From 9335d5033c2a35c57356d15c802a22aa57467b99 Mon Sep 17 00:00:00 2001
From: Stefan Becker
Date: Wed, 2 Nov 2011 23:52:43 +0200
Subject: [PATCH] tls-dsk: use password to pass in user certificate

The TLS-DSK authentication scheme doesn't need the user name or password. It needs a valid user certificate instead.

"Misuse" the password parameter in the sip-sec context initialization to pass in the pointer to the certificate.
---
 src/core/sip-sec-tls-dsk.c | 24 ++++++++++--------------
 src/core/sip-transport.c | 36 +++++++++++++++++++-----------------
 2 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/src/core/sip-sec-tls-dsk.c b/src/core/sip-sec-tls-dsk.c
index f8d6d781..7fe21b18 100644
--- a/src/core/sip-sec-tls-dsk.c
+++ b/src/core/sip-sec-tls-dsk.c
@@ -42,34 +42,32 @@
 /* Security context for TLS-DSK */
 typedef struct _context_tls_dsk {
 struct sip_sec_context common;
- gchar *username;
- gchar *password;
+ gpointer certificate;
 } *context_tls_dsk;
 static sip_uint32
 sip_sec_acquire_cred__tls_dsk(SipSecContext context,
 SIPE_UNUSED_PARAMETER const char *domain,
- const char *username,
+ SIPE_UNUSED_PARAMETER const char *username,
 const char *password)
 {
 context_tls_dsk ctx = (context_tls_dsk)context;
- /* TLS-DSK requires a username & password. Domain is ignored */
- if (!is_empty(username) || is_empty(password))
+ /* TLS-DSK requires a certificate. Everything else is ignored */
+ if (!password)
 return SIP_SEC_E_INTERNAL_ERROR;
- ctx->username = g_strdup(username);
- ctx->password = g_strdup(password);
+ ctx->certificate = (gpointer) password;
 return SIP_SEC_E_OK;
 }
 static sip_uint32
 sip_sec_init_sec_context__tls_dsk(SipSecContext context,
- SipSecBuffer in_buff,
- SipSecBuffer *out_buff,
- SIPE_UNUSED_PARAMETER const char *service_name)
+ SipSecBuffer in_buff,
+ SipSecBuffer *out_buff,
+ SIPE_UNUSED_PARAMETER const char *service_name)
 {
 context_tls_dsk ctx = (context_tls_dsk) context;
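Review bot: `ctx->certificate = (gpointer) password;` stores a borrowed pointer whose owner and lifetime are stated nowhere, and the destroy hunk at `@@ -116,8 +114,6 @@` now frees only the context itself, so the certificate must be kept alive and freed by the caller for the whole life of the context or it leaks. Since the `password` parameter is being repurposed as a certificate handle, spell that contract out at the field and at the assignment, e.g. `gpointer certificate; /* borrowed: arrives through the "password" argument, owned and freed by the caller, must outlive this context */`. The cast also discards the `const` of the parameter; nothing in this hunk writes through `ctx->certificate`, but anything that later does would be mutating an object the interface promised not to touch. A real password string reaching this function through the generic `sip_sec_init_context()` path would now be accepted as a certificate pointer without complaint, which is another reason the overload belongs in the code comment and not only in the commit message.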
@@ -83,8 +81,8 @@ sip_sec_init_sec_context__tls_dsk(SipSecContext context,
 static sip_uint32
 sip_sec_make_signature__tls_dsk(SipSecContext context,
- const char *message,
- SipSecBuffer *signature)
+ const char *message,
+ SipSecBuffer *signature)
 {
 context_tls_dsk ctx = (context_tls_dsk) context;
@@ -116,8 +114,6 @@ sip_sec_destroy_sec_context__tls_dsk(SipSecContext context)
 {
 context_tls_dsk ctx = (context_tls_dsk) context;
- g_free(ctx->username);
- g_free(ctx->password);
 g_free(ctx);
 }
diff --git a/src/core/sip-transport.c b/src/core/sip-transport.c
index 1398a535..3c55481b 100644
--- a/src/core/sip-transport.c
+++ b/src/core/sip-transport.c
@@ -199,6 +199,7 @@ static gchar *initialize_auth_context(struct sipe_core_private *sipe_private,
 {
 struct sipe_account_data *sip = SIPE_ACCOUNT_DATA_PRIVATE;
 const gchar *authuser = sip->authuser;
+ gpointer password = sip->password;
 gchar *ret;
 gchar *gssapi_data;
 gchar *sign_str;
@@ -209,13 +210,30 @@ static gchar *initialize_auth_context(struct sipe_core_private *sipe_private,
 authuser = sipe_private->username;
 }
+ /* For TLS-DSK the "password" is a certificate */
+ if (auth->type == AUTH_TYPE_TLS_DSK) {
+ password = NULL; /* TBD: fetch certificate... */
+
+ if (!password) {
+ if (auth->sts_uri) {
+ SIPE_DEBUG_INFO("tls-dsk: Certificate Provisioning URI %s", auth->sts_uri);
+ // TBD: valid_certificate = ...
+ } else {
+ sipe_backend_connection_error(SIPE_CORE_PUBLIC,
+ SIPE_CONNECTION_ERROR_AUTHENTICATION_FAILED,
+ _("No URI for certificate provisioning service provided"));
+ return(NULL);
+ }
+ }
+ }
+
 gssapi_data = sip_sec_init_context(&(auth->gssapi_context),
 &(auth->expires),
 auth->type,
 SIPE_CORE_PUBLIC_FLAG_IS(SSO),
 sip->authdomain ? sip->authdomain : "",
 authuser,
- sip->password,
+ password,
 auth->target,
 auth->gssapi_data);
 if (!gssapi_data || !auth->gssapi_context) {
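Review bot: In the `auth->sts_uri` branch of the new TLS-DSK block in `initialize_auth_context()` (hunk `@@ -209,13 +210,30 @@`), the code only logs the provisioning URI and then carries on with `password` still `NULL`, so `sip_sec_init_context()` is called without a certificate and the failure surfaces as an internal error inside the security context instead of at the point where the missing certificate is actually known. Until the TBD fetch exists, that branch should fail the same way the missing-URI branch does: after the `SIPE_DEBUG_INFO` call, report a connection error that names the missing certificate (a new message, not the existing "No URI" one) and `return(NULL);`. With `password = NULL; /* TBD: fetch certificate... */` hard-coded, TLS-DSK can never succeed in this commit, which is worth saying in the comment so nobody reads the sts_uri branch as a working provisioning path. Whether the `if (!gssapi_data || !auth->gssapi_context)` check below already turns this into a user-visible error cannot be confirmed from here, since the function's body continues past the hunk.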
@@ -287,22 +305,6 @@ static gchar *auth_header(struct sipe_core_private *sipe_private,
 * needs to be initialized. So the check should be a no-op... */
 } else if (!auth->gssapi_context) {
-
- if (auth->type == AUTH_TYPE_TLS_DSK) {
- gboolean valid_certificate = FALSE;
-
- if (!valid_certificate) {
- if (auth->sts_uri) {
- SIPE_DEBUG_INFO("tls-dsk: Certificate Provisioning URI %s", auth->sts_uri);
- // TBD: valid_certificate = ...
- } else {
- sipe_backend_connection_error(SIPE_CORE_PUBLIC,
- SIPE_CONNECTION_ERROR_AUTHENTICATION_FAILED,
- _("No URI for certificate provisioning service provided"));
- }
- }
- }
-
 ret = initialize_auth_context(sipe_private, auth, msg);
 }
--
2.11.4.GIT