diff options
Diffstat (limited to 'protocols')
| -rw-r--r-- | protocols/jabber/jabber.c | 99 | ||||
| -rw-r--r-- | protocols/jabber/jabber.h | 10 | ||||
| -rw-r--r-- | protocols/jabber/sasl.c | 195 |
3 files changed, 232 insertions, 72 deletions
diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c index 7d9547ab..9b94b21d 100644 --- a/protocols/jabber/jabber.c +++ b/protocols/jabber/jabber.c @@ -59,6 +59,8 @@ static void jabber_init( account_t *acc ) s = set_add( &acc->set, "activity_timeout", "600", set_eval_int, acc ); + s = set_add( &acc->set, "oauth", "false", set_eval_bool, acc ); + g_snprintf( str, sizeof( str ), "%d", jabber_port_list[0] ); s = set_add( &acc->set, "port", str, set_eval_int, acc ); s->flags |= ACC_SET_OFFLINE_ONLY; @@ -98,9 +100,7 @@ static void jabber_login( account_t *acc ) { struct im_connection *ic = imcb_new( acc ); struct jabber_data *jd = g_new0( struct jabber_data, 1 ); - struct ns_srv_reply **srvl = NULL, *srv = NULL; - char *connect_to, *s; - int i; + char *s; /* For now this is needed in the _connected() handlers if using GLib event handling, to make sure we're not handling events @@ -137,63 +137,37 @@ static void jabber_login( account_t *acc ) *s = 0; } - /* This code isn't really pretty. Backwards compatibility never is... */ - s = acc->server; - while( s ) + jd->node_cache = g_hash_table_new_full( g_str_hash, g_str_equal, NULL, jabber_cache_entry_free ); + jd->buddies = g_hash_table_new( g_str_hash, g_str_equal ); + + if( set_getbool( &acc->set, "oauth" ) ) { - static int had_port = 0; - - if( strncmp( s, "ssl", 3 ) == 0 ) - { - set_setstr( &acc->set, "ssl", "true" ); - - /* Flush this part so that (if this was the first - part of the server string) acc->server gets - flushed. We don't want to have to do this another - time. :-) */ - *s = 0; - s ++; - - /* Only set this if the user didn't specify a custom - port number already... */ - if( !had_port ) - set_setint( &acc->set, "port", 5223 ); - } - else if( isdigit( *s ) ) - { - int i; - - /* The first character is a digit. It could be an - IP address though. Only accept this as a port# - if there are only digits. */ - for( i = 0; isdigit( s[i] ); i ++ ); - - /* If the first non-digit character is a colon or - the end of the string, save the port number - where it should be. */ - if( s[i] == ':' || s[i] == 0 ) - { - sscanf( s, "%d", &i ); - set_setint( &acc->set, "port", i ); - - /* See above. */ - *s = 0; - s ++; - } - - had_port = 1; - } + jd->fd = jd->r_inpa = jd->w_inpa = -1; - s = strchr( s, ':' ); - if( s ) + /* For the first login with OAuth, we have to authenticate via the browser. + For subsequent logins, exchange the refresh token for a valid access + token (even though the last one maybe didn't expire yet). */ + if( strncmp( acc->pass, "refresh_token=", 14 ) != 0 ) { - *s = 0; - s ++; + sasl_oauth2_init( ic ); + ic->flags |= OPT_SLOW_LOGIN; } + else + sasl_oauth2_refresh( ic, acc->pass + 14 ); } - - jd->node_cache = g_hash_table_new_full( g_str_hash, g_str_equal, NULL, jabber_cache_entry_free ); - jd->buddies = g_hash_table_new( g_str_hash, g_str_equal ); + else + jabber_connect( ic ); +} + +/* Separate this from jabber_login() so we can do OAuth first if necessary. + Putting this in io.c would probably be more correct. */ +void jabber_connect( struct im_connection *ic ) +{ + account_t *acc = ic->acc; + struct jabber_data *jd = ic->proto_data; + int i; + char *connect_to; + struct ns_srv_reply **srvl = NULL, *srv = NULL; /* Figure out the hostname to connect to. */ if( acc->server && *acc->server ) @@ -318,6 +292,7 @@ static void jabber_logout( struct im_connection *ic ) xt_free( jd->xt ); + g_free( jd->oauth2_access_token ); g_free( jd->away_message ); g_free( jd->username ); g_free( jd ); @@ -336,6 +311,20 @@ static int jabber_buddy_msg( struct im_connection *ic, char *who, char *message, if( g_strcasecmp( who, JABBER_XMLCONSOLE_HANDLE ) == 0 ) return jabber_write( ic, message, strlen( message ) ); + if( g_strcasecmp( who, "jabber_oauth" ) == 0 ) + { + if( sasl_oauth2_get_refresh_token( ic, message ) ) + { + return 1; + } + else + { + imcb_error( ic, "OAuth failure" ); + imc_logout( ic, TRUE ); + return 0; + } + } + if( ( s = strchr( who, '=' ) ) && jabber_chat_by_jid( ic, s + 1 ) ) bud = jabber_buddy_by_ext_jid( ic, who, 0 ); else diff --git a/protocols/jabber/jabber.h b/protocols/jabber/jabber.h index adf9a291..c68ae343 100644 --- a/protocols/jabber/jabber.h +++ b/protocols/jabber/jabber.h @@ -46,6 +46,8 @@ typedef enum activates all XEP-85 related code. */ JFLAG_XMLCONSOLE = 64, /* If the user added an xmlconsole buddy. */ JFLAG_STARTTLS_DONE = 128, /* If a plaintext session was converted to TLS. */ + + JFLAG_SASL_FB = 0x10000, /* Trying Facebook authentication. */ } jabber_flags_t; typedef enum @@ -92,6 +94,8 @@ struct jabber_data char *username; /* USERNAME@server */ char *server; /* username@SERVER -=> server/domain, not hostname */ + char *oauth2_access_token; + /* After changing one of these two (or the priority setting), call presence_send_update() to inform the server about the changes. */ const struct jabber_away_state *away_state; @@ -231,6 +235,9 @@ struct jabber_transfer #define XMLNS_BYTESTREAMS "http://jabber.org/protocol/bytestreams" /* XEP-0065 */ #define XMLNS_IBB "http://jabber.org/protocol/ibb" /* XEP-0047 */ +/* jabber.c */ +void jabber_connect( struct im_connection *ic ); + /* iq.c */ xt_status jabber_pkt_iq( struct xt_node *node, gpointer data ); int jabber_init_iq_auth( struct im_connection *ic ); @@ -315,6 +322,9 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ); xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ); xt_status sasl_pkt_result( struct xt_node *node, gpointer data ); gboolean sasl_supported( struct im_connection *ic ); +void sasl_oauth2_init( struct im_connection *ic ); +int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg ); +int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token ); /* conference.c */ struct groupchat *jabber_chat_join( struct im_connection *ic, const char *room, const char *nick, const char *password ); diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 53248ef3..f21a6706 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -25,6 +25,8 @@ #include "jabber.h" #include "base64.h" +#include "oauth2.h" +#include "oauth.h" xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) { @@ -32,7 +34,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) struct jabber_data *jd = ic->proto_data; struct xt_node *c, *reply; char *s; - int sup_plain = 0, sup_digest = 0; + int sup_plain = 0, sup_digest = 0, sup_oauth2 = 0, sup_fb = 0; if( !sasl_supported( ic ) ) { @@ -58,6 +60,10 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) sup_plain = 1; if( c->text && g_strcasecmp( c->text, "DIGEST-MD5" ) == 0 ) sup_digest = 1; + if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 ) + sup_oauth2 = 1; + if( c->text && g_strcasecmp( c->text, "X-FACEBOOK-PLATFORM" ) == 0 ) + sup_fb = 1; c = c->next; } @@ -72,7 +78,38 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) reply = xt_new_node( "auth", NULL, NULL ); xt_add_attr( reply, "xmlns", XMLNS_SASL ); - if( sup_digest ) + if( set_getbool( &ic->acc->set, "oauth" ) ) + { + int len; + + if( !sup_oauth2 ) + { + imcb_error( ic, "OAuth requested, but not supported by server" ); + imc_logout( ic, FALSE ); + xt_free_node( reply ); + return XT_ABORT; + } + + /* X-OAUTH2 is, not *the* standard OAuth2 SASL/XMPP implementation. + It's currently used by GTalk and vaguely documented on + http://code.google.com/apis/cloudprint/docs/rawxmpp.html . */ + xt_add_attr( reply, "mechanism", "X-OAUTH2" ); + + len = strlen( jd->username ) + strlen( jd->oauth2_access_token ) + 2; + s = g_malloc( len + 1 ); + s[0] = 0; + strcpy( s + 1, jd->username ); + strcpy( s + 2 + strlen( jd->username ), jd->oauth2_access_token ); + reply->text = base64_encode( (unsigned char *)s, len ); + reply->text_len = strlen( reply->text ); + g_free( s ); + } + else if( sup_fb && strstr( ic->acc->pass, "session_key=" ) ) + { + xt_add_attr( reply, "mechanism", "X-FACEBOOK-PLATFORM" ); + jd->flags |= JFLAG_SASL_FB; + } + else if( sup_digest ) { xt_add_attr( reply, "mechanism", "DIGEST-MD5" ); @@ -95,7 +132,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) g_free( s ); } - if( !jabber_write_packet( ic, reply ) ) + if( reply && !jabber_write_packet( ic, reply ) ) { xt_free_node( reply ); return XT_ABORT; @@ -196,12 +233,12 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) { struct im_connection *ic = data; struct jabber_data *jd = ic->proto_data; - struct xt_node *reply = NULL; + struct xt_node *reply_pkt = NULL; char *nonce = NULL, *realm = NULL, *cnonce = NULL; unsigned char cnonce_bin[30]; char *digest_uri = NULL; char *dec = NULL; - char *s = NULL; + char *s = NULL, *reply = NULL; xt_status ret = XT_ABORT; if( node->text_len == 0 ) @@ -209,7 +246,50 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) dec = frombase64( node->text ); - if( !( s = sasl_get_part( dec, "rspauth" ) ) ) + if( jd->flags & JFLAG_SASL_FB ) + { + /* Facebook proprietary authentication. Not as useful as it seemed, but + the code's written now, may as well keep it.. + + Mechanism is described on http://developers.facebook.com/docs/chat/ + and in their Python module. It's all mostly useless because the tokens + expire after 24h. */ + GSList *p_in = NULL, *p_out = NULL, *p; + md5_state_t md5; + char time[33], *token; + const char *secret; + + oauth_params_parse( &p_in, dec ); + oauth_params_add( &p_out, "nonce", oauth_params_get( &p_in, "nonce" ) ); + oauth_params_add( &p_out, "method", oauth_params_get( &p_in, "method" ) ); + oauth_params_free( &p_in ); + + token = g_strdup( ic->acc->pass ); + oauth_params_parse( &p_in, token ); + g_free( token ); + oauth_params_add( &p_out, "session_key", oauth_params_get( &p_in, "session_key" ) ); + + g_snprintf( time, sizeof( time ), "%lld", (long long) ( gettime() * 1000 ) ); + oauth_params_add( &p_out, "call_id", time ); + oauth_params_add( &p_out, "api_key", oauth2_service_facebook.consumer_key ); + oauth_params_add( &p_out, "v", "1.0" ); + oauth_params_add( &p_out, "format", "XML" ); + + md5_init( &md5 ); + for( p = p_out; p; p = p->next ) + md5_append( &md5, p->data, strlen( p->data ) ); + + secret = oauth_params_get( &p_in, "secret" ); + if( secret ) + md5_append( &md5, (unsigned char*) secret, strlen( secret ) ); + md5_finish_ascii( &md5, time ); + oauth_params_add( &p_out, "sig", time ); + + reply = oauth_params_string( p_out ); + oauth_params_free( &p_out ); + oauth_params_free( &p_in ); + } + else if( !( s = sasl_get_part( dec, "rspauth" ) ) ) { /* See RFC 2831 for for information. */ md5_state_t A1, A2, H; @@ -270,23 +350,20 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) sprintf( Hh + i * 2, "%02x", Hr[i] ); /* Now build the SASL response string: */ - g_free( dec ); - dec = g_strdup_printf( "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\"," - "nc=%08x,qop=auth,digest-uri=\"%s\",response=%s,charset=%s", - jd->username, realm, nonce, cnonce, 1, digest_uri, Hh, "utf-8" ); - s = tobase64( dec ); + reply = g_strdup_printf( "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\"," + "nc=%08x,qop=auth,digest-uri=\"%s\",response=%s,charset=%s", + jd->username, realm, nonce, cnonce, 1, digest_uri, Hh, "utf-8" ); } else { /* We found rspauth, but don't really care... */ - g_free( s ); - s = NULL; } - reply = xt_new_node( "response", s, NULL ); - xt_add_attr( reply, "xmlns", XMLNS_SASL ); + s = reply ? tobase64( reply ) : NULL; + reply_pkt = xt_new_node( "response", s, NULL ); + xt_add_attr( reply_pkt, "xmlns", XMLNS_SASL ); - if( !jabber_write_packet( ic, reply ) ) + if( !jabber_write_packet( ic, reply_pkt ) ) goto silent_error; ret = XT_HANDLED; @@ -300,10 +377,11 @@ silent_error: g_free( digest_uri ); g_free( cnonce ); g_free( nonce ); + g_free( reply ); g_free( realm ); g_free( dec ); g_free( s ); - xt_free_node( reply ); + xt_free_node( reply_pkt ); return ret; } @@ -346,3 +424,86 @@ gboolean sasl_supported( struct im_connection *ic ) return ( jd->xt && jd->xt->root && xt_find_attr( jd->xt->root, "version" ) ) != 0; } + +void sasl_oauth2_init( struct im_connection *ic ) +{ + char *msg, *url; + + imcb_log( ic, "Starting OAuth authentication" ); + + /* Temporary contact, just used to receive the OAuth response. */ + imcb_add_buddy( ic, "jabber_oauth", NULL ); + url = oauth2_url( &oauth2_service_google, + "https://www.googleapis.com/auth/googletalk" ); + msg = g_strdup_printf( "Open this URL in your browser to authenticate: %s", url ); + imcb_buddy_msg( ic, "jabber_oauth", msg, 0, 0 ); + imcb_buddy_msg( ic, "jabber_oauth", "Respond to this message with the returned " + "authorization token.", 0, 0 ); + + g_free( msg ); + g_free( url ); +} + +static gboolean sasl_oauth2_remove_contact( gpointer data, gint fd, b_input_condition cond ) +{ + struct im_connection *ic = data; + if( g_slist_find( jabber_connections, ic ) ) + imcb_remove_buddy( ic, "jabber_oauth", NULL ); + return FALSE; +} + +static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token ); + +int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg ) +{ + char *code; + int ret; + + imcb_log( ic, "Requesting OAuth access token" ); + + /* Don't do it here because the caller may get confused if the contact + we're currently sending a message to is deleted. */ + b_timeout_add( 1, sasl_oauth2_remove_contact, ic ); + + code = g_strdup( msg ); + g_strstrip( code ); + ret = oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_CODE, + code, sasl_oauth2_got_token, ic ); + + g_free( code ); + return ret; +} + +int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token ) +{ + return oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_REFRESH, + refresh_token, sasl_oauth2_got_token, ic ); +} + +static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token ) +{ + struct im_connection *ic = data; + struct jabber_data *jd; + + if( g_slist_find( jabber_connections, ic ) == NULL ) + return; + + jd = ic->proto_data; + + if( access_token == NULL ) + { + imcb_error( ic, "OAuth failure (missing access token)" ); + imc_logout( ic, TRUE ); + return; + } + if( refresh_token != NULL ) + { + g_free( ic->acc->pass ); + ic->acc->pass = g_strdup_printf( "refresh_token=%s", refresh_token ); + } + + g_free( jd->oauth2_access_token ); + jd->oauth2_access_token = g_strdup( access_token ); + + jabber_connect( ic ); +} |