diff options
author | phsultan <phsultan@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-01-04 17:19:25 +0000 |
---|---|---|
committer | phsultan <phsultan@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-01-04 17:19:25 +0000 |
commit | 9fcde0b77c6682cae6a9c131422c27403ce07d48 (patch) | |
tree | dc21bafca166a5b1105b7961b645adc3461b8a23 /res/res_jabber.c | |
parent | 993aecf1608495ea95b537bbd8f7042e36455da0 (diff) |
Use SASL DIGEST-MD5 authentication over unsecured network connections only.
This authentication mechanism is implemented under the iksemel API, which
makes use of GnuTLS, whereas we use OpenSSL. Note : there's ongoing
dicsussion at the SASL IETF WG in order to deprecate SASL DIGEST-MD5, see
http://ietfreport.isoc.org/ids-wg-sasl.html.
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@96499 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'res/res_jabber.c')
-rw-r--r-- | res/res_jabber.c | 42 |
1 files changed, 16 insertions, 26 deletions
diff --git a/res/res_jabber.c b/res/res_jabber.c index 32458ea9d..877d7eb0f 100644 --- a/res/res_jabber.c +++ b/res/res_jabber.c @@ -65,7 +65,6 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #endif /*-- Forward declarations */ -static int aji_highest_bit(int number); static void aji_buddy_destroy(struct aji_buddy *obj); static void aji_client_destroy(struct aji_client *obj); static int aji_send_exec(struct ast_channel *chan, void *data); @@ -298,23 +297,6 @@ static int gtalk_yuck(iks *node) } /*! - * \brief Detects the highest bit in a number. - * \param number Number you want to have evaluated. - * \return the highest power of 2 that can go into the number. - */ -static int aji_highest_bit(int number) -{ - int x = sizeof(number) * 8 - 1; - if (!number) - return 0; - for (; x > 0; x--) { - if (number & (1 << x)) - break; - } - return (1 << x); -} - -/*! * \brief Setup the authentication struct * \param id iksid * \param pass password @@ -783,10 +765,6 @@ static void aji_log_hook(void *data, const char *xmpp, size_t size, int is_incom * \param username * \param pass password. * - * If SASL authentication type is MD5, we simply call iks_start_sasl(). - * If type is PLAIN, we compute the authentication string by ourselves, - * because it looks like Google's jabber server does not accept the value - * computed with iks_start_sasl(). * \return IKS_OK on success, IKSNET_NOTSUPP on failure. */ static int aji_start_sasl(struct aji_client *client, enum ikssasltype type, char *username, char *pass) @@ -796,8 +774,15 @@ static int aji_start_sasl(struct aji_client *client, enum ikssasltype type, char char *s; char *base64; - if (type == IKS_STREAM_SASL_MD5) - return iks_start_sasl(client->p, IKS_SASL_DIGEST_MD5, username, pass); + /* trigger SASL DIGEST-MD5 only over an unsecured connection. + iks_start_sasl is an iksemel API function and relies on GnuTLS, + whereas we use OpenSSL */ + if ((type & IKS_STREAM_SASL_MD5) && !aji_is_secure(client)) + return iks_start_sasl(client->p, IKS_SASL_DIGEST_MD5, username, pass); + if (!(type & IKS_STREAM_SASL_PLAIN)) { + ast_log(LOG_ERROR, "Server does not support SASL PLAIN authentication\n"); + return IKS_NET_NOTSUPP; + } x = iks_new("auth"); if (!x) { @@ -811,7 +796,12 @@ static int aji_start_sasl(struct aji_client *client, enum ikssasltype type, char base64 = alloca((len + 2) * 4 / 3); iks_insert_attrib(x, "mechanism", "PLAIN"); snprintf(s, len, "%c%s%c%s", 0, username, 0, pass); - ast_base64encode(base64, (const unsigned char *) s, len, (len + 2) * 4 / 3); + + /* exclude the NULL training byte from the base64 encoding operation + as some XMPP servers will refuse it. + The format for authentication is [authzid]\0authcid\0password + not [authzid]\0authcid\0password\0 */ + ast_base64encode(base64, (const unsigned char *) s, len - 1, (len + 2) * 4 / 3); iks_insert_cdata(x, base64, 0); ast_aji_send(client, x); iks_delete(x); @@ -916,7 +906,7 @@ static int aji_act_hook(void *data, int type, iks *node) ast_log(LOG_ERROR, "Malformed Jabber ID : %s (domain missing?)\n", client->jid->full); break; } - features = aji_highest_bit(features); + ret = aji_start_sasl(client, features, client->jid->user, client->password); if (ret != IKS_OK) { ASTOBJ_UNREF(client, aji_client_destroy); |