTOMATIC */
139 };
140
141 SIPE_DEBUG_INFO("sip_sec_create_context: type: %d, Single Sign-On: %s, protocol: %s",
142 type, sso ? "yes" : "no", http ? "HTTP" : "SIP");
143
144 context = (*(auth_to_hook[type]))(type);
145 if (context) {
146
147 context->type = type;
148
149 /* NOTE: mechanism must set private flags acquire_cred_func()! */
150 context->flags = 0;
151
152 /* set common flags */
153 if (sso)
154 context->flags |= SIP_SEC_FLAG_COMMON_SSO;
155 if (http)
156 context->flags |= SIP_SEC_FLAG_COMMON_HTTP;
157
158 if (!(*context->acquire_cred_func)(context, username, password)) {
159 SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_create_context: failed to acquire credentials.");
160 (*context->destroy_context_func)(context);
161 context = NULL;
162 }
163 }
164
165 return(context);
166 }
167
168 gboolean
169 sip_sec_init_context_step(SipSecContext context,
170 const gchar *target,
171 const gchar *input_toked_base64,
172 gchar **output_toked_base64,
173 guint *expires)
174 {
175 gboolean ret = FALSE;
176
177 if (context) {
178 SipSecBuffer in_buff = {0, NULL};
179 SipSecBuffer out_buff = {0, NULL};
180
181 /* Not NULL for NTLM Type 2 or TLS-DSK */
182 if (input_toked_base64)
183 in_buff.value = g_base64_decode(input_toked_base64, &in_buff.length);
184
185 ret = (*context->init_context_func)(context, in_buff, &out_buff, target);
186
187 if (input_toked_base64)
188 g_free(in_buff.value);
189
190 if (ret) {
191
192 if (out_buff.value) {
193 if (out_buff.length > 0) {
194 *output_toked_base64 = g_base64_encode(out_buff.value, out_buff.length);
195 } else {
196 /* special string: caller takes ownership */
197 *output_toked_base64 = (gchar *) out_buff.value;
198 out_buff.value = NULL;
199 }
200 }
201
202 g_free(out_buff.value);
203 }
204
205 if (expires) {
206 *expires = context->expires;
207 }
208 }
209
210 return ret;
211 }
212
213 gboolean sip_sec_context_is_ready(SipSecContext context)
214 {
215 return(context && (context->flags & SIP_SEC_FLAG_COMMON_READY));
216 }
217
218 const gchar *sip_sec_context_name(SipSecContext context)
219 {
220 if (context)
221 return((*context->context_name_func)(context));
222 else
223 return(NULL);
224 }
225
226 guint sip_sec_context_type(SipSecContext context)
227 {
228 if (context)
229 return(context->type);
230 else
231 return(SIPE_AUTHENTICATION_TYPE_UNSET);
232 }
233
234 void sip_sec_destroy_context(SipSecContext context)
235 {
236 if (context) (*context->destroy_context_func)(context);
237 }
238
239 gchar *sip_sec_make_signature(SipSecContext context, const gchar *message)
240 {
241 SipSecBuffer signature;
242 gchar *signature_hex;
243
244 if (!(*context->make_signature_func)(context, message, &signature)) {
245 SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_make_signature failed. Unable to sign message!");
246 return NULL;
247 }
248 signature_hex = buff_to_hex_str(signature.value, signature.length);
249 g_free(signature.value);
250 return signature_hex;
251 }
252
253 gboolean sip_sec_verify_signature(SipSecContext context,
254 const gchar *message,
255 const gchar *signature_hex)
256 {
257 SipSecBuffer signature;
258 gboolean res;
259
260 SIPE_DEBUG_INFO("sip_sec_verify_signature: message is:%s signature to verify is:%s",
261 message ? message : "", signature_hex ? signature_hex : "");
262
263 if (!message || !signature_hex)
264 return FALSE;
265
266 signature.length = hex_str_to_buff(signature_hex, &signature.value);
267 res = (*context->verify_signature_func)(context, message, signature);
268 g_free(signature.value);
269 return res;
270 }
271
272 /* Does authentication type require a password? */
273 gboolean sip_sec_requires_password(guint authentication,
274 gboolean sso)
275 {
276 /* Map authentication type to module initialization hook & name */
277 static sip_sec_password_func const auth_to_hook[] = {
278 sip_sec_password__NONE, /* SIPE_AUTHENTICATION_TYPE_UNSET */
279 sip_sec_password__Basic, /* SIPE_AUTHENTICATION_TYPE_BASIC */
280 sip_sec_password__NTLM, /* SIPE_AUTHENTICATION_TYPE_NTLM */
281 sip_sec_password__Kerberos, /* SIPE_AUTHENTICATION_TYPE_KERBEROS */
282 sip_sec_password__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
283 sip_sec_password__TLS_DSK, /* SIPE_AUTHENTICATION_TYPE_TLS_DSK */
284 sip_sec_password__NONE, /* SIPE_AUTHENTICATION_TYPE_AUTOMATIC */
285 };
286
287 /* If Single-Sign On is disabled then a password is required */
288 if (!sso)
289 return(TRUE);
290
291 /* Check if authentation method supports Single-Sign On */
292 return((*(auth_to_hook[authentication]))());
293 }
294
295 /* Initialize & Destroy */
296 void sip_sec_init(void)
297 {
298 #if !defined(HAVE_GSSAPI_ONLY) && !defined(HAVE_SSPI)
299 sip_sec_init__ntlm();
300 #endif
301 }
302
303 void sip_sec_destroy(void)
304 {
305 #if !defined(HAVE_GSSAPI_ONLY) && !defined(HAVE_SSPI)
306 sip_sec_destroy__ntlm();
307 #endif
308 }
309
310 /*
311 Local Variables:
312 mode: c
313 c-file-style: "bsd"
314 indent-tabs-mode: t
315 tab-width: 8
316 End:
317 */
A third-party Pidgin plugin for Microsoft LCS/OCS