Hi!

The attached patch adds support for the Kerberos (GSSAPI) SASL
authentication mechanism in gajim. It's been tested against jabberd2 but
should work fine with other servers as well.

Is ./src/common/xmpp/auth.py still used and should I patch that as well?
Only ./src/common/xmpp/auth_nb.py seems to be executed at the moment.

Cheers,

Jelmer
-- 
Jelmer Vernooij <[EMAIL PROTECTED]> - http://samba.org/~jelmer/
Jabber: [EMAIL PROTECTED]
=== modified file 'src/common/xmpp/auth_nb.py'
--- src/common/xmpp/auth_nb.py	2008-07-29 18:49:31 +0000
+++ src/common/xmpp/auth_nb.py	2008-09-22 11:58:02 +0000
@@ -23,6 +23,15 @@
 from client import PlugIn
 import sha,base64,random,dispatcher_nb
 
+try:
+	import kerberos
+	have_kerberos = True
+except ImportError:
+	have_kerberos = False
+
+GSS_STATE_STEP = 0
+GSS_STATE_WRAP = 1
+
 def challenge_splitter(data):
 	''' Helper function that creates a dict from challenge string.
 	Sample chalenge string:
@@ -132,16 +141,26 @@
 		self._owner.RegisterHandler('challenge', self.SASLHandler, xmlns=NS_SASL)
 		self._owner.RegisterHandler('failure', self.SASLHandler, xmlns=NS_SASL)
 		self._owner.RegisterHandler('success', self.SASLHandler, xmlns=NS_SASL)
-		if "DIGEST-MD5" in mecs:
+		if "GSSAPI" in mecs and have_kerberos:
+			rc, self.gss_vc = kerberos.authGSSClientInit('xmpp@' + 
+														self._owner.Server)
+			response = kerberos.authGSSClientResponse(self.gss_vc)
+			node=Node('auth',attrs={'xmlns': NS_SASL, 'mechanism': 'GSSAPI'},
+                   payload=(response or ""))
+			self.mechanism = "GSSAPI"
+			self.gss_step = GSS_STATE_STEP
+		elif "DIGEST-MD5" in mecs:
 			node=Node('auth',attrs={'xmlns': NS_SASL, 'mechanism': 'DIGEST-MD5'})
+			self.mechanism = "DIGEST-MD5"
 		elif "PLAIN" in mecs:
 			sasl_data='%s\x00%s\x00%s' % (self.username+'@' + self._owner.Server, 
 																	self.username, self.password)
 			node=Node('auth', attrs={'xmlns':NS_SASL,'mechanism':'PLAIN'}, 
 								payload=[base64.encodestring(sasl_data).replace('\n','')])
+			self.mechanism = "PLAIN"
 		else:
 			self.startsasl='failure'
-			self.DEBUG('I can only use DIGEST-MD5 and PLAIN mecanisms.', 'error')
+			self.DEBUG('I can only use DIGEST-MD5, GSSAPI and PLAIN mecanisms.', 'error')
 			return
 		self.startsasl='in-process'
 		self._owner.send(node.__str__())
@@ -176,6 +195,22 @@
 		incoming_data = challenge.getData()
 		data=base64.decodestring(incoming_data)
 		self.DEBUG('Got challenge:'+data,'ok')
+		if self.mechanism == "GSSAPI":
+			if self.gss_step == GSS_STATE_STEP:
+				rc = kerberos.authGSSClientStep(self.gss_vc, incoming_data)
+				if rc != kerberos.AUTH_GSS_CONTINUE:
+					self.gss_step = GSS_STATE_WRAP
+			elif self.gss_step == GSS_STATE_WRAP:
+				rc = kerberos.authGSSClientUnwrap(self.gss_vc, incoming_data)
+				response = kerberos.authGSSClientResponse(self.gss_vc)
+				rc = kerberos.authGSSClientWrap(self.gss_vc, response,
+												self.username)
+			response = kerberos.authGSSClientResponse(self.gss_vc)
+			if not response:
+				response = ''
+			self._owner.send(Node('response', attrs={'xmlns':NS_SASL},
+						payload=response).__str__())
+			raise NodeProcessed
 		chal = challenge_splitter(data)
 		if not self.realm and chal.has_key('realm'):
 			self.realm = chal['realm']
@@ -428,4 +463,4 @@
 		if self.on_bind:
 			self.on_bind(None)
 
-# vim: se ts=3:
\ No newline at end of file
+# vim: se ts=3:

_______________________________________________
Gajim-devel mailing list
Gajim-devel@gajim.org
https://lists.gajim.org/cgi-bin/listinfo/gajim-devel

Reply via email to