src/core/sip-sec.c

   1 /**
   2  * @file sip-sec.c
   3  *
   4  * pidgin-sipe
   5  *
   6  * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
   7  * Copyright (C) 2009 pier11 <pier11@operamail.com>
   8  *
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License as published by
  12  * the Free Software Foundation; either version 2 of the License, or
  13  * (at your option) any later version.
  14  *
  15  * This program is distributed in the hope that it will be useful,
  16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  * GNU General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU General Public License
  21  * along with this program; if not, write to the Free Software
  22  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 #ifdef HAVE_CONFIG_H
  26 #include "config.h"
  27 #endif
  28
  29 #include <stdlib.h>
  30 #include <string.h>
  31 #include <stdio.h>
  32 #include <time.h>
  33
  34 #include <glib.h>
  35
  36 #include "sipe-common.h"
  37 #include "sip-sec.h"
  38 #include "sipe-backend.h"
  39 #include "sipe-core.h"
  40 #include "sipe-utils.h"
  41
  42 #include "sip-sec-mech.h"
  43
  44 /* SSPI is only supported on Windows platform */
  45 #if defined(_WIN32) && defined(HAVE_SSPI)
  46 #include "sip-sec-sspi.h"
  47 #define SIP_SEC_WINDOWS_SSPI 1
  48 #else
  49 #define SIP_SEC_WINDOWS_SSPI 0
  50 #endif
  51
  52 /* SIPE_AUTHENTICATION_TYPE_BASIC */
  53 #include "sip-sec-basic.h"
  54 #define sip_sec_create_context__Basic      sip_sec_create_context__basic
  55 /* Basic is only used for HTTP, not for SIP */
  56 #define sip_sec_password__Basic            sip_sec_password__NONE
  57
  58 /* SIPE_AUTHENTICATION_TYPE_NTLM */
  59 #if SIP_SEC_WINDOWS_SSPI
  60 #define sip_sec_create_context__NTLM       sip_sec_create_context__sspi
  61 #define sip_sec_password__NTLM             sip_sec_password__sspi
  62 #else
  63 #include "sip-sec-ntlm.h"
  64 #define sip_sec_create_context__NTLM       sip_sec_create_context__ntlm
  65 #define sip_sec_password__NTLM             sip_sec_password__ntlm
  66 #endif
  67
  68 /* SIPE_AUTHENTICATION_TYPE_KERBEROS */
  69 #if SIP_SEC_WINDOWS_SSPI
  70 #define sip_sec_create_context__Kerberos   sip_sec_create_context__sspi
  71 #define sip_sec_password__Kerberos         sip_sec_password__sspi
  72 #elif defined(HAVE_GSSAPI_GSSAPI_H)
  73 #include "sip-sec-krb5.h"
  74 #define sip_sec_create_context__Kerberos   sip_sec_create_context__krb5
  75 #define sip_sec_password__Kerberos         sip_sec_password__krb5
  76 #else
  77 #define sip_sec_create_context__Kerberos   sip_sec_create_context__NONE
  78 #define sip_sec_password__Kerberos         sip_sec_password__NONE
  79 #endif
  80
  81 /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
  82 #if SIP_SEC_WINDOWS_SSPI
  83 #define sip_sec_create_context__Negotiate  sip_sec_create_context__sspi
  84 #elif defined(HAVE_GSSAPI_GSSAPI_H)
  85 #include "sip-sec-negotiate.h"
  86 #define sip_sec_create_context__Negotiate  sip_sec_create_context__negotiate
  87 #else
  88 #define sip_sec_create_context__Negotiate  sip_sec_create_context__NONE
  89 #endif
  90 /* Negotiate is only used for HTTP, not for SIP */
  91 #define sip_sec_password__Negotiate        sip_sec_password__NONE
  92
  93 /* SIPE_AUTHENTICATION_TYPE_TLS_DSK */
  94 #include "sip-sec-tls-dsk.h"
  95 #define sip_sec_create_context__TLS_DSK    sip_sec_create_context__tls_dsk
  96 #define sip_sec_password__TLS_DSK          sip_sec_password__tls_dsk
  97
  98 /* Dummy initialization hook */
  99 static SipSecContext
 100 sip_sec_create_context__NONE(SIPE_UNUSED_PARAMETER guint type)
 101 {
 102         return(NULL);
 103 }
 104
 105 /* Dummy SIP password hook */
 106 static gboolean sip_sec_password__NONE(void)
 107 {
 108         return(TRUE);
 109 }
 110
 111 /* sip_sec API methods */
 112 SipSecContext
 113 sip_sec_create_context(guint type,
 114                        gboolean sso,
 115                        gboolean http,
 116                        const gchar *domain,
 117                        const gchar *username,
 118                        const gchar *password)
 119 {
 120         SipSecContext context = NULL;
 121
 122         /* Map authentication type to module initialization hook & name */
 123         static sip_sec_create_context_func const auth_to_hook[] = {
 124                 sip_sec_create_context__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 125                 sip_sec_create_context__Basic,     /* SIPE_AUTHENTICATION_TYPE_BASIC     */
 126                 sip_sec_create_context__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 127                 sip_sec_create_context__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 128                 sip_sec_create_context__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 129                 sip_sec_create_context__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 130         };
 131
 132         SIPE_DEBUG_INFO("sip_sec_create_context: type: %d, Single Sign-On: %s, protocol: %s",
 133                         type, sso ? "yes" : "no", http ? "HTTP" : "SIP");
 134
 135         context = (*(auth_to_hook[type]))(type);
 136         if (context) {
 137
 138                 context->type = type;
 139
 140                 /* NOTE: mechanism must set private flags acquire_cred_func()! */
 141                 context->flags = 0;
 142
 143                 /* set common flags */
 144                 if (sso)
 145                         context->flags |= SIP_SEC_FLAG_COMMON_SSO;
 146                 if (http)
 147                         context->flags |= SIP_SEC_FLAG_COMMON_HTTP;
 148
 149                 if (!(*context->acquire_cred_func)(context, domain, username, password)) {
 150                         SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_create_context: failed to acquire credentials.");
 151                         (*context->destroy_context_func)(context);
 152                         context = NULL;
 153                 }
 154         }
 155
 156         return(context);
 157 }
 158
 159 gboolean
 160 sip_sec_init_context_step(SipSecContext context,
 161                           const gchar *target,
 162                           const gchar *input_toked_base64,
 163                           gchar **output_toked_base64,
 164                           guint *expires)
 165 {
 166         gboolean ret = FALSE;
 167
 168         if (context) {
 169                 SipSecBuffer in_buff  = {0, NULL};
 170                 SipSecBuffer out_buff = {0, NULL};
 171
 172                 /* Not NULL for NTLM Type 2 or TLS-DSK */
 173                 if (input_toked_base64)
 174                         in_buff.value = g_base64_decode(input_toked_base64, &in_buff.length);
 175
 176                 ret = (*context->init_context_func)(context, in_buff, &out_buff, target);
 177
 178                 if (input_toked_base64)
 179                         g_free(in_buff.value);
 180
 181                 if (ret) {
 182
 183                         if (out_buff.value) {
 184                                 if (out_buff.length > 0) {
 185                                         *output_toked_base64 = g_base64_encode(out_buff.value, out_buff.length);
 186                                 } else {
 187                                         /* special string: caller takes ownership */
 188                                         *output_toked_base64 = (gchar *) out_buff.value;
 189                                         out_buff.value = NULL;
 190                                 }
 191                         }
 192
 193                         g_free(out_buff.value);
 194                 }
 195
 196                 if (expires) {
 197                         *expires = context->expires;
 198                 }
 199         }
 200
 201         return ret;
 202 }
 203
 204 gboolean sip_sec_context_is_ready(SipSecContext context)
 205 {
 206         return(context && (context->flags & SIP_SEC_FLAG_COMMON_READY));
 207 }
 208
 209 guint sip_sec_context_type(SipSecContext context)
 210 {
 211         if (context)
 212                 return(context->type);
 213         else
 214                 return(SIPE_AUTHENTICATION_TYPE_UNSET);
 215 }
 216
 217 void sip_sec_destroy_context(SipSecContext context)
 218 {
 219         if (context) (*context->destroy_context_func)(context);
 220 }
 221
 222 gchar *sip_sec_make_signature(SipSecContext context, const gchar *message)
 223 {
 224         SipSecBuffer signature;
 225         gchar *signature_hex;
 226
 227         if (!(*context->make_signature_func)(context, message, &signature)) {
 228                 SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_make_signature failed. Unable to sign message!");
 229                 return NULL;
 230         }
 231         signature_hex = buff_to_hex_str(signature.value, signature.length);
 232         g_free(signature.value);
 233         return signature_hex;
 234 }
 235
 236 gboolean sip_sec_verify_signature(SipSecContext context,
 237                                   const gchar *message,
 238                                   const gchar *signature_hex)
 239 {
 240         SipSecBuffer signature;
 241         gboolean res;
 242
 243         SIPE_DEBUG_INFO("sip_sec_verify_signature: message is:%s signature to verify is:%s",
 244                         message ? message : "", signature_hex ? signature_hex : "");
 245
 246         if (!message || !signature_hex)
 247                 return FALSE;
 248
 249         signature.length = hex_str_to_buff(signature_hex, &signature.value);
 250         res = (*context->verify_signature_func)(context, message, signature);
 251         g_free(signature.value);
 252         return res;
 253 }
 254
 255 /* Does authentication type require a password? */
 256 gboolean sip_sec_requires_password(guint authentication,
 257                                    gboolean sso)
 258 {
 259         /* Map authentication type to module initialization hook & name */
 260         static sip_sec_password_func const auth_to_hook[] = {
 261                 sip_sec_password__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 262                 sip_sec_password__Basic,     /* SIPE_AUTHENTICATION_TYPE_BASIC     */
 263                 sip_sec_password__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 264                 sip_sec_password__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 265                 sip_sec_password__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 266                 sip_sec_password__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 267         };
 268
 269         /* If Single-Sign On is disabled then a password is required */
 270         if (!sso)
 271                 return(TRUE);
 272
 273         /* Check if authentation method supports Single-Sign On */
 274         return((*(auth_to_hook[authentication]))());
 275 }
 276
 277 /* Initialize & Destroy */
 278 void sip_sec_init(void)
 279 {
 280 #ifndef HAVE_SSPI
 281         sip_sec_init__ntlm();
 282 #endif
 283 }
 284
 285 void sip_sec_destroy(void)
 286 {
 287 #ifndef HAVE_SSPI
 288         sip_sec_destroy__ntlm();
 289 #endif
 290 }
 291
 292 /*
 293   Local Variables:
 294   mode: c
 295   c-file-style: "bsd"
 296   indent-tabs-mode: t
 297   tab-width: 8
 298   End:
 299 */