HGKeeper

~~--- a/libpurple/protocols/ircv3/purpleircv3sasl.c Thu Feb 23 01:33:50 2023 -0600~~

+++ b/libpurple/protocols/ircv3/purpleircv3sasl.c Thu Feb 23 06:00:48 2023 -0600

@@ -18,7 +18,7 @@

#include <glib/gi18n-lib.h>

~~-#include <gsasl.h>~~

+#include <hasl.h>

#include "purpleircv3sasl.h"

@@ -28,22 +28,10 @@

#define PURPLE_IRCV3_SASL_DATA_KEY ("sasl-data")

~~-/* Workarounds for old versions of gsasl. By defining these values when they're~~

~~- * not yet defined, upgrades of gsasl should continue to work without needing~~

~~- * to recompile this code.~~

~~- */~~

~~-#ifndef GSASL_CB_TLS_EXPORTER~~

~~-# define GSASL_CB_TLS_EXPORTER (25)~~

~~-#endif~~

typedef struct {

PurpleConnection *connection;

~~- Gsasl *ctx;~~

~~- Gsasl_session *session;~~

~~- char *current_mechanism;~~

~~- GString *mechanisms;~~

+ HaslContext *ctx;

GString *server_in_buffer;

} PurpleIRCv3SASLData;

@@ -67,87 +55,11 @@

}

/******************************************************************************

~~- * SASL Callbacks~~

~~- *****************************************************************************/~~

~~-static int~~

~~-purple_ircv3_sasl_callback(G_GNUC_UNUSED Gsasl *ctx, Gsasl_session *session,~~

~~- Gsasl_property property)~~

~~- PurpleIRCv3SASLData *data = NULL;~~

~~- int res = GSASL_NO_CALLBACK;~~

~~- data = gsasl_session_hook_get(session);~~

~~- switch(property) {~~

~~- case GSASL_AUTHID:~~

~~- gsasl_property_set(session, GSASL_AUTHID,~~

~~- purple_ircv3_sasl_get_username(data->connection));~~

~~- res = GSASL_OK;~~

~~- break;~~

~~- case GSASL_AUTHZID:~~

~~- /* AUTHZID is only used implemented for the PLAIN mechanism. If we~~

~~- * return a value for SCRAM, it needs to match AUTHID, which we~~

~~- * always set which would be redundant.~~

- *

~~- * So instead, we just check if the mechanism is PLAIN and if so~~

~~- * set it to empty string because it's the user logging in on their~~

~~- * own behalf and IRCv3 doesn't really let an admin login as a~~

~~- * normal user.~~

- *

~~- * See https://www.gnu.org/software/gsasl/manual/gsasl.html#PLAIN~~

~~- * for further explanation.~~

~~- */~~

~~- if(purple_strequal(data->current_mechanism, "PLAIN")) {~~

~~- gsasl_property_set(session, GSASL_AUTHZID, "");~~

~~- res = GSASL_OK;~~

~~- }~~

~~- break;~~

~~- case GSASL_PASSWORD:~~

~~- gsasl_property_set(session, GSASL_PASSWORD,~~

~~- purple_connection_get_password(data->connection));~~

~~- res = GSASL_OK;~~

~~- break;~~

~~- case GSASL_SCRAM_SALTED_PASSWORD:~~

~~- /* Ignored, we let gsasl figure it out from the password above. */~~

~~- break;~~

~~- case GSASL_CB_TLS_UNIQUE:~~

~~- case GSASL_CB_TLS_EXPORTER:~~

~~- /* TODO: implement these in the near future when we're implementing~~

~~- * EXTERNAL support for PIDGIN-17741.~~

~~- */~~

~~- break;~~

~~- default:~~

~~- g_warning("Unknown property %d", property);~~

~~- break;~~

~~- }~~

~~- return res;~~

-/******************************************************************************

* SASL Helpers

*****************************************************************************/

static void

~~-purple_ircv3_sasl_connection_error(PurpleConnection *connection, int res,~~

~~- int err, const char *msg)~~

~~- GError *error = NULL;~~

~~- error = g_error_new(PURPLE_CONNECTION_ERROR, err, "%s: %s", msg,~~

~~- gsasl_strerror(res));~~

~~- purple_connection_take_error(connection, error);~~

~~-static void~~

purple_ircv3_sasl_data_free(PurpleIRCv3SASLData *data) {

~~- g_clear_object(&data->connection);~~

~~- g_clear_pointer(&data->session, gsasl_finish);~~

~~- g_clear_pointer(&data->ctx, gsasl_done);~~

~~- g_clear_pointer(&data->current_mechanism, g_free);~~

~~- g_string_free(data->mechanisms, TRUE);~~

~~- data->mechanisms = NULL;~~

+ g_clear_object(&data->ctx);

g_string_free(data->server_in_buffer, TRUE);

@@ -155,11 +67,8 @@

}

static void

~~-purple_ircv3_sasl_data_add(PurpleConnection *connection, Gsasl *ctx,~~

~~- const char *mechanisms)~~

+purple_ircv3_sasl_data_add(PurpleConnection *connection, HaslContext *ctx) {

PurpleIRCv3SASLData *data = NULL;

~~- GStrv parts = NULL;~~

data = g_new0(PurpleIRCv3SASLData, 1);

g_object_set_data_full(G_OBJECT(connection), PURPLE_IRCV3_SASL_DATA_KEY,

@@ -171,122 +80,41 @@

data->connection = connection;

data->ctx = ctx;

~~- gsasl_callback_set(data->ctx, purple_ircv3_sasl_callback);~~

/* We truncate the server_in_buffer when we need to so that we can minimize

* allocations and simplify the logic involved with it.

data->server_in_buffer = g_string_new("");

~~- /* Create a GString for the mechanisms with a leading and trailing ` `.~~

~~- * This is so we can easily remove attempted mechanism by removing~~

~~- * ` <attempted_mechanism> ` from the string which will make sure we're~~

~~- * always removing the proper mechanism. This is necessary because some~~

~~- * mechanisms have the same prefix, and others have the same suffix, which~~

~~- * could lead to incorrect removals.~~

- *

~~- * For example, if the list contains `EAP-AES128-PLUS EAP-AES128` and we~~

~~- * try `EAP-AES128` first, that means we would remove `EAP-AES128` from the~~

~~- * list which would first find `EAP-AES128-PLUS` and replace it with an~~

~~- * empty string, leaving the list as `-PLUS EAP-AES128` which is obviously~~

~~- * wrong. Instead the additional spaces mean our replace can be~~

~~- * ` EAP-AES128 `, which will get the proper value and update the~~

~~- * list to just contain ` EAP-AES128-PLUS `.~~

- *

~~- * For a list of mechanisms see~~

~~- * https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml~~

- *

~~- */~~

~~- data->mechanisms = g_string_new("");~~

~~- parts = g_strsplit(mechanisms, ",", -1);~~

~~- for(int i = 0; parts[i] != NULL; i++) {~~

~~- g_string_append_printf(data->mechanisms, " %s ", parts[i]);~~

~~- }~~

~~- g_strfreev(parts);~~

~~-static void~~

~~-purple_ircv3_sasl_attempt_mechanism(PurpleIRCv3Connection *connection,~~

~~- PurpleIRCv3SASLData *data,~~

~~- const char *next_mechanism)~~

~~- int res = GSASL_OK;~~

~~- g_free(data->current_mechanism);~~

~~- data->current_mechanism = g_strdup(next_mechanism);~~

~~- res = gsasl_client_start(data->ctx, next_mechanism, &data->session);~~

~~- if(res != GSASL_OK) {~~

~~- purple_ircv3_sasl_connection_error(PURPLE_CONNECTION(connection),~~

~~- res,~~

~~- PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,~~

~~- _("Failed to setup SASL client"));~~

~~- return;~~

~~- }~~

~~- gsasl_session_hook_set(data->session, data);~~

~~- purple_ircv3_connection_writef(connection, "AUTHENTICATE %s",~~

~~- next_mechanism);~~

}

static void

purple_ircv3_sasl_attempt(PurpleIRCv3Connection *connection) {

PurpleIRCv3SASLData *data = NULL;

~~- PurpleAccount *account = NULL;~~

const char *next_mechanism = NULL;

~~- gboolean allow_plain = TRUE;~~

~~- gboolean good_mechanism = FALSE;~~

+ const char *current = NULL;

data = g_object_get_data(G_OBJECT(connection), PURPLE_IRCV3_SASL_DATA_KEY);

~~- /* If this is not our first attempt, remove the previous mechanism from the~~

~~- * list of mechanisms to try.~~

~~- */~~

~~- if(data->current_mechanism != NULL) {~~

~~- char *to_remove = g_strdup_printf(" %s ", data->current_mechanism);~~

~~- g_message("SASL '%s' mechanism failed", data->current_mechanism);~~

~~- g_string_replace(data->mechanisms, to_remove, "", 0);~~

~~- g_free(to_remove);~~

~~- }~~

~~- account = purple_connection_get_account(PURPLE_CONNECTION(connection));~~

~~- if(!purple_account_get_bool(account, "use-tls", TRUE)) {~~

~~- if(!purple_account_get_bool(account, "plain-sasl-in-clear", FALSE)) {~~

~~- allow_plain = FALSE;~~

~~- }~~

+ current = hasl_context_get_current_mechanism(data->ctx);

+ if(current != NULL) {

+ g_message("SASL '%s' mechanism failed", current);

}

~~- while(!good_mechanism) {~~

~~- good_mechanism = TRUE;~~

~~- next_mechanism = gsasl_client_suggest_mechanism(data->ctx,~~

~~- data->mechanisms->str);~~

~~- if(next_mechanism == NULL) {~~

~~- GError *error = g_error_new(PURPLE_CONNECTION_ERROR,~~

~~- PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,~~

~~- _("No valid SASL mechanisms found"));~~

+ next_mechanism = hasl_context_next(data->ctx);

+ if(next_mechanism == NULL) {

+ GError *error = g_error_new(PURPLE_CONNECTION_ERROR,

+ PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,

+ _("No valid SASL mechanisms found"));

~~- purple_connection_take_error(PURPLE_CONNECTION(connection), error);~~

~~- return;~~

~~- }~~

+ purple_connection_take_error(PURPLE_CONNECTION(connection), error);

~~- if(purple_strequal(next_mechanism, "PLAIN") && !allow_plain) {~~

~~- g_message("skipping SASL 'PLAIN' as it's not allowed without tls");~~

~~- good_mechanism = FALSE;~~

~~- g_string_replace(data->mechanisms, " PLAIN ", "", 0);~~

~~- }~~

+ return;

}

g_message("trying SASL '%s' mechanism", next_mechanism);

~~- purple_ircv3_sasl_attempt_mechanism(connection, data, next_mechanism);~~

+ purple_ircv3_connection_writef(connection, "AUTHENTICATE %s",

+ next_mechanism);

}

static void

@@ -294,28 +122,22 @@

PurpleIRCv3Connection *connection = NULL;

PurpleAccount *account = NULL;

PurpleConnection *purple_connection = NULL;

~~- Gsasl *ctx = NULL;~~

+ HaslContext *ctx = NULL;

const char *mechanisms = NULL;

~~- gint res;~~

+ gboolean toggle = FALSE;

connection = purple_ircv3_capabilities_get_connection(caps);

purple_connection = PURPLE_CONNECTION(connection);

account = purple_connection_get_account(purple_connection);

~~- res = gsasl_init(&ctx);~~

~~- if(res != GSASL_OK) {~~

~~- purple_ircv3_sasl_connection_error(purple_connection, res,~~

~~- PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,~~

~~- _("Failed to initialize SASL"));~~

+ ctx = hasl_context_new();

~~- return;~~

~~- }~~

~~- /* At this point we are ready to start our sasl negotiation, so add a wait~~

+ /* At this point we are ready to start our SASL negotiation, so add a wait

* counter to the capabilities and start the negotiations!

purple_ircv3_capabilities_add_wait(caps);

+ /* Determine what mechanisms we're allowing and tell the context. */

mechanisms = purple_account_get_string(account, "sasl-mechanisms", "");

if(purple_strempty(mechanisms)) {

/* If the user didn't specify any mechanisms, grab the mechanisms that

@@ -323,9 +145,20 @@

mechanisms = purple_ircv3_capabilities_lookup(caps, "sasl", NULL);

}

+ hasl_context_set_allowed_mechanisms(ctx, mechanisms);

+ /* Add the values we know to the context. */

+ hasl_context_set_username(ctx, purple_ircv3_sasl_get_username(purple_connection));

+ hasl_context_set_password(ctx, purple_connection_get_password(purple_connection));

+ toggle = purple_account_get_bool(account, "use-tls", TRUE);

+ hasl_context_set_tls(ctx, toggle);

+ toggle = purple_account_get_bool(account, "plain-sasl-in-clear", FALSE);

+ hasl_context_set_allow_clear_text(ctx, toggle);

/* Create our SASLData object, add it to the connection. */

~~- purple_ircv3_sasl_data_add(purple_connection, ctx, mechanisms);~~

+ purple_ircv3_sasl_data_add(purple_connection, ctx);

/* Make it go! */

purple_ircv3_sasl_attempt(connection);

@@ -477,7 +310,7 @@

purple_ircv3_capabilities_remove_wait(capabilities);

g_message("successfully authenticated with SASL '%s' mechanism.",

~~- data->current_mechanism);~~

+ hasl_context_get_current_mechanism(data->ctx));

return TRUE;

}

@@ -679,49 +512,49 @@

}

if(done) {

~~- char *server_in = NULL;~~

~~- char *client_out = NULL;~~

+ HaslMechanismResult res = 0;

+ GError *local_error = NULL;

+ guint8 *server_in = NULL;

+ guint8 *client_out = NULL;

gsize server_in_length = 0;

size_t client_out_length = 0;

~~- int res = 0;~~

/* If we have a buffer, base64 decode it, and then truncate it. */

if(data->server_in_buffer->len > 0) {

~~- server_in = (char *)g_base64_decode(data->server_in_buffer->str,~~

~~- &server_in_length);~~

+ server_in = g_base64_decode(data->server_in_buffer->str,

+ &server_in_length);

g_string_truncate(data->server_in_buffer, 0);

}

/* Try to move to the next step of the sasl client. */

~~- res = gsasl_step(data->session, server_in, server_in_length,~~

~~- &client_out, &client_out_length);~~

+ res = hasl_context_step(data->ctx, server_in, server_in_length,

+ &client_out, &client_out_length, &local_error);

/* We should be done with server_in, so free it.*/

g_clear_pointer(&server_in, g_free);

~~- /* If we didn't get ok or needs more, it's an error.~~

- *

~~- * We allow needs more as SCRAM will is client first and returns~~

~~- * GSASL_NEEDS_MORE on the first step. We could tie this now a bit~~

~~- * more, but this seems to be fine for now. -- GK 2023-01-28~~

~~- */~~

~~- if(res != GSASL_OK && res != GSASL_NEEDS_MORE) {~~

~~- g_set_error(error, PURPLE_CONNECTION_ERROR,~~

~~- PURPLE_CONNECTION_ERROR_AUTHENTICATION_IMPOSSIBLE,~~

~~- _("SASL authentication failed: %s"),~~

~~- gsasl_strerror(res));~~

+ if(res == HASL_MECHANISM_RESULT_ERROR) {

+ g_propagate_error(error, local_error);

return FALSE;

}

+ if(local_error != NULL) {

+ g_warning("hasl_context_step returned an error without an error "

+ "status: %s", local_error->message);

+ g_clear_error(&local_error);

+ }

/* If we got an output for the client, write it out. */

if(client_out_length > 0) {

~~- char *encoded = g_base64_encode((guchar *)client_out,~~

~~- client_out_length);~~

+ char *encoded = NULL;

+ encoded = g_base64_encode(client_out, client_out_length);

+ g_clear_pointer(&client_out, g_free);

purple_ircv3_connection_writef(connection, "AUTHENTICATE %s",

encoded);

g_free(encoded);

} else {

purple_ircv3_connection_writef(connection, "AUTHENTICATE +");

pidgin/pidgin