From 57b4525653972dc23c8c5ca5ffaa7e44fad64ee9 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Fri, 22 Jul 2011 19:29:25 +0100 Subject: Nothing useful yet, this just generates an auth URL. Things to do: Ability to process the answer. This is hard because the GTalk server will time out very quickly which means we lose our state/scope/etc. (And the ability to even receive the answer, at least if I'd do this the same way the Twitter module does it.) And then, get the access token and use it, of course. :-) --- protocols/jabber/sasl.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 53248ef3..0bbbae11 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -25,6 +25,7 @@ #include "jabber.h" #include "base64.h" +#include "oauth2.h" xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) { @@ -32,7 +33,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) struct jabber_data *jd = ic->proto_data; struct xt_node *c, *reply; char *s; - int sup_plain = 0, sup_digest = 0; + int sup_plain = 0, sup_digest = 0, sup_oauth2 = 0; if( !sasl_supported( ic ) ) { @@ -58,6 +59,8 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) sup_plain = 1; if( c->text && g_strcasecmp( c->text, "DIGEST-MD5" ) == 0 ) sup_digest = 1; + if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 ) + sup_oauth2 = 1; c = c->next; } @@ -72,7 +75,15 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) reply = xt_new_node( "auth", NULL, NULL ); xt_add_attr( reply, "xmlns", XMLNS_SASL ); - if( sup_digest ) + if( sup_oauth2 && set_getbool( &ic->acc->set, "oauth" ) ) + { + imcb_log( ic, "Open this URL in your browser to authenticate: %s", + oauth2_url( &oauth2_service_google, + "https://www.googleapis.com/auth/googletalk" ) ); + xt_free_node( reply ); + reply = NULL; + } + else if( sup_digest ) { xt_add_attr( reply, "mechanism", "DIGEST-MD5" ); @@ -95,7 +106,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) g_free( s ); } - if( !jabber_write_packet( ic, reply ) ) + if( reply && !jabber_write_packet( ic, reply ) ) { xt_free_node( reply ); return XT_ABORT; -- cgit v1.2.3 From 4a5d88504235e1df5d01a3a5701b83dd82d6695d Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Tue, 26 Jul 2011 12:58:38 +0100 Subject: Working OAuth2 support. Needs some more debugging (error handling is not great and imc_logout() gets (rightfully) confused when jabber_data is empty). --- protocols/jabber/sasl.c | 111 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 105 insertions(+), 6 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 0bbbae11..a7c3dd6f 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -75,13 +75,31 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) reply = xt_new_node( "auth", NULL, NULL ); xt_add_attr( reply, "xmlns", XMLNS_SASL ); - if( sup_oauth2 && set_getbool( &ic->acc->set, "oauth" ) ) + if( set_getbool( &ic->acc->set, "oauth" ) ) { - imcb_log( ic, "Open this URL in your browser to authenticate: %s", - oauth2_url( &oauth2_service_google, - "https://www.googleapis.com/auth/googletalk" ) ); - xt_free_node( reply ); - reply = NULL; + int len; + + if( !sup_oauth2 ) + { + imcb_error( ic, "OAuth requested, but not supported by server" ); + imc_logout( ic, FALSE ); + xt_free_node( reply ); + return XT_ABORT; + } + + /* X-OAUTH2 is, not *the* standard OAuth2 SASL/XMPP implementation. + It's currently used by GTalk and vaguely documented on + http://code.google.com/apis/cloudprint/docs/rawxmpp.html . */ + xt_add_attr( reply, "mechanism", "X-OAUTH2" ); + + len = strlen( jd->username ) + strlen( jd->oauth2_access_token ) + 2; + s = g_malloc( len + 1 ); + s[0] = 0; + strcpy( s + 1, jd->username ); + strcpy( s + 2 + strlen( jd->username ), jd->oauth2_access_token ); + reply->text = base64_encode( (unsigned char *)s, len ); + reply->text_len = strlen( reply->text ); + g_free( s ); } else if( sup_digest ) { @@ -357,3 +375,84 @@ gboolean sasl_supported( struct im_connection *ic ) return ( jd->xt && jd->xt->root && xt_find_attr( jd->xt->root, "version" ) ) != 0; } + +void sasl_oauth2_init( struct im_connection *ic ) +{ + char *msg, *url; + + imcb_log( ic, "Starting OAuth authentication" ); + + /* Temporary contact, just used to receive the OAuth response. */ + imcb_add_buddy( ic, "jabber_oauth", NULL ); + url = oauth2_url( &oauth2_service_google, + "https://www.googleapis.com/auth/googletalk" ); + msg = g_strdup_printf( "Open this URL in your browser to authenticate: %s", url ); + imcb_buddy_msg( ic, "jabber_oauth", msg, 0, 0 ); + imcb_buddy_msg( ic, "jabber_oauth", "Respond to this message with the returned " + "authorization token.", 0, 0 ); + + g_free( msg ); + g_free( url ); +} + +static gboolean sasl_oauth2_remove_contact( gpointer data, gint fd, b_input_condition cond ) +{ + struct im_connection *ic = data; + imcb_remove_buddy( ic, "jabber_oauth", NULL ); + return FALSE; +} + +static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token ); + +int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg ) +{ + char *code; + int ret; + + imcb_log( ic, "Requesting OAuth access token" ); + + /* Don't do it here because the caller may get confused if the contact + we're currently sending a message to is deleted. */ + b_timeout_add( 1, sasl_oauth2_remove_contact, ic ); + + code = g_strdup( msg ); + g_strstrip( code ); + ret = oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_CODE, + code, sasl_oauth2_got_token, ic ); + + g_free( code ); + return ret; +} + +int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token ) +{ + return oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_REFRESH, + refresh_token, sasl_oauth2_got_token, ic ); +} + +static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token ) +{ + struct im_connection *ic = data; + struct jabber_data *jd; + + if( g_slist_find( jabber_connections, ic ) == NULL ) + return; + + jd = ic->proto_data; + + if( access_token == NULL ) + { + imcb_error( ic, "OAuth failure (missing access token)" ); + imc_logout( ic, TRUE ); + } + if( refresh_token != NULL ) + { + g_free( ic->acc->pass ); + ic->acc->pass = g_strdup_printf( "refresh_token=%s", refresh_token ); + } + + g_free( jd->oauth2_access_token ); + jd->oauth2_access_token = g_strdup( access_token ); + + jabber_connect( ic ); +} -- cgit v1.2.3 From e1c926f53750ca288f30f3d62eecdc763b67d642 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sun, 31 Jul 2011 16:44:37 +0100 Subject: Facebook authentication. This isn't really OAuth in the end: FB doesn't really support desktop app OAuth in a way that would work with BitlBee. Plus, it's only OAuth-compliant by, err, name? --- protocols/jabber/sasl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index a7c3dd6f..89571d8d 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -26,6 +26,7 @@ #include "jabber.h" #include "base64.h" #include "oauth2.h" +#include "oauth.h" xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) { @@ -33,7 +34,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) struct jabber_data *jd = ic->proto_data; struct xt_node *c, *reply; char *s; - int sup_plain = 0, sup_digest = 0, sup_oauth2 = 0; + int sup_plain = 0, sup_digest = 0, sup_oauth2 = 0, sup_fb = 0; if( !sasl_supported( ic ) ) { @@ -61,6 +62,8 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) sup_digest = 1; if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 ) sup_oauth2 = 1; + if( c->text && g_strcasecmp( c->text, "X-FACEBOOK-PLATFORM" ) == 0 ) + sup_fb = 1; c = c->next; } @@ -101,6 +104,11 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) reply->text_len = strlen( reply->text ); g_free( s ); } + else if( sup_fb && strstr( ic->acc->pass, "session_key=" ) ) + { + xt_add_attr( reply, "mechanism", "X-FACEBOOK-PLATFORM" ); + jd->flags |= JFLAG_SASL_FB; + } else if( sup_digest ) { xt_add_attr( reply, "mechanism", "DIGEST-MD5" ); @@ -238,7 +246,45 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) dec = frombase64( node->text ); - if( !( s = sasl_get_part( dec, "rspauth" ) ) ) + if( jd->flags & JFLAG_SASL_FB ) + { + GSList *p_in = NULL, *p_out = NULL, *p; + md5_state_t md5; + char time[33], *fmt, *token; + const char *secret; + + oauth_params_parse( &p_in, dec ); + oauth_params_add( &p_out, "nonce", oauth_params_get( &p_in, "nonce" ) ); + oauth_params_add( &p_out, "method", oauth_params_get( &p_in, "method" ) ); + oauth_params_free( &p_in ); + + token = g_strdup( ic->acc->pass ); + oauth_params_parse( &p_in, token ); + g_free( token ); + oauth_params_add( &p_out, "session_key", oauth_params_get( &p_in, "session_key" ) ); + + g_snprintf( time, sizeof( time ), "%lld", (long long) ( gettime() * 1000 ) ); + oauth_params_add( &p_out, "call_id", time ); + oauth_params_add( &p_out, "api_key", oauth2_service_facebook.consumer_key ); + oauth_params_add( &p_out, "v", "1.0" ); + oauth_params_add( &p_out, "format", "XML" ); + + md5_init( &md5 ); + for( p = p_out; p; p = p->next ) + md5_append( &md5, p->data, strlen( p->data ) ); + + secret = oauth_params_get( &p_in, "secret" ); + md5_append( &md5, (unsigned char*) secret, strlen( secret ) ); + md5_finish_ascii( &md5, time ); + oauth_params_add( &p_out, "sig", time ); + + fmt = oauth_params_string( p_out ); + oauth_params_free( &p_out ); + oauth_params_free( &p_in ); + s = tobase64( fmt ); + g_free( fmt ); + } + else if( !( s = sasl_get_part( dec, "rspauth" ) ) ) { /* See RFC 2831 for for information. */ md5_state_t A1, A2, H; @@ -444,6 +490,7 @@ static void sasl_oauth2_got_token( gpointer data, const char *access_token, cons { imcb_error( ic, "OAuth failure (missing access token)" ); imc_logout( ic, TRUE ); + return; } if( refresh_token != NULL ) { -- cgit v1.2.3 From f138bd25e9184c3033f405a7bbb5734d82a877c7 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sun, 31 Jul 2011 21:27:30 +0100 Subject: OAuth code cleanup. --- protocols/jabber/sasl.c | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 89571d8d..f232864b 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -233,12 +233,12 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) { struct im_connection *ic = data; struct jabber_data *jd = ic->proto_data; - struct xt_node *reply = NULL; + struct xt_node *reply_pkt = NULL; char *nonce = NULL, *realm = NULL, *cnonce = NULL; unsigned char cnonce_bin[30]; char *digest_uri = NULL; char *dec = NULL; - char *s = NULL; + char *s = NULL, *reply = NULL; xt_status ret = XT_ABORT; if( node->text_len == 0 ) @@ -248,9 +248,15 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) if( jd->flags & JFLAG_SASL_FB ) { + /* Facebook proprietary authentication. Not as useful as it seemed, but + the code's written now, may as well keep it.. + + Mechanism is described on http://developers.facebook.com/docs/chat/ + and in their Python module. It's all mostly useless because the tokens + expire after 24h. */ GSList *p_in = NULL, *p_out = NULL, *p; md5_state_t md5; - char time[33], *fmt, *token; + char time[33], *token; const char *secret; oauth_params_parse( &p_in, dec ); @@ -274,15 +280,14 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) md5_append( &md5, p->data, strlen( p->data ) ); secret = oauth_params_get( &p_in, "secret" ); - md5_append( &md5, (unsigned char*) secret, strlen( secret ) ); + if( secret ) + md5_append( &md5, (unsigned char*) secret, strlen( secret ) ); md5_finish_ascii( &md5, time ); oauth_params_add( &p_out, "sig", time ); - fmt = oauth_params_string( p_out ); + reply = oauth_params_string( p_out ); oauth_params_free( &p_out ); oauth_params_free( &p_in ); - s = tobase64( fmt ); - g_free( fmt ); } else if( !( s = sasl_get_part( dec, "rspauth" ) ) ) { @@ -345,23 +350,20 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) sprintf( Hh + i * 2, "%02x", Hr[i] ); /* Now build the SASL response string: */ - g_free( dec ); - dec = g_strdup_printf( "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\"," - "nc=%08x,qop=auth,digest-uri=\"%s\",response=%s,charset=%s", - jd->username, realm, nonce, cnonce, 1, digest_uri, Hh, "utf-8" ); - s = tobase64( dec ); + reply = g_strdup_printf( "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\"," + "nc=%08x,qop=auth,digest-uri=\"%s\",response=%s,charset=%s", + jd->username, realm, nonce, cnonce, 1, digest_uri, Hh, "utf-8" ); } else { /* We found rspauth, but don't really care... */ - g_free( s ); - s = NULL; } - reply = xt_new_node( "response", s, NULL ); - xt_add_attr( reply, "xmlns", XMLNS_SASL ); + s = reply ? tobase64( reply ) : NULL; + reply_pkt = xt_new_node( "response", s, NULL ); + xt_add_attr( reply_pkt, "xmlns", XMLNS_SASL ); - if( !jabber_write_packet( ic, reply ) ) + if( !jabber_write_packet( ic, reply_pkt ) ) goto silent_error; ret = XT_HANDLED; @@ -375,10 +377,11 @@ silent_error: g_free( digest_uri ); g_free( cnonce ); g_free( nonce ); + g_free( reply ); g_free( realm ); g_free( dec ); g_free( s ); - xt_free_node( reply ); + xt_free_node( reply_pkt ); return ret; } -- cgit v1.2.3 From 911d97a988d5f3d90c4b15c05adc733ada1fb37a Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Thu, 4 Aug 2011 16:19:54 +0100 Subject: Error handling fixes. Found one double free() bug causing troubles when a buddy_msg() handler takes down the IM connection immediately. --- protocols/jabber/sasl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index f232864b..f21a6706 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -447,7 +447,8 @@ void sasl_oauth2_init( struct im_connection *ic ) static gboolean sasl_oauth2_remove_contact( gpointer data, gint fd, b_input_condition cond ) { struct im_connection *ic = data; - imcb_remove_buddy( ic, "jabber_oauth", NULL ); + if( g_slist_find( jabber_connections, ic ) ) + imcb_remove_buddy( ic, "jabber_oauth", NULL ); return FALSE; } -- cgit v1.2.3 From 18c6d369d777a1d38ef450f868c22de1d0ebba2d Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sun, 18 Dec 2011 20:25:44 +0100 Subject: More generic OAuth support now. Should work well for all GTalk accounts now and somewhat for MS Messenger. The fb part needs different parsing of the authorize request, and possibly some other work. --- protocols/jabber/sasl.c | 74 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 57 insertions(+), 17 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index f21a6706..89ab1337 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -28,13 +28,42 @@ #include "oauth2.h" #include "oauth.h" +const struct oauth2_service oauth2_service_google = +{ + "https://accounts.google.com/o/oauth2/auth", + "https://accounts.google.com/o/oauth2/token", + "urn:ietf:wg:oauth:2.0:oob", + "https://www.googleapis.com/auth/googletalk", + "783993391592.apps.googleusercontent.com", + "6C-Zgf7Tr7gEQTPlBhMUgo7R", +}; +const struct oauth2_service oauth2_service_facebook = +{ + "https://www.facebook.com/dialog/oauth", + "https://graph.facebook.com/oauth/access_token", + "http://www.bitlbee.org/main.php/Facebook/oauth2.html", + "offline_access,xmpp_login", + "126828914005625", + "4b100f0f244d620bf3f15f8b217d4c32", +}; +const struct oauth2_service oauth2_service_mslive = +{ + "https://oauth.live.com/authorize", + "https://oauth.live.com/token", + "http://www.bitlbee.org/main.php/Messenger/oauth2.html", + "wl.messenger", + "000000004C06FCD1", + "IRKlBPzJJAWcY-TbZjiTEJu9tn7XCFaV", +}; + xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) { struct im_connection *ic = data; struct jabber_data *jd = ic->proto_data; struct xt_node *c, *reply; char *s; - int sup_plain = 0, sup_digest = 0, sup_oauth2 = 0, sup_fb = 0; + int sup_plain = 0, sup_digest = 0, sup_gtalk = 0, sup_fb = 0, sup_ms = 0; + int want_oauth = FALSE; if( !sasl_supported( ic ) ) { @@ -61,14 +90,16 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) if( c->text && g_strcasecmp( c->text, "DIGEST-MD5" ) == 0 ) sup_digest = 1; if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 ) - sup_oauth2 = 1; + sup_gtalk = 1; if( c->text && g_strcasecmp( c->text, "X-FACEBOOK-PLATFORM" ) == 0 ) sup_fb = 1; + if( c->text && g_strcasecmp( c->text, "X-MESSENGER-OAUTH2" ) == 0 ) + sup_ms = 1; c = c->next; } - if( !sup_plain && !sup_digest ) + if( !sup_plain && !sup_digest && !sup_gtalk && !sup_fb && !sup_ms ) { imcb_error( ic, "No known SASL authentication schemes supported" ); imc_logout( ic, FALSE ); @@ -77,19 +108,12 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) reply = xt_new_node( "auth", NULL, NULL ); xt_add_attr( reply, "xmlns", XMLNS_SASL ); + want_oauth = set_getbool( &ic->acc->set, "oauth" ); - if( set_getbool( &ic->acc->set, "oauth" ) ) + if( sup_gtalk && want_oauth ) { int len; - if( !sup_oauth2 ) - { - imcb_error( ic, "OAuth requested, but not supported by server" ); - imc_logout( ic, FALSE ); - xt_free_node( reply ); - return XT_ABORT; - } - /* X-OAUTH2 is, not *the* standard OAuth2 SASL/XMPP implementation. It's currently used by GTalk and vaguely documented on http://code.google.com/apis/cloudprint/docs/rawxmpp.html . */ @@ -104,11 +128,24 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) reply->text_len = strlen( reply->text ); g_free( s ); } - else if( sup_fb && strstr( ic->acc->pass, "session_key=" ) ) + else if( sup_ms && want_oauth ) + { + xt_add_attr( reply, "mechanism", "X-MESSENGER-OAUTH2" ); + reply->text = g_strdup( jd->oauth2_access_token ); + reply->text_len = strlen( jd->oauth2_access_token ); + } + else if( sup_fb && want_oauth && strstr( ic->acc->pass, "session_key=" ) ) { xt_add_attr( reply, "mechanism", "X-FACEBOOK-PLATFORM" ); jd->flags |= JFLAG_SASL_FB; } + else if( want_oauth ) + { + imcb_error( ic, "OAuth requested, but not supported by server" ); + imc_logout( ic, FALSE ); + xt_free_node( reply ); + return XT_ABORT; + } else if( sup_digest ) { xt_add_attr( reply, "mechanism", "DIGEST-MD5" ); @@ -427,14 +464,14 @@ gboolean sasl_supported( struct im_connection *ic ) void sasl_oauth2_init( struct im_connection *ic ) { + struct jabber_data *jd = ic->proto_data; char *msg, *url; imcb_log( ic, "Starting OAuth authentication" ); /* Temporary contact, just used to receive the OAuth response. */ imcb_add_buddy( ic, "jabber_oauth", NULL ); - url = oauth2_url( &oauth2_service_google, - "https://www.googleapis.com/auth/googletalk" ); + url = oauth2_url( jd->oauth2_service ); msg = g_strdup_printf( "Open this URL in your browser to authenticate: %s", url ); imcb_buddy_msg( ic, "jabber_oauth", msg, 0, 0 ); imcb_buddy_msg( ic, "jabber_oauth", "Respond to this message with the returned " @@ -456,6 +493,7 @@ static void sasl_oauth2_got_token( gpointer data, const char *access_token, cons int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg ) { + struct jabber_data *jd = ic->proto_data; char *code; int ret; @@ -467,7 +505,7 @@ int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg ) code = g_strdup( msg ); g_strstrip( code ); - ret = oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_CODE, + ret = oauth2_access_token( jd->oauth2_service, OAUTH2_AUTH_CODE, code, sasl_oauth2_got_token, ic ); g_free( code ); @@ -476,7 +514,9 @@ int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg ) int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token ) { - return oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_REFRESH, + struct jabber_data *jd = ic->proto_data; + + return oauth2_access_token( jd->oauth2_service, OAUTH2_AUTH_REFRESH, refresh_token, sasl_oauth2_got_token, ic ); } -- cgit v1.2.3 From 64b663524a465efb7707a2c634be97b9fb6f963b Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sun, 18 Dec 2011 22:56:44 +0100 Subject: Restructured and updated code a little bit to support new-style (much better and "proper" OAuth2) Facebook OAuth support. (And, add wl.offline scope to get tokens that don't expire after an hour.) --- protocols/jabber/sasl.c | 47 +++++++++++++++++++++-------------------------- 1 file changed, 21 insertions(+), 26 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 89ab1337..622bff74 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -51,7 +51,7 @@ const struct oauth2_service oauth2_service_mslive = "https://oauth.live.com/authorize", "https://oauth.live.com/token", "http://www.bitlbee.org/main.php/Messenger/oauth2.html", - "wl.messenger", + "wl.offline_access%20wl.messenger", "000000004C06FCD1", "IRKlBPzJJAWcY-TbZjiTEJu9tn7XCFaV", }; @@ -87,13 +87,13 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) { if( c->text && g_strcasecmp( c->text, "PLAIN" ) == 0 ) sup_plain = 1; - if( c->text && g_strcasecmp( c->text, "DIGEST-MD5" ) == 0 ) + else if( c->text && g_strcasecmp( c->text, "DIGEST-MD5" ) == 0 ) sup_digest = 1; - if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 ) + else if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 ) sup_gtalk = 1; - if( c->text && g_strcasecmp( c->text, "X-FACEBOOK-PLATFORM" ) == 0 ) + else if( c->text && g_strcasecmp( c->text, "X-FACEBOOK-PLATFORM" ) == 0 ) sup_fb = 1; - if( c->text && g_strcasecmp( c->text, "X-MESSENGER-OAUTH2" ) == 0 ) + else if( c->text && g_strcasecmp( c->text, "X-MESSENGER-OAUTH2" ) == 0 ) sup_ms = 1; c = c->next; @@ -134,7 +134,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) reply->text = g_strdup( jd->oauth2_access_token ); reply->text_len = strlen( jd->oauth2_access_token ); } - else if( sup_fb && want_oauth && strstr( ic->acc->pass, "session_key=" ) ) + else if( sup_fb && want_oauth ) { xt_add_attr( reply, "mechanism", "X-FACEBOOK-PLATFORM" ); jd->flags |= JFLAG_SASL_FB; @@ -291,40 +291,23 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) Mechanism is described on http://developers.facebook.com/docs/chat/ and in their Python module. It's all mostly useless because the tokens expire after 24h. */ - GSList *p_in = NULL, *p_out = NULL, *p; - md5_state_t md5; - char time[33], *token; - const char *secret; + GSList *p_in = NULL, *p_out = NULL; + char time[33]; oauth_params_parse( &p_in, dec ); oauth_params_add( &p_out, "nonce", oauth_params_get( &p_in, "nonce" ) ); oauth_params_add( &p_out, "method", oauth_params_get( &p_in, "method" ) ); oauth_params_free( &p_in ); - token = g_strdup( ic->acc->pass ); - oauth_params_parse( &p_in, token ); - g_free( token ); - oauth_params_add( &p_out, "session_key", oauth_params_get( &p_in, "session_key" ) ); - g_snprintf( time, sizeof( time ), "%lld", (long long) ( gettime() * 1000 ) ); oauth_params_add( &p_out, "call_id", time ); oauth_params_add( &p_out, "api_key", oauth2_service_facebook.consumer_key ); oauth_params_add( &p_out, "v", "1.0" ); oauth_params_add( &p_out, "format", "XML" ); - - md5_init( &md5 ); - for( p = p_out; p; p = p->next ) - md5_append( &md5, p->data, strlen( p->data ) ); - - secret = oauth_params_get( &p_in, "secret" ); - if( secret ) - md5_append( &md5, (unsigned char*) secret, strlen( secret ) ); - md5_finish_ascii( &md5, time ); - oauth_params_add( &p_out, "sig", time ); + oauth_params_add( &p_out, "access_token", jd->oauth2_access_token ); reply = oauth_params_string( p_out ); oauth_params_free( &p_out ); - oauth_params_free( &p_in ); } else if( !( s = sasl_get_part( dec, "rspauth" ) ) ) { @@ -520,6 +503,18 @@ int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token ) refresh_token, sasl_oauth2_got_token, ic ); } +int sasl_oauth2_load_access_token( struct im_connection *ic ) +{ + struct jabber_data *jd = ic->proto_data; + GSList *p_in = NULL; + + oauth_params_parse( &p_in, ic->acc->pass ); + jd->oauth2_access_token = g_strdup( oauth_params_get( &p_in, "access_token" ) ); + oauth_params_free( &p_in ); + + return jd->oauth2_access_token != NULL; +} + static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token ) { struct im_connection *ic = data; -- cgit v1.2.3 From 4be0e3458a001a1c2eb3dd0074d7fd65260f2e6f Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 01:41:40 +0100 Subject: Give a list of SASL mechanisms supported by a server when reporting we don't support any of them. --- protocols/jabber/sasl.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 622bff74..8727212f 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -64,6 +64,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) char *s; int sup_plain = 0, sup_digest = 0, sup_gtalk = 0, sup_fb = 0, sup_ms = 0; int want_oauth = FALSE; + GString *mechs; if( !sasl_supported( ic ) ) { @@ -82,6 +83,7 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) return XT_ABORT; } + mechs = g_string_new( "" ); c = node->children; while( ( c = xt_find_node( c, "mechanism" ) ) ) { @@ -96,15 +98,21 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) else if( c->text && g_strcasecmp( c->text, "X-MESSENGER-OAUTH2" ) == 0 ) sup_ms = 1; + if( c->text ) + g_string_append_printf( mechs, " %s", c->text ); + c = c->next; } if( !sup_plain && !sup_digest && !sup_gtalk && !sup_fb && !sup_ms ) { - imcb_error( ic, "No known SASL authentication schemes supported" ); + imcb_error( ic, "BitlBee does not support any of the offered SASL " + "authentication schemes:%s", mechs->str ); imc_logout( ic, FALSE ); + g_string_free( mechs, TRUE ); return XT_ABORT; } + g_string_free( mechs, TRUE ); reply = xt_new_node( "auth", NULL, NULL ); xt_add_attr( reply, "xmlns", XMLNS_SASL ); @@ -536,6 +544,14 @@ static void sasl_oauth2_got_token( gpointer data, const char *access_token, cons g_free( ic->acc->pass ); ic->acc->pass = g_strdup_printf( "refresh_token=%s", refresh_token ); } + /* Should do this, but only in the Facebook case where we get an access + token that never expires. Shouldn't overwrite a refresh token with + an access token. + else + { + g_free( ic->acc->pass ); + ic->acc->pass = g_strdup_printf( "access_token=%s", access_token ); + } */ g_free( jd->oauth2_access_token ); jd->oauth2_access_token = g_strdup( access_token ); -- cgit v1.2.3 From 36533bf6bfc01f56afd6a8cd7bd3dfa9de87297b Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 13:54:49 +0100 Subject: When updating the XMPP password field with OAuth data, try harder to preserve existing data. (Like refresh tokens which we'll need again on next login.) --- protocols/jabber/sasl.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 8727212f..06dda8a8 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -527,6 +527,7 @@ static void sasl_oauth2_got_token( gpointer data, const char *access_token, cons { struct im_connection *ic = data; struct jabber_data *jd; + GSList *auth = NULL; if( g_slist_find( jabber_connections, ic ) == NULL ) return; @@ -539,19 +540,16 @@ static void sasl_oauth2_got_token( gpointer data, const char *access_token, cons imc_logout( ic, TRUE ); return; } - if( refresh_token != NULL ) - { - g_free( ic->acc->pass ); - ic->acc->pass = g_strdup_printf( "refresh_token=%s", refresh_token ); - } - /* Should do this, but only in the Facebook case where we get an access - token that never expires. Shouldn't overwrite a refresh token with - an access token. - else - { - g_free( ic->acc->pass ); - ic->acc->pass = g_strdup_printf( "access_token=%s", access_token ); - } */ + + oauth_params_parse( &auth, ic->acc->pass ); + if( refresh_token ) + oauth_params_set( &auth, "refresh_token", refresh_token ); + if( access_token ) + oauth_params_set( &auth, "access_token", access_token ); + + g_free( ic->acc->pass ); + ic->acc->pass = oauth_params_string( auth ); + oauth_params_free( &auth ); g_free( jd->oauth2_access_token ); jd->oauth2_access_token = g_strdup( access_token ); -- cgit v1.2.3 From e14b47b826594772e4f3d0dbec1bf17153aa92b1 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Wed, 21 Dec 2011 11:48:08 +0100 Subject: Fix parsing of acc->pass. Use oauth_params_ functions instead of string magic, fixes escaping issues. --- protocols/jabber/sasl.c | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 06dda8a8..2f45eb20 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -511,18 +511,6 @@ int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token ) refresh_token, sasl_oauth2_got_token, ic ); } -int sasl_oauth2_load_access_token( struct im_connection *ic ) -{ - struct jabber_data *jd = ic->proto_data; - GSList *p_in = NULL; - - oauth_params_parse( &p_in, ic->acc->pass ); - jd->oauth2_access_token = g_strdup( oauth_params_get( &p_in, "access_token" ) ); - oauth_params_free( &p_in ); - - return jd->oauth2_access_token != NULL; -} - static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token ) { struct im_connection *ic = data; -- cgit v1.2.3 From 34ded90e19635c7ebf2afd184f36b03abc879bec Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Sat, 24 Dec 2011 19:09:05 +0100 Subject: Slight cleanup: Use a constant instead of just "jabber_oauth" everywhere, and added some safeguards to keep the user from messaging it when we're not actually doing OAuth setup. --- protocols/jabber/sasl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index 2f45eb20..b4eb4eb8 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -461,12 +461,12 @@ void sasl_oauth2_init( struct im_connection *ic ) imcb_log( ic, "Starting OAuth authentication" ); /* Temporary contact, just used to receive the OAuth response. */ - imcb_add_buddy( ic, "jabber_oauth", NULL ); + imcb_add_buddy( ic, JABBER_OAUTH_HANDLE, NULL ); url = oauth2_url( jd->oauth2_service ); msg = g_strdup_printf( "Open this URL in your browser to authenticate: %s", url ); - imcb_buddy_msg( ic, "jabber_oauth", msg, 0, 0 ); - imcb_buddy_msg( ic, "jabber_oauth", "Respond to this message with the returned " - "authorization token.", 0, 0 ); + imcb_buddy_msg( ic, JABBER_OAUTH_HANDLE, msg, 0, 0 ); + imcb_buddy_msg( ic, JABBER_OAUTH_HANDLE, "Respond to this message with the returned " + "authorization token.", 0, 0 ); g_free( msg ); g_free( url ); @@ -476,7 +476,7 @@ static gboolean sasl_oauth2_remove_contact( gpointer data, gint fd, b_input_cond { struct im_connection *ic = data; if( g_slist_find( jabber_connections, ic ) ) - imcb_remove_buddy( ic, "jabber_oauth", NULL ); + imcb_remove_buddy( ic, JABBER_OAUTH_HANDLE, NULL ); return FALSE; } -- cgit v1.2.3 From 644b8080349d7d42ca89946acc207592fd0acc2d Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 26 Dec 2011 11:50:34 +0100 Subject: A few more minor cleanups before merging this into mainline. --- protocols/jabber/sasl.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'protocols/jabber/sasl.c') diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c index b4eb4eb8..d08890a6 100644 --- a/protocols/jabber/sasl.c +++ b/protocols/jabber/sasl.c @@ -104,10 +104,14 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data ) c = c->next; } - if( !sup_plain && !sup_digest && !sup_gtalk && !sup_fb && !sup_ms ) + if( !sup_plain && !sup_digest ) { - imcb_error( ic, "BitlBee does not support any of the offered SASL " - "authentication schemes:%s", mechs->str ); + if( !sup_gtalk && !sup_fb && !sup_ms ) + imcb_error( ic, "This server requires OAuth " + "(supported schemes:%s)", mechs->str ); + else + imcb_error( ic, "BitlBee does not support any of the offered SASL " + "authentication schemes:%s", mechs->str ); imc_logout( ic, FALSE ); g_string_free( mechs, TRUE ); return XT_ABORT; @@ -293,12 +297,8 @@ xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data ) if( jd->flags & JFLAG_SASL_FB ) { - /* Facebook proprietary authentication. Not as useful as it seemed, but - the code's written now, may as well keep it.. - - Mechanism is described on http://developers.facebook.com/docs/chat/ - and in their Python module. It's all mostly useless because the tokens - expire after 24h. */ + /* New-style Facebook OAauth2 support. Instead of sending a refresh + token, they just send an access token that should never expire. */ GSList *p_in = NULL, *p_out = NULL; char time[33]; -- cgit v1.2.3