src/core/sip-sec.c

   1 /**
   2  * @file sip-sec.c
   3  *
   4  * pidgin-sipe
   5  *
   6  * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
   7  * Copyright (C) 2009 pier11 <pier11@operamail.com>
   8  *
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License as published by
  12  * the Free Software Foundation; either version 2 of the License, or
  13  * (at your option) any later version.
  14  *
  15  * This program is distributed in the hope that it will be useful,
  16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  * GNU General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU General Public License
  21  * along with this program; if not, write to the Free Software
  22  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 #ifdef HAVE_CONFIG_H
  26 #include "config.h"
  27 #endif
  28
  29 #include <stdlib.h>
  30 #include <string.h>
  31 #include <stdio.h>
  32 #include <time.h>
  33
  34 #include <glib.h>
  35
  36 #include "sipe-common.h"
  37 #include "sip-sec.h"
  38 #include "sipe-backend.h"
  39 #include "sipe-utils.h"
  40
  41 #include "sip-sec-mech.h"
  42
  43 /* SSPI is only supported on Windows platform */
  44 #if defined(_WIN32) && defined(HAVE_SSPI)
  45 #include "sip-sec-sspi.h"
  46 #define SIP_SEC_WINDOWS_SSPI 1
  47 #else
  48 #define SIP_SEC_WINDOWS_SSPI 0
  49 #endif
  50
  51 /* SIPE_AUTHENTICATION_TYPE_NTLM */
  52 #if SIP_SEC_WINDOWS_SSPI
  53 #define sip_sec_create_context__NTLM       sip_sec_create_context__sspi
  54 #define sip_sec_password__NTLM             sip_sec_password__sspi
  55 #else
  56 #include "sip-sec-ntlm.h"
  57 #define sip_sec_create_context__NTLM       sip_sec_create_context__ntlm
  58 #define sip_sec_password__NTLM             sip_sec_password__ntlm
  59 #endif
  60
  61 /* SIPE_AUTHENTICATION_TYPE_KERBEROS */
  62 #if SIP_SEC_WINDOWS_SSPI
  63 #define sip_sec_create_context__Kerberos   sip_sec_create_context__sspi
  64 #define sip_sec_password__Kerberos         sip_sec_password__sspi
  65 #elif defined(HAVE_LIBKRB5)
  66 #include "sip-sec-krb5.h"
  67 #define sip_sec_create_context__Kerberos   sip_sec_create_context__krb5
  68 #define sip_sec_password__Kerberos         sip_sec_password__krb5
  69 #else
  70 #define sip_sec_create_context__Kerberos   sip_sec_create_context__NONE
  71 #define sip_sec_password__Kerberos         sip_sec_password__NONE
  72 #endif
  73
  74 /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
  75 #if SIP_SEC_WINDOWS_SSPI
  76 #define sip_sec_create_context__Negotiate  sip_sec_create_context__sspi
  77 #elif defined(HAVE_LIBKRB5)
  78 #include "sip-sec-negotiate.h"
  79 #define sip_sec_create_context__Negotiate  sip_sec_create_context__negotiate
  80 #else
  81 #define sip_sec_create_context__Negotiate  sip_sec_create_context__NONE
  82 #endif
  83 /* Negotiate is only used for HTTP, not for SIP */
  84 #define sip_sec_password__Negotiate        sip_sec_password__NONE
  85
  86 /* SIPE_AUTHENTICATION_TYPE_TLS_DSK */
  87 #include "sip-sec-tls-dsk.h"
  88 #define sip_sec_create_context__TLS_DSK    sip_sec_create_context__tls_dsk
  89 #define sip_sec_password__TLS_DSK          sip_sec_password__tls_dsk
  90
  91 /* Dummy initialization hook */
  92 static SipSecContext
  93 sip_sec_create_context__NONE(SIPE_UNUSED_PARAMETER guint type)
  94 {
  95         return(NULL);
  96 }
  97
  98 /* Dummy SIP password hook */
  99 static gboolean sip_sec_password__NONE(void)
 100 {
 101         return(TRUE);
 102 }
 103
 104 /* sip_sec API methods */
 105 SipSecContext
 106 sip_sec_create_context(guint type,
 107                        gboolean sso,
 108                        gboolean http,
 109                        const gchar *domain,
 110                        const gchar *username,
 111                        const gchar *password)
 112 {
 113         SipSecContext context = NULL;
 114
 115         /* Map authentication type to module initialization hook & name */
 116         static sip_sec_create_context_func const auth_to_hook[] = {
 117                 sip_sec_create_context__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 118                 sip_sec_create_context__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 119                 sip_sec_create_context__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 120                 sip_sec_create_context__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 121                 sip_sec_create_context__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 122         };
 123
 124         SIPE_DEBUG_INFO("sip_sec_create_context: type: %d, Single Sign-On: %s, protocol: %s",
 125                         type, sso ? "yes" : "no", http ? "HTTP" : "SIP");
 126
 127         context = (*(auth_to_hook[type]))(type);
 128         if (context) {
 129
 130                 /* NOTE: mechanism must set private flags acquire_cred_func()! */
 131                 context->flags = 0;
 132
 133                 /* set common flags */
 134                 if (sso)
 135                         context->flags |= SIP_SEC_FLAG_COMMON_SSO;
 136                 if (http)
 137                         context->flags |= SIP_SEC_FLAG_COMMON_HTTP;
 138
 139                 if (!(*context->acquire_cred_func)(context, domain, username, password)) {
 140                         SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_create_context: failed to acquire credentials.");
 141                         (*context->destroy_context_func)(context);
 142                         context = NULL;
 143                 }
 144         }
 145
 146         return(context);
 147 }
 148
 149 gboolean
 150 sip_sec_init_context_step(SipSecContext context,
 151                           const gchar *target,
 152                           const gchar *input_toked_base64,
 153                           gchar **output_toked_base64,
 154                           guint *expires)
 155 {
 156         gboolean ret = FALSE;
 157
 158         if (context) {
 159                 SipSecBuffer in_buff  = {0, NULL};
 160                 SipSecBuffer out_buff = {0, NULL};
 161
 162                 /* Not NULL for NTLM Type 2 or TLS-DSK */
 163                 if (input_toked_base64)
 164                         in_buff.value = g_base64_decode(input_toked_base64, &in_buff.length);
 165
 166                 ret = (*context->init_context_func)(context, in_buff, &out_buff, target);
 167
 168                 if (input_toked_base64)
 169                         g_free(in_buff.value);
 170
 171                 if (ret) {
 172
 173                         if (out_buff.value) {
 174                                 if (out_buff.length > 0) {
 175                                         *output_toked_base64 = g_base64_encode(out_buff.value, out_buff.length);
 176                                 } else {
 177                                         /* special string: caller takes ownership */
 178                                         *output_toked_base64 = (gchar *) out_buff.value;
 179                                         out_buff.value = NULL;
 180                                 }
 181                         }
 182
 183                         g_free(out_buff.value);
 184                 }
 185
 186                 if (expires) {
 187                         *expires = context->expires;
 188                 }
 189         }
 190
 191         return ret;
 192 }
 193
 194 gboolean sip_sec_context_is_ready(SipSecContext context)
 195 {
 196         return(context && (context->flags & SIP_SEC_FLAG_COMMON_READY));
 197 }
 198
 199 void
 200 sip_sec_destroy_context(SipSecContext context)
 201 {
 202         if (context) (*context->destroy_context_func)(context);
 203 }
 204
 205 gchar *sip_sec_make_signature(SipSecContext context, const gchar *message)
 206 {
 207         SipSecBuffer signature;
 208         gchar *signature_hex;
 209
 210         if (!(*context->make_signature_func)(context, message, &signature)) {
 211                 SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_make_signature failed. Unable to sign message!");
 212                 return NULL;
 213         }
 214         signature_hex = buff_to_hex_str(signature.value, signature.length);
 215         g_free(signature.value);
 216         return signature_hex;
 217 }
 218
 219 gboolean sip_sec_verify_signature(SipSecContext context,
 220                                   const gchar *message,
 221                                   const gchar *signature_hex)
 222 {
 223         SipSecBuffer signature;
 224         gboolean res;
 225
 226         SIPE_DEBUG_INFO("sip_sec_verify_signature: message is:%s signature to verify is:%s",
 227                         message ? message : "", signature_hex ? signature_hex : "");
 228
 229         if (!message || !signature_hex)
 230                 return FALSE;
 231
 232         signature.length = hex_str_to_buff(signature_hex, &signature.value);
 233         res = (*context->verify_signature_func)(context, message, signature);
 234         g_free(signature.value);
 235         return res;
 236 }
 237
 238 /* Does authentication type require a password? */
 239 gboolean sip_sec_requires_password(guint authentication,
 240                                    gboolean sso)
 241 {
 242         /* Map authentication type to module initialization hook & name */
 243         static sip_sec_password_func const auth_to_hook[] = {
 244                 sip_sec_password__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 245                 sip_sec_password__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 246                 sip_sec_password__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 247                 sip_sec_password__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 248                 sip_sec_password__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 249         };
 250
 251         /* If Single-Sign On is disabled then a password is required */
 252         if (!sso)
 253                 return(TRUE);
 254
 255         /* Check if authentation method supports Single-Sign On */
 256         return((*(auth_to_hook[authentication]))());
 257 }
 258
 259 /* Initialize & Destroy */
 260 void sip_sec_init(void)
 261 {
 262 #ifndef HAVE_SSPI
 263         sip_sec_init__ntlm();
 264 #endif
 265 }
 266
 267 void sip_sec_destroy(void)
 268 {
 269 #ifndef HAVE_SSPI
 270         sip_sec_destroy__ntlm();
 271 #endif
 272 }
 273
 274 /*
 275   Local Variables:
 276   mode: c
 277   c-file-style: "bsd"
 278   indent-tabs-mode: t
 279   tab-width: 8
 280   End:
 281 */