diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/common/cfgfiles.c | 2 | ||||
-rw-r--r-- | src/common/common.vcxproj | 2 | ||||
-rw-r--r-- | src/common/dbus/dbus-client.c | 2 | ||||
-rw-r--r-- | src/common/hexchat.h | 6 | ||||
-rw-r--r-- | src/common/inbound.c | 179 | ||||
-rw-r--r-- | src/common/meson.build | 1 | ||||
-rw-r--r-- | src/common/modes.c | 2 | ||||
-rw-r--r-- | src/common/outbound.c | 4 | ||||
-rw-r--r-- | src/common/plugin.c | 1 | ||||
-rw-r--r-- | src/common/scram.c | 333 | ||||
-rw-r--r-- | src/common/scram.h | 51 | ||||
-rw-r--r-- | src/common/server.c | 6 | ||||
-rw-r--r-- | src/common/servlist.c | 5 | ||||
-rw-r--r-- | src/common/servlist.h | 3 | ||||
-rw-r--r-- | src/common/url.c | 2 | ||||
-rw-r--r-- | src/common/util.c | 2 | ||||
-rw-r--r-- | src/fe-gtk/fe-gtk.c | 3 | ||||
-rw-r--r-- | src/fe-gtk/maingui.c | 32 | ||||
-rw-r--r-- | src/fe-gtk/servlistgui.c | 8 | ||||
-rw-r--r-- | src/fe-gtk/setup.c | 1 | ||||
-rw-r--r-- | src/fe-gtk/xtext.c | 3 |
21 files changed, 585 insertions, 63 deletions
diff --git a/src/common/cfgfiles.c b/src/common/cfgfiles.c index fdee9f2c..f0799de9 100644 --- a/src/common/cfgfiles.c +++ b/src/common/cfgfiles.c @@ -468,6 +468,7 @@ const struct prefs vars[] = {"gui_win_fullscreen", P_OFFINT (hex_gui_win_fullscreen), TYPE_INT}, {"gui_win_left", P_OFFINT (hex_gui_win_left), TYPE_INT}, {"gui_win_modes", P_OFFINT (hex_gui_win_modes), TYPE_BOOL}, + {"gui_win_nick", P_OFFINT (hex_gui_win_nick), TYPE_BOOL}, {"gui_win_save", P_OFFINT (hex_gui_win_save), TYPE_BOOL}, {"gui_win_state", P_OFFINT (hex_gui_win_state), TYPE_INT}, {"gui_win_swap", P_OFFINT (hex_gui_win_swap), TYPE_BOOL}, @@ -772,6 +773,7 @@ load_default_config(void) prefs.hex_gui_ulist_count = 1; prefs.hex_gui_ulist_icons = 1; prefs.hex_gui_ulist_style = 1; + prefs.hex_gui_win_nick = 1; prefs.hex_gui_win_save = 1; prefs.hex_input_filter_beep = 1; prefs.hex_input_flash_hilight = 1; diff --git a/src/common/common.vcxproj b/src/common/common.vcxproj index bc191f43..c91d8cbb 100644 --- a/src/common/common.vcxproj +++ b/src/common/common.vcxproj @@ -36,6 +36,7 @@ <ClInclude Include="server.h" /> <ClInclude Include="servlist.h" /> <ClInclude Include="ssl.h" /> + <ClInclude Include="scram.h" /> <ClInclude Include="sysinfo\sysinfo.h" /> <ClInclude Include="text.h" /> <ClInclude Include="$(HexChatLib)textenums.h" /> @@ -69,6 +70,7 @@ <ClCompile Include="server.c" /> <ClCompile Include="servlist.c" /> <ClCompile Include="ssl.c" /> + <ClCompile Include="scram.c" /> <ClCompile Include="sysinfo\win32\backend.c" /> <ClCompile Include="text.c" /> <ClCompile Include="tree.c" /> diff --git a/src/common/dbus/dbus-client.c b/src/common/dbus/dbus-client.c index 8b40dd24..e70a49a9 100644 --- a/src/common/dbus/dbus-client.c +++ b/src/common/dbus/dbus-client.c @@ -67,7 +67,7 @@ hexchat_remote (void) gboolean hexchat_running; GError *error = NULL; char *command = NULL; - int i; + guint i; /* if there is nothing to do, return now. */ if (!arg_existing || !(arg_url || arg_urls || arg_command)) { diff --git a/src/common/hexchat.h b/src/common/hexchat.h index 470dd4ad..5ead96d1 100644 --- a/src/common/hexchat.h +++ b/src/common/hexchat.h @@ -41,6 +41,7 @@ #ifdef USE_OPENSSL #include <openssl/ssl.h> /* SSL_() */ +#include "scram.h" #endif #ifdef __EMX__ /* for o/s 2 */ @@ -150,6 +151,7 @@ struct hexchatprefs unsigned int hex_gui_ulist_style; unsigned int hex_gui_usermenu; unsigned int hex_gui_win_modes; + unsigned int hex_gui_win_nick; unsigned int hex_gui_win_save; unsigned int hex_gui_win_swap; unsigned int hex_gui_win_ucount; @@ -429,6 +431,9 @@ typedef struct session /* SASL Mechanisms */ #define MECH_PLAIN 0 #define MECH_EXTERNAL 1 +#define MECH_SCRAM_SHA_1 2 +#define MECH_SCRAM_SHA_256 3 +#define MECH_SCRAM_SHA_512 4 typedef struct server { @@ -584,6 +589,7 @@ typedef struct server #ifdef USE_OPENSSL unsigned int use_ssl:1; /* is server SSL capable? */ unsigned int accept_invalid_cert:1;/* ignore result of server's cert. verify */ + scram_session *scram_session; /* session for SASL SCRAM authentication */ #endif } server; diff --git a/src/common/inbound.c b/src/common/inbound.c index a591dc48..fdee2ecc 100644 --- a/src/common/inbound.c +++ b/src/common/inbound.c @@ -1648,7 +1648,10 @@ inbound_identified (server *serv) /* 'MODE +e MYSELF' on freenode */ static const char *sasl_mechanisms[] = { "PLAIN", - "EXTERNAL" + "EXTERNAL", + "SCRAM-SHA-1", + "SCRAM-SHA-256", + "SCRAM-SHA-512" }; static void @@ -1689,6 +1692,12 @@ inbound_toggle_caps (server *serv, const char *extensions_str, gboolean enable) #ifdef USE_OPENSSL if (serv->loginmethod == LOGIN_SASLEXTERNAL) serv->sasl_mech = MECH_EXTERNAL; + else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1) + serv->sasl_mech = MECH_SCRAM_SHA_1; + else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256) + serv->sasl_mech = MECH_SCRAM_SHA_256; + else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512) + serv->sasl_mech = MECH_SCRAM_SHA_512; #endif /* Mechanism either defaulted to PLAIN or server gave us list */ tcp_sendf (serv, "AUTHENTICATE %s\r\n", sasl_mechanisms[serv->sasl_mech]); @@ -1766,6 +1775,30 @@ get_supported_mech (server *serv, const char *list) break; } } + else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1) + { + if (!strcmp(mechs[i], "SCRAM-SHA-1")) + { + ret = MECH_SCRAM_SHA_1; + break; + } + } + else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256) + { + if (!strcmp(mechs[i], "SCRAM-SHA-256")) + { + ret = MECH_SCRAM_SHA_256; + break; + } + } + else if (serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512) + { + if (!strcmp(mechs[i], "SCRAM-SHA-512")) + { + ret = MECH_SCRAM_SHA_512; + break; + } + } else #endif if (!strcmp (mechs[i], "PLAIN")) @@ -1821,7 +1854,11 @@ inbound_cap_ls (server *serv, char *nick, char *extensions_str, /* if the SASL password is set AND auth mode is set to SASL, request SASL auth */ if (!g_strcmp0 (extension, "sasl") && - ((serv->loginmethod == LOGIN_SASL && strlen (serv->password) != 0) + (((serv->loginmethod == LOGIN_SASL + || serv->loginmethod == LOGIN_SASL_SCRAM_SHA_1 + || serv->loginmethod == LOGIN_SASL_SCRAM_SHA_256 + || serv->loginmethod == LOGIN_SASL_SCRAM_SHA_512) + && strlen (serv->password) != 0) || serv->loginmethod == LOGIN_SASLEXTERNAL)) { if (value) @@ -1901,11 +1938,103 @@ inbound_cap_list (server *serv, char *nick, char *extensions, NULL, NULL, 0, tags_data->timestamp); } +static void +plain_authenticate (server *serv, char *user, char *password) +{ + char *pass = encode_sasl_pass_plain (user, password); + + if (pass == NULL) + { + /* something went wrong abort */ + tcp_sendf (serv, "AUTHENTICATE *\r\n"); + return; + } + + /* long SASL passwords must be split into 400-byte chunks + https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command */ + size_t pass_len = strlen (pass); + if (pass_len <= 400) + tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass); + else + { + size_t sent = 0; + while (sent < pass_len) + { + char *pass_chunk = g_strndup (pass + sent, 400); + tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass_chunk); + sent += 400; + g_free (pass_chunk); + } + } + if (pass_len % 400 == 0) + tcp_sendf (serv, "AUTHENTICATE +\r\n"); +} + +#ifdef USE_OPENSSL +/* + * Sends AUTHENTICATE messages to log in via SCRAM. + */ +static void +scram_authenticate (server *serv, const char *data, const char *digest, + const char *user, const char *password) +{ + char *encoded, *decoded, *output; + scram_status status; + size_t output_len; + gsize decoded_len; + + if (serv->scram_session == NULL) + { + serv->scram_session = scram_session_create (digest, user, password); + + if (serv->scram_session == NULL) + { + PrintTextf (serv->server_session, _("Could not create SCRAM session with digest %s"), digest); + g_warning ("Could not create SCRAM session with digest %s", digest); + tcp_sendf (serv, "AUTHENTICATE *\r\n"); + return; + } + } + + decoded = g_base64_decode (data, &decoded_len); + status = scram_process (serv->scram_session, decoded, &output, &output_len); + g_free (decoded); + + if (status == SCRAM_IN_PROGRESS) + { + // Authentication is still in progress + encoded = g_base64_encode ((guchar *) output, output_len); + tcp_sendf (serv, "AUTHENTICATE %s\r\n", encoded); + g_free (encoded); + g_free (output); + } + else if (status == SCRAM_SUCCESS) + { + // Authentication succeeded + tcp_sendf (serv, "AUTHENTICATE +\r\n"); + g_clear_pointer (&serv->scram_session, scram_session_free); + } + else if (status == SCRAM_ERROR) + { + // Authentication failed + tcp_sendf (serv, "AUTHENTICATE *\r\n"); + + if (serv->scram_session->error != NULL) + { + PrintTextf (serv->server_session, _("SASL SCRAM authentication failed: %s"), serv->scram_session->error); + g_info ("SASL SCRAM authentication failed: %s", serv->scram_session->error); + } + + g_clear_pointer (&serv->scram_session, scram_session_free); + } +} +#endif + void inbound_sasl_authenticate (server *serv, char *data) { ircnet *net = (ircnet*)serv->network; - char *user, *pass = NULL; + char *user; const char *mech = sasl_mechanisms[serv->sasl_mech]; /* Got a list of supported mechanisms from outdated inspircd @@ -1921,43 +2050,24 @@ inbound_sasl_authenticate (server *serv, char *data) switch (serv->sasl_mech) { case MECH_PLAIN: - pass = encode_sasl_pass_plain (user, serv->password); + plain_authenticate(serv, user, serv->password); break; #ifdef USE_OPENSSL case MECH_EXTERNAL: - pass = g_strdup ("+"); + tcp_sendf (serv, "AUTHENTICATE +\r\n"); break; -#endif - } - - if (pass == NULL) - { - /* something went wrong abort */ - tcp_sendf (serv, "AUTHENTICATE *\r\n"); + case MECH_SCRAM_SHA_1: + scram_authenticate(serv, data, "SHA1", user, serv->password); return; + case MECH_SCRAM_SHA_256: + scram_authenticate(serv, data, "SHA256", user, serv->password); + return; + case MECH_SCRAM_SHA_512: + scram_authenticate(serv, data, "SHA512", user, serv->password); + return; +#endif } - /* long SASL passwords must be split into 400-byte chunks - https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command */ - size_t pass_len = strlen (pass); - if (pass_len <= 400) - tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass); - else - { - size_t sent = 0; - while (sent < pass_len) - { - char *pass_chunk = g_strndup (pass + sent, 400); - tcp_sendf (serv, "AUTHENTICATE %s\r\n", pass_chunk); - sent += 400; - g_free (pass_chunk); - } - } - if (pass_len % 400 == 0) - tcp_sendf (serv, "AUTHENTICATE +\r\n"); - g_free (pass); - - EMIT_SIGNAL_TIMESTAMP (XP_TE_SASLAUTH, serv->server_session, user, (char*)mech, NULL, NULL, 0, 0); } @@ -1965,6 +2075,9 @@ inbound_sasl_authenticate (server *serv, char *data) void inbound_sasl_error (server *serv) { +#ifdef USE_OPENSSL + g_clear_pointer (&serv->scram_session, scram_session_free); +#endif /* Just abort, not much we can do */ tcp_sendf (serv, "AUTHENTICATE *\r\n"); } diff --git a/src/common/meson.build b/src/common/meson.build index 84e2fca3..35db2c27 100644 --- a/src/common/meson.build +++ b/src/common/meson.build @@ -15,6 +15,7 @@ common_sources = [ 'plugin-identd.c', 'plugin-timer.c', 'proto-irc.c', + 'scram.c', 'server.c', 'servlist.c', 'text.c', diff --git a/src/common/modes.c b/src/common/modes.c index d8fd75aa..1ff309bd 100644 --- a/src/common/modes.c +++ b/src/common/modes.c @@ -680,7 +680,7 @@ handle_mode (server * serv, char *word[], char *word_eol[], int len; size_t arg; size_t i, num_args; - int num_modes; + size_t num_modes; size_t offset = 3; int all_modes_have_args = FALSE; int using_front_tab = FALSE; diff --git a/src/common/outbound.c b/src/common/outbound.c index b9f88196..b8153502 100644 --- a/src/common/outbound.c +++ b/src/common/outbound.c @@ -468,7 +468,7 @@ create_mask (session * sess, char *mask, char *mode, char *typestr, int deop) type = prefs.hex_irc_ban_type; buf[0] = 0; - if (inet_addr (fullhost) != -1) /* "fullhost" is really a IP number */ + if (inet_addr (fullhost) != (guint32) -1) /* "fullhost" is really a IP number */ { lastdot = strrchr (fullhost, '.'); if (!lastdot) @@ -3458,6 +3458,8 @@ cmd_server (struct session *sess, char *tbuf, char *word[], char *word_eol[]) #ifdef USE_OPENSSL int use_ssl = TRUE; int use_ssl_noverify = FALSE; +#else + int use_ssl = FALSE; #endif int is_url = TRUE; server *serv = sess->server; diff --git a/src/common/plugin.c b/src/common/plugin.c index 5524e984..f4691d73 100644 --- a/src/common/plugin.c +++ b/src/common/plugin.c @@ -491,7 +491,6 @@ plugin_auto_load (session *sess) for_files (lib_dir, "hcfishlim.dll", plugin_auto_load_cb); for_files(lib_dir, "hclua.dll", plugin_auto_load_cb); for_files (lib_dir, "hcperl.dll", plugin_auto_load_cb); - for_files (lib_dir, "hcpython2.dll", plugin_auto_load_cb); for_files (lib_dir, "hcpython3.dll", plugin_auto_load_cb); for_files (lib_dir, "hcupd.dll", plugin_auto_load_cb); for_files (lib_dir, "hcwinamp.dll", plugin_auto_load_cb); diff --git a/src/common/scram.c b/src/common/scram.c new file mode 100644 index 00000000..b39199de --- /dev/null +++ b/src/common/scram.c @@ -0,0 +1,333 @@ +/* HexChat + * Copyright (C) 2023 Patrick Okraku + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#include "hexchat.h" + +#ifdef USE_OPENSSL + +#include "scram.h" +#include <openssl/hmac.h> +#include <openssl/rand.h> + +#define NONCE_LENGTH 18 +#define CLIENT_KEY "Client Key" +#define SERVER_KEY "Server Key" + +// EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed in OpenSSL 1.1.0 +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) +#define EVP_MD_CTX_new(ctx) EVP_MD_CTX_create(ctx) +#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx) +#endif + +scram_session +*scram_session_create (const char *digest, const char *username, const char *password) +{ + scram_session *session; + const EVP_MD *md; +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + OpenSSL_add_all_algorithms (); +#endif + md = EVP_get_digestbyname (digest); + + if (md == NULL) + { + // Unknown message digest + return NULL; + } + + session = g_new0 (scram_session, 1); + session->digest = md; + session->digest_size = EVP_MD_size (md); + session->username = g_strdup (username); + session->password = g_strdup (password); + return session; +} + +void +scram_session_free (scram_session *session) +{ + if (session == NULL) + { + return; + } + + g_free (session->username); + g_free (session->password); + g_free (session->client_nonce_b64); + g_free (session->client_first_message_bare); + g_free (session->salted_password); + g_free (session->auth_message); + g_free (session->error); + + g_free (session); +} + +static int +create_nonce (void *buffer, size_t length) +{ + return RAND_bytes (buffer, length); +} + +static int +create_SHA (scram_session *session, const unsigned char *input, size_t input_len, + unsigned char *output, unsigned int *output_len) +{ + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); + + if (!EVP_DigestInit_ex (md_ctx, session->digest, NULL)) + { + session->error = g_strdup ("Message digest initialization failed"); + EVP_MD_CTX_free (md_ctx); + return SCRAM_ERROR; + } + + if (!EVP_DigestUpdate (md_ctx, input, input_len)) + { + session->error = g_strdup ("Message digest update failed"); + EVP_MD_CTX_free (md_ctx); + return SCRAM_ERROR; + } + + if (!EVP_DigestFinal_ex (md_ctx, output, output_len)) + { + session->error = g_strdup ("Message digest finalization failed"); + EVP_MD_CTX_free (md_ctx); + return SCRAM_ERROR; + } + + EVP_MD_CTX_free (md_ctx); + return SCRAM_IN_PROGRESS; +} + +static scram_status +process_client_first (scram_session *session, char **output, size_t *output_len) +{ + char nonce[NONCE_LENGTH]; + + if (!create_nonce (nonce, NONCE_LENGTH)) + { + session->error = g_strdup ("Could not create client nonce"); + return SCRAM_ERROR; + } + + session->client_nonce_b64 = g_base64_encode ((guchar *) nonce, NONCE_LENGTH); + *output = g_strdup_printf ("n,,n=%s,r=%s", session->username, session->client_nonce_b64); + *output_len = strlen (*output); + session->client_first_message_bare = g_strdup (*output + 3); + session->step++; + return SCRAM_IN_PROGRESS; +} + +static scram_status +process_server_first (scram_session *session, const char *data, char **output, + size_t *output_len) +{ + char **params, *client_final_message_without_proof, *salt, *server_nonce_b64, + *client_proof_b64; + unsigned char *client_key, stored_key[EVP_MAX_MD_SIZE], *client_signature, *client_proof; + unsigned int i, param_count, iteration_count, client_key_len, stored_key_len; + gsize salt_len = 0; + size_t client_nonce_len; + + params = g_strsplit (data, ",", -1); + param_count = g_strv_length (params); + + if (param_count < 3) + { + session->error = g_strdup_printf ("Invalid server-first-message: %s", data); + g_strfreev (params); + return SCRAM_ERROR; + } + + server_nonce_b64 = NULL; + salt = NULL; + iteration_count = 0; + + for (i = 0; i < param_count; i++) + { + if (!strncmp (params[i], "r=", 2)) + { + g_free (server_nonce_b64); + server_nonce_b64 = g_strdup (params[i] + 2); + } + else if (!strncmp (params[i], "s=", 2)) + { + g_free (salt); + salt = g_strdup (params[i] + 2); + } + else if (!strncmp (params[i], "i=", 2)) + { + iteration_count = strtoul (params[i] + 2, NULL, 10); + } + } + + g_strfreev (params); + + if (server_nonce_b64 == NULL || *server_nonce_b64 == '\0' || salt == NULL || + *salt == '\0' || iteration_count == 0) + { + session->error = g_strdup_printf ("Invalid server-first-message: %s", data); + g_free (server_nonce_b64); + g_free (salt); + return SCRAM_ERROR; + } + + client_nonce_len = strlen (session->client_nonce_b64); + + // The server can append his nonce to the client's nonce + if (strlen (server_nonce_b64) < client_nonce_len || + strncmp (server_nonce_b64, session->client_nonce_b64, client_nonce_len)) + { + session->error = g_strdup_printf ("Invalid server nonce: %s", server_nonce_b64); + return SCRAM_ERROR; + } + + g_base64_decode_inplace ((gchar *) salt, &salt_len); + + // SaltedPassword := Hi(Normalize(password), salt, i) + session->salted_password = g_malloc (session->digest_size); + + PKCS5_PBKDF2_HMAC (session->password, strlen (session->password), (unsigned char *) salt, + salt_len, iteration_count, session->digest, session->digest_size, + session->salted_password); + + // AuthMessage := client-first-message-bare + "," + + // server-first-message + "," + + // client-final-message-without-proof + client_final_message_without_proof = g_strdup_printf ("c=biws,r=%s", server_nonce_b64); + + session->auth_message = g_strdup_printf ("%s,%s,%s", session->client_first_message_bare, + data, client_final_message_without_proof); + + // ClientKey := HMAC(SaltedPassword, "Client Key") + client_key = g_malloc0 (session->digest_size); + + HMAC (session->digest, session->salted_password, session->digest_size, + (unsigned char *) CLIENT_KEY, strlen (CLIENT_KEY), client_key, &client_key_len); + + // StoredKey := H(ClientKey) + if (!create_SHA (session, client_key, session->digest_size, stored_key, &stored_key_len)) + { + g_free (client_final_message_without_proof); + g_free (server_nonce_b64); + g_free (salt); + g_free (client_key); + return SCRAM_ERROR; + } + + // ClientSignature := HMAC(StoredKey, AuthMessage) + client_signature = g_malloc0 (session->digest_size); + HMAC (session->digest, stored_key, stored_key_len, (unsigned char *) session->auth_message, + strlen ((char *) session->auth_message), client_signature, NULL); + + // ClientProof := ClientKey XOR ClientSignature + client_proof = g_malloc0 (client_key_len); + + for (i = 0; i < client_key_len; i++) + { + client_proof[i] = client_key[i] ^ client_signature[i]; + } + + client_proof_b64 = g_base64_encode ((guchar *) client_proof, client_key_len); + + *output = g_strdup_printf ("%s,p=%s", client_final_message_without_proof, client_proof_b64); + *output_len = strlen (*output); + + g_free (server_nonce_b64); + g_free (salt); + g_free (client_final_message_without_proof); + g_free (client_key); + g_free (client_signature); + g_free (client_proof); + g_free (client_proof_b64); + + session->step++; + return SCRAM_IN_PROGRESS; +} + +static scram_status +process_server_final (scram_session *session, const char *data) +{ + char *verifier; + unsigned char *server_key, *server_signature; + unsigned int server_key_len = 0, server_signature_len = 0; + gsize verifier_len = 0; + + if (strlen (data) < 3 || (data[0] != 'v' && data[1] != '=')) + { + return SCRAM_ERROR; + } + + verifier = g_strdup (data + 2); + g_base64_decode_inplace (verifier, &verifier_len); + + // ServerKey := HMAC(SaltedPassword, "Server Key") + server_key = g_malloc0 (session->digest_size); + HMAC (session->digest, session->salted_password, session->digest_size, + (unsigned char *) SERVER_KEY, strlen (SERVER_KEY), server_key, &server_key_len); + + // ServerSignature := HMAC(ServerKey, AuthMessage) + server_signature = g_malloc0 (session->digest_size); + HMAC (session->digest, server_key, session->digest_size, + (unsigned char *) session->auth_message, strlen ((char *) session->auth_message), + server_signature, &server_signature_len); + + if (verifier_len == server_signature_len && + memcmp (verifier, server_signature, verifier_len) == 0) + { + g_free (verifier); + g_free (server_key); + g_free (server_signature); + return SCRAM_SUCCESS; + } + else + { + g_free (verifier); + g_free (server_key); + g_free (server_signature); + return SCRAM_ERROR; + } +} + +scram_status +scram_process (scram_session *session, const char *input, char **output, size_t *output_len) +{ + scram_status status; + + switch (session->step) + { + case 0: + status = process_client_first (session, output, output_len); + break; + case 1: + status = process_server_first (session, input, output, output_len); + break; + case 2: + status = process_server_final (session, input); + break; + default: + *output = NULL; + *output_len = 0; + status = SCRAM_ERROR; + break; + } + + return status; +} + +#endif \ No newline at end of file diff --git a/src/common/scram.h b/src/common/scram.h new file mode 100644 index 00000000..ffe22037 --- /dev/null +++ b/src/common/scram.h @@ -0,0 +1,51 @@ +/* HexChat + * Copyright (C) 2023 Patrick Okraku + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ +#ifndef HEXCHAT_SCRAM_H +#define HEXCHAT_SCRAM_H + +#include "config.h" +#ifdef USE_OPENSSL +#include <openssl/evp.h> + +typedef struct +{ + const EVP_MD *digest; + size_t digest_size; + char *username; + char *password; + char *client_nonce_b64; + char *client_first_message_bare; + unsigned char *salted_password; + char *auth_message; + char *error; + int step; +} scram_session; + +typedef enum +{ + SCRAM_ERROR = 0, + SCRAM_IN_PROGRESS, + SCRAM_SUCCESS +} scram_status; + +scram_session *scram_session_create (const char *digset, const char *username, const char *password); +void scram_session_free (scram_session *session); +scram_status scram_process (scram_session *session, const char *input, char **output, size_t *output_len); + +#endif +#endif \ No newline at end of file diff --git a/src/common/server.c b/src/common/server.c index e14da237..c78ce900 100644 --- a/src/common/server.c +++ b/src/common/server.c @@ -1765,7 +1765,9 @@ server_set_defaults (server *serv) g_free (serv->chanmodes); g_free (serv->nick_prefixes); g_free (serv->nick_modes); - +#ifdef USE_OPENSSL + g_clear_pointer (&serv->scram_session, scram_session_free); +#endif serv->chantypes = g_strdup ("#&!+"); serv->chanmodes = g_strdup ("beI,k,l"); serv->nick_prefixes = g_strdup ("@%+"); @@ -1937,6 +1939,8 @@ server_free (server *serv) #ifdef USE_OPENSSL if (serv->ctx) _SSL_context_free (serv->ctx); + + g_clear_pointer (&serv->scram_session, scram_session_free); #endif fe_server_callback (serv); diff --git a/src/common/servlist.c b/src/common/servlist.c index 771d7813..1f29bb32 100644 --- a/src/common/servlist.c +++ b/src/common/servlist.c @@ -305,6 +305,9 @@ static const struct defaultserver def[] = {"Techtronix", 0, 0, 0, LOGIN_SASL, 0, TRUE}, {0, "irc.techtronix.net"}, + {"TechNet", 0, 0, 0, LOGIN_SASL, 0, TRUE}, + {0, "irc.technet.chat"}, + {"tilde.chat", 0, 0, 0, LOGIN_SASL, 0, TRUE}, {0, "irc.tilde.chat"}, @@ -323,7 +326,7 @@ static const struct defaultserver def[] = #endif {"UnderNet", 0, 0, 0, LOGIN_CUSTOM, "MSG x@channels.undernet.org login %u %p"}, - {0, "us.undernet.org"}, + {0, "irc.undernet.org"}, {"Xertion", 0, 0, 0, LOGIN_SASL, 0, TRUE}, {0, "irc.xertion.org"}, diff --git a/src/common/servlist.h b/src/common/servlist.h index ec885fef..c3d158b2 100644 --- a/src/common/servlist.h +++ b/src/common/servlist.h @@ -79,6 +79,9 @@ extern GSList *network_list; #define LOGIN_CHALLENGEAUTH 8 #define LOGIN_CUSTOM 9 #define LOGIN_SASLEXTERNAL 10 +#define LOGIN_SASL_SCRAM_SHA_1 11 +#define LOGIN_SASL_SCRAM_SHA_256 12 +#define LOGIN_SASL_SCRAM_SHA_512 13 #define CHALLENGEAUTH_ALGO "HMAC-SHA-256" #define CHALLENGEAUTH_NICK "Q@CServe.quakenet.org" diff --git a/src/common/url.c b/src/common/url.c index 6a1d09e8..ae85ae44 100644 --- a/src/common/url.c +++ b/src/common/url.c @@ -331,7 +331,7 @@ url_check_line (char *buf) GRegex *re(void); GMatchInfo *gmi; char *po = buf; - int i; + size_t i; /* Skip over message prefix */ if (*po == ':') diff --git a/src/common/util.c b/src/common/util.c index f06074fc..bd920cae 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -988,7 +988,7 @@ void country_search (char *pattern, void *ud, void (*print)(void *, char *, ...)) { const domain_t *dom; - int i; + size_t i; for (i = 0; i < sizeof (domain) / sizeof (domain_t); i++) { diff --git a/src/fe-gtk/fe-gtk.c b/src/fe-gtk/fe-gtk.c index 38e6172d..125ab577 100644 --- a/src/fe-gtk/fe-gtk.c +++ b/src/fe-gtk/fe-gtk.c @@ -1065,8 +1065,7 @@ uri_contains_forbidden_characters (const char *uri) { while (*uri) { - /* This is not an exhaustive list, the full URI has segments that allow characters like "[]:" for example. */ - if (strchr ("`<> ${}\"+", *uri) != NULL || (*uri & 0x80) /* non-ascii */) + if (!g_ascii_isalnum (*uri) && !strchr ("-._~:/?#[]@!$&'()*+,;=", *uri)) return TRUE; uri++; } diff --git a/src/fe-gtk/maingui.c b/src/fe-gtk/maingui.c index 3e62da15..a3e633bc 100644 --- a/src/fe-gtk/maingui.c +++ b/src/fe-gtk/maingui.c @@ -399,27 +399,22 @@ fe_set_title (session *sess) _(DISPLAY_NAME)); break; case SESS_SERVER: - g_snprintf (tbuf, sizeof (tbuf), "%s @ %s - %s", - sess->server->nick, server_get_network (sess->server, TRUE), + g_snprintf (tbuf, sizeof (tbuf), "%s%s%s - %s", + prefs.hex_gui_win_nick ? sess->server->nick : "", + prefs.hex_gui_win_nick ? " @ " : "", server_get_network (sess->server, TRUE), _(DISPLAY_NAME)); break; case SESS_CHANNEL: /* don't display keys in the titlebar */ - if (prefs.hex_gui_win_modes) - { g_snprintf (tbuf, sizeof (tbuf), - "%s @ %s / %s (%s) - %s", - sess->server->nick, server_get_network (sess->server, TRUE), - sess->channel, sess->current_modes ? sess->current_modes : "", - _(DISPLAY_NAME)); - } - else - { - g_snprintf (tbuf, sizeof (tbuf), - "%s @ %s / %s - %s", - sess->server->nick, server_get_network (sess->server, TRUE), - sess->channel, _(DISPLAY_NAME)); - } + "%s%s%s / %s%s%s%s - %s", + prefs.hex_gui_win_nick ? sess->server->nick : "", + prefs.hex_gui_win_nick ? " @ " : "", + server_get_network (sess->server, TRUE), sess->channel, + prefs.hex_gui_win_modes && sess->current_modes ? " (" : "", + prefs.hex_gui_win_modes && sess->current_modes ? sess->current_modes : "", + prefs.hex_gui_win_modes && sess->current_modes ? ")" : "", + _(DISPLAY_NAME)); if (prefs.hex_gui_win_ucount) { g_snprintf (tbuf + strlen (tbuf), 9, " (%d)", sess->total); @@ -427,8 +422,9 @@ fe_set_title (session *sess) break; case SESS_NOTICES: case SESS_SNOTICES: - g_snprintf (tbuf, sizeof (tbuf), "%s @ %s (notices) - %s", - sess->server->nick, server_get_network (sess->server, TRUE), + g_snprintf (tbuf, sizeof (tbuf), "%s%s%s (notices) - %s", + prefs.hex_gui_win_nick ? sess->server->nick : "", + prefs.hex_gui_win_nick ? " @ " : "", server_get_network (sess->server, TRUE), _(DISPLAY_NAME)); break; default: diff --git a/src/fe-gtk/servlistgui.c b/src/fe-gtk/servlistgui.c index edcd4609..0e5e108b 100644 --- a/src/fe-gtk/servlistgui.c +++ b/src/fe-gtk/servlistgui.c @@ -128,6 +128,9 @@ static int login_types_conf[] = LOGIN_SASL, #ifdef USE_OPENSSL LOGIN_SASLEXTERNAL, + LOGIN_SASL_SCRAM_SHA_1, + LOGIN_SASL_SCRAM_SHA_256, + LOGIN_SASL_SCRAM_SHA_512, #endif LOGIN_PASS, LOGIN_MSG_NICKSERV, @@ -146,9 +149,12 @@ static int login_types_conf[] = static const char *login_types[]= { "Default", - "SASL (username + password)", + "SASL PLAIN (username + password)", #ifdef USE_OPENSSL "SASL EXTERNAL (cert)", + "SASL SCRAM-SHA-1", + "SASL SCRAM-SHA-256", + "SASL SCRAM-SHA-512", #endif "Server password (/PASS password)", "NickServ (/MSG NickServ + password)", diff --git a/src/fe-gtk/setup.c b/src/fe-gtk/setup.c index 2f0589bd..0e1dfde3 100644 --- a/src/fe-gtk/setup.c +++ b/src/fe-gtk/setup.c @@ -176,6 +176,7 @@ static const setting appearance_settings[] = {ST_HEADER, N_("Title Bar"),0,0,0}, {ST_TOGGLE, N_("Show channel modes"), P_OFFINTNL(hex_gui_win_modes),0,0,0}, {ST_TOGGLR, N_("Show number of users"), P_OFFINTNL(hex_gui_win_ucount),0,0,0}, + {ST_TOGGLE, N_("Show nickname"), P_OFFINTNL(hex_gui_win_nick),0,0,0}, {ST_END, 0, 0, 0, 0, 0} }; diff --git a/src/fe-gtk/xtext.c b/src/fe-gtk/xtext.c index 08a5110a..be978f22 100644 --- a/src/fe-gtk/xtext.c +++ b/src/fe-gtk/xtext.c @@ -170,7 +170,8 @@ xtext_pango_attr (PangoAttribute *attr) static void xtext_pango_init (GtkXText *xtext) { - int i, j; + size_t i; + int j; char buf[2] = "\000"; if (attr_lists[0]) |