src/core/sip-sec.c

   1 /**
   2  * @file sip-sec.c
   3  *
   4  * pidgin-sipe
   5  *
   6  * Copyright (C) 2010-2013 SIPE Project <http://sipe.sourceforge.net/>
   7  * Copyright (C) 2009 pier11 <pier11@operamail.com>
   8  *
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License as published by
  12  * the Free Software Foundation; either version 2 of the License, or
  13  * (at your option) any later version.
  14  *
  15  * This program is distributed in the hope that it will be useful,
  16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  * GNU General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU General Public License
  21  * along with this program; if not, write to the Free Software
  22  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 #ifdef HAVE_CONFIG_H
  26 #include "config.h"
  27 #endif
  28
  29 #include <stdlib.h>
  30 #include <string.h>
  31 #include <stdio.h>
  32 #include <time.h>
  33
  34 #include <glib.h>
  35
  36 #include "sipe-common.h"
  37 #include "sip-sec.h"
  38 #include "sipe-backend.h"
  39 #include "sipe-core.h"
  40 #include "sipe-utils.h"
  41
  42 #include "sip-sec-mech.h"
  43
  44 /* SSPI is only supported on Windows platform */
  45 #if defined(_WIN32) && defined(HAVE_SSPI)
  46 #include "sip-sec-sspi.h"
  47 #define SIP_SEC_WINDOWS_SSPI 1
  48 #else
  49 #define SIP_SEC_WINDOWS_SSPI 0
  50 #endif
  51
  52 #ifdef HAVE_GSSAPI_GSSAPI_H
  53 #include "sip-sec-gssapi.h"
  54 #endif
  55
  56 /* SIPE_AUTHENTICATION_TYPE_BASIC */
  57 #include "sip-sec-basic.h"
  58 #define sip_sec_create_context__Basic      sip_sec_create_context__basic
  59 /* Basic is only used for HTTP, not for SIP */
  60 #define sip_sec_password__Basic            sip_sec_password__NONE
  61
  62 /* SIPE_AUTHENTICATION_TYPE_NTLM */
  63 #if SIP_SEC_WINDOWS_SSPI
  64 #define sip_sec_create_context__NTLM       sip_sec_create_context__sspi
  65 #define sip_sec_password__NTLM             sip_sec_password__sspi
  66 #elif defined(HAVE_GSSAPI_ONLY)
  67 #define sip_sec_create_context__NTLM       sip_sec_create_context__gssapi
  68 #define sip_sec_password__NTLM             sip_sec_password__gssapi
  69 #else
  70 #include "sip-sec-ntlm.h"
  71 #define sip_sec_create_context__NTLM       sip_sec_create_context__ntlm
  72 #define sip_sec_password__NTLM             sip_sec_password__ntlm
  73 #endif
  74
  75 /* SIPE_AUTHENTICATION_TYPE_KERBEROS */
  76 #if SIP_SEC_WINDOWS_SSPI
  77 #define sip_sec_create_context__Kerberos   sip_sec_create_context__sspi
  78 #define sip_sec_password__Kerberos         sip_sec_password__sspi
  79 #elif defined(HAVE_GSSAPI_GSSAPI_H)
  80 #define sip_sec_create_context__Kerberos   sip_sec_create_context__gssapi
  81 #define sip_sec_password__Kerberos         sip_sec_password__gssapi
  82 #else
  83 #define sip_sec_create_context__Kerberos   sip_sec_create_context__NONE
  84 #define sip_sec_password__Kerberos         sip_sec_password__NONE
  85 #endif
  86
  87 /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
  88 #if SIP_SEC_WINDOWS_SSPI
  89 #define sip_sec_create_context__Negotiate  sip_sec_create_context__sspi
  90 #elif defined(HAVE_GSSAPI_ONLY)
  91 #define sip_sec_create_context__Negotiate  sip_sec_create_context__gssapi
  92 #elif defined(HAVE_GSSAPI_GSSAPI_H)
  93 #include "sip-sec-negotiate.h"
  94 #define sip_sec_create_context__Negotiate  sip_sec_create_context__negotiate
  95 #else
  96 #define sip_sec_create_context__Negotiate  sip_sec_create_context__NONE
  97 #endif
  98 /* Negotiate is only used for HTTP, not for SIP */
  99 #define sip_sec_password__Negotiate        sip_sec_password__NONE
 100
 101 /* SIPE_AUTHENTICATION_TYPE_TLS_DSK */
 102 #include "sip-sec-tls-dsk.h"
 103 #define sip_sec_create_context__TLS_DSK    sip_sec_create_context__tls_dsk
 104 #define sip_sec_password__TLS_DSK          sip_sec_password__tls_dsk
 105
 106 /* Dummy initialization hook */
 107 static SipSecContext
 108 sip_sec_create_context__NONE(SIPE_UNUSED_PARAMETER guint type)
 109 {
 110         return(NULL);
 111 }
 112
 113 /* Dummy SIP password hook */
 114 static gboolean sip_sec_password__NONE(void)
 115 {
 116         return(TRUE);
 117 }
 118
 119 /* sip_sec API methods */
 120 SipSecContext
 121 sip_sec_create_context(guint type,
 122                        gboolean sso,
 123                        gboolean http,
 124                        const gchar *domain,
 125                        const gchar *username,
 126                        const gchar *password)
 127 {
 128         SipSecContext context = NULL;
 129
 130         /* Map authentication type to module initialization hook & name */
 131         static sip_sec_create_context_func const auth_to_hook[] = {
 132                 sip_sec_create_context__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 133                 sip_sec_create_context__Basic,     /* SIPE_AUTHENTICATION_TYPE_BASIC     */
 134                 sip_sec_create_context__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 135                 sip_sec_create_context__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 136                 sip_sec_create_context__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 137                 sip_sec_create_context__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 138         };
 139
 140         SIPE_DEBUG_INFO("sip_sec_create_context: type: %d, Single Sign-On: %s, protocol: %s",
 141                         type, sso ? "yes" : "no", http ? "HTTP" : "SIP");
 142
 143         context = (*(auth_to_hook[type]))(type);
 144         if (context) {
 145
 146                 context->type = type;
 147
 148                 /* NOTE: mechanism must set private flags acquire_cred_func()! */
 149                 context->flags = 0;
 150
 151                 /* set common flags */
 152                 if (sso)
 153                         context->flags |= SIP_SEC_FLAG_COMMON_SSO;
 154                 if (http)
 155                         context->flags |= SIP_SEC_FLAG_COMMON_HTTP;
 156
 157                 if (!(*context->acquire_cred_func)(context, domain, username, password)) {
 158                         SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_create_context: failed to acquire credentials.");
 159                         (*context->destroy_context_func)(context);
 160                         context = NULL;
 161                 }
 162         }
 163
 164         return(context);
 165 }
 166
 167 gboolean
 168 sip_sec_init_context_step(SipSecContext context,
 169                           const gchar *target,
 170                           const gchar *input_toked_base64,
 171                           gchar **output_toked_base64,
 172                           guint *expires)
 173 {
 174         gboolean ret = FALSE;
 175
 176         if (context) {
 177                 SipSecBuffer in_buff  = {0, NULL};
 178                 SipSecBuffer out_buff = {0, NULL};
 179
 180                 /* Not NULL for NTLM Type 2 or TLS-DSK */
 181                 if (input_toked_base64)
 182                         in_buff.value = g_base64_decode(input_toked_base64, &in_buff.length);
 183
 184                 ret = (*context->init_context_func)(context, in_buff, &out_buff, target);
 185
 186                 if (input_toked_base64)
 187                         g_free(in_buff.value);
 188
 189                 if (ret) {
 190
 191                         if (out_buff.value) {
 192                                 if (out_buff.length > 0) {
 193                                         *output_toked_base64 = g_base64_encode(out_buff.value, out_buff.length);
 194                                 } else {
 195                                         /* special string: caller takes ownership */
 196                                         *output_toked_base64 = (gchar *) out_buff.value;
 197                                         out_buff.value = NULL;
 198                                 }
 199                         }
 200
 201                         g_free(out_buff.value);
 202                 }
 203
 204                 if (expires) {
 205                         *expires = context->expires;
 206                 }
 207         }
 208
 209         return ret;
 210 }
 211
 212 gboolean sip_sec_context_is_ready(SipSecContext context)
 213 {
 214         return(context && (context->flags & SIP_SEC_FLAG_COMMON_READY));
 215 }
 216
 217 const gchar *sip_sec_context_name(SipSecContext context)
 218 {
 219         if (context)
 220                 return((*context->context_name_func)(context));
 221         else
 222                 return(NULL);
 223 }
 224
 225 guint sip_sec_context_type(SipSecContext context)
 226 {
 227         if (context)
 228                 return(context->type);
 229         else
 230                 return(SIPE_AUTHENTICATION_TYPE_UNSET);
 231 }
 232
 233 void sip_sec_destroy_context(SipSecContext context)
 234 {
 235         if (context) (*context->destroy_context_func)(context);
 236 }
 237
 238 gchar *sip_sec_make_signature(SipSecContext context, const gchar *message)
 239 {
 240         SipSecBuffer signature;
 241         gchar *signature_hex;
 242
 243         if (!(*context->make_signature_func)(context, message, &signature)) {
 244                 SIPE_DEBUG_INFO_NOFORMAT("ERROR: sip_sec_make_signature failed. Unable to sign message!");
 245                 return NULL;
 246         }
 247         signature_hex = buff_to_hex_str(signature.value, signature.length);
 248         g_free(signature.value);
 249         return signature_hex;
 250 }
 251
 252 gboolean sip_sec_verify_signature(SipSecContext context,
 253                                   const gchar *message,
 254                                   const gchar *signature_hex)
 255 {
 256         SipSecBuffer signature;
 257         gboolean res;
 258
 259         SIPE_DEBUG_INFO("sip_sec_verify_signature: message is:%s signature to verify is:%s",
 260                         message ? message : "", signature_hex ? signature_hex : "");
 261
 262         if (!message || !signature_hex)
 263                 return FALSE;
 264
 265         signature.length = hex_str_to_buff(signature_hex, &signature.value);
 266         res = (*context->verify_signature_func)(context, message, signature);
 267         g_free(signature.value);
 268         return res;
 269 }
 270
 271 /* Does authentication type require a password? */
 272 gboolean sip_sec_requires_password(guint authentication,
 273                                    gboolean sso)
 274 {
 275         /* Map authentication type to module initialization hook & name */
 276         static sip_sec_password_func const auth_to_hook[] = {
 277                 sip_sec_password__NONE,      /* SIPE_AUTHENTICATION_TYPE_UNSET     */
 278                 sip_sec_password__Basic,     /* SIPE_AUTHENTICATION_TYPE_BASIC     */
 279                 sip_sec_password__NTLM,      /* SIPE_AUTHENTICATION_TYPE_NTLM      */
 280                 sip_sec_password__Kerberos,  /* SIPE_AUTHENTICATION_TYPE_KERBEROS  */
 281                 sip_sec_password__Negotiate, /* SIPE_AUTHENTICATION_TYPE_NEGOTIATE */
 282                 sip_sec_password__TLS_DSK,   /* SIPE_AUTHENTICATION_TYPE_TLS_DSK   */
 283         };
 284
 285         /* If Single-Sign On is disabled then a password is required */
 286         if (!sso)
 287                 return(TRUE);
 288
 289         /* Check if authentation method supports Single-Sign On */
 290         return((*(auth_to_hook[authentication]))());
 291 }
 292
 293 /* Initialize & Destroy */
 294 void sip_sec_init(void)
 295 {
 296 #if !defined(HAVE_GSSAPI_ONLY) && !defined(HAVE_SSPI)
 297         sip_sec_init__ntlm();
 298 #endif
 299 }
 300
 301 void sip_sec_destroy(void)
 302 {
 303 #if !defined(HAVE_GSSAPI_ONLY) && !defined(HAVE_SSPI)
 304         sip_sec_destroy__ntlm();
 305 #endif
 306 }
 307
 308 /*
 309   Local Variables:
 310   mode: c
 311   c-file-style: "bsd"
 312   indent-tabs-mode: t
 313   tab-width: 8
 314   End:
 315 */