Ticket #370: yahoo-https-authentication.diff

protocols/yahoo/libyahoo2.c

@@ -90 +90 @@
 #endif
 
 #include "base64.h"
+#include "http_client.h"
 
 #ifdef USE_STRUCT_CALLBACKS
 struct yahoo_callbacks *yc=NULL;
@@ -736 +737 @@
         data = y_new0(unsigned char, len + 1);
 
         memcpy(data + pos, "YMSG", 4); pos += 4;
-        pos += yahoo_put16(data + pos, 0x0a00);
+        pos += yahoo_put16(data + pos, 0x000e);
         pos += yahoo_put16(data + pos, 0x0000);
         pos += yahoo_put16(data + pos, pktlen + extra_pad);
         pos += yahoo_put16(data + pos, pkt->service);
@@ -2228 +2229 @@
         free(crypt_hash);
 }
 
+struct yahoo_https_auth_data
+{
+        struct yahoo_input_data *yid;
+        char *chal;
+};
+
+static void yahoo_https_auth_token_init(struct yahoo_https_auth_data *had);
+static void yahoo_https_auth_token_finish(struct http_request *req);
+static void yahoo_https_auth_init(struct yahoo_https_auth_data *had);
+static void yahoo_https_auth_finish(struct http_request *req);
+
+/* Extract a value from a login.yahoo.com response. Assume CRLF-linebreaks
+   and FAIL miserably if they're not there... */
+static char *yahoo_ha_find_key(char *response, char *key)
+{
+        char *s, *end;
+        int len = strlen(key);
+        
+        s = response;
+        do {
+                if (strncmp(s, key, len) == 0 && s[len] == '=') {
+                        s += len + 1;
+                        if ((end = strchr(s, '\r')))
+                                return g_strndup(s, end - s);
+                        else
+                                return g_strdup(s);
+                }
+                
+                if ((s = strchr(s, '\n')))
+                        s ++;
+        } while (s && *s);
+        
+        return NULL;
+}
+
+static void yahoo_https_auth(struct yahoo_input_data *yid, const char *seed, const char *sn)
+{
+        struct yahoo_data *yd = yid->yd;
+        struct yahoo_https_auth_data *had = g_new0(struct yahoo_https_auth_data, 1);
+        
+        had->yid = yid;
+        had->chal = g_strdup(seed);
+        
+        if (yd->token == NULL) {
+                yahoo_https_auth_token_init(had);
+        } else {
+                yahoo_https_auth_init(had);
+        }
+}
+
+static void yahoo_https_auth_token_init(struct yahoo_https_auth_data *had)
+{
+        struct yahoo_input_data *yid = had->yid;
+        struct yahoo_data *yd = yid->yd;
+        struct http_request *req;
+        char *login, *passwd, *chal;
+        char *url;
+        
+        login = g_strndup(yd->user, 3 * strlen(yd->user));
+        http_encode(login);
+        passwd = g_strndup(yd->password, 3 * strlen(yd->password));
+        http_encode(passwd);
+        chal = g_strndup(had->chal, 3 * strlen(had->chal));
+        http_encode(chal);
+        
+        url = g_strdup_printf("https://login.yahoo.com/config/pwtoken_get?src=ymsgr&ts=%d&login=%s&passwd=%s&chal=%s",
+                               (int) time(NULL), login, passwd, chal);
+        
+        req = http_dorequest_url(url, yahoo_https_auth_token_finish, had);
+        
+        g_free(url);
+}
+
+static void yahoo_https_auth_token_finish(struct http_request *req)
+{
+        struct yahoo_https_auth_data *had = req->data;
+        struct yahoo_input_data *yid = had->yid;
+        struct yahoo_data *yd = yid->yd;
+        int st;
+        
+        if (req->status_code != 200) {
+                YAHOO_CALLBACK(ext_yahoo_login_response)(yd->client_id, YAHOO_LOGIN_LOGOFF, NULL);
+                goto fail;
+        }
+        
+        if (sscanf(req->reply_body, "%d", &st) != 1 || st != 0) {
+                YAHOO_CALLBACK(ext_yahoo_login_response)(yd->client_id, st == 1212 ? YAHOO_LOGIN_PASSWD :
+                                                                        st == 1235 ? YAHOO_LOGIN_UNAME :
+                                                                        YAHOO_LOGIN_LOGOFF, NULL);
+                goto fail;
+        }
+        
+        if ((yd->token = yahoo_ha_find_key(req->reply_body, "ymsgr")) == NULL) {
+                YAHOO_CALLBACK(ext_yahoo_login_response)(yd->client_id, YAHOO_LOGIN_LOGOFF, NULL);
+                goto fail;
+        }
+        
+        return yahoo_https_auth_init(had);
+        
+fail:
+        g_free(had->chal);
+        g_free(had);
+}
+
+static void yahoo_https_auth_init(struct yahoo_https_auth_data *had)
+{
+        struct yahoo_input_data *yid = had->yid;
+        struct yahoo_data *yd = yid->yd;
+        struct http_request *req;
+        char *url;
+        
+        url = g_strdup_printf("https://login.yahoo.com/config/pwtoken_login?src=ymsgr&ts=%d&token=%s",
+                              (int) time(NULL), yd->token);
+        
+        req = http_dorequest_url(url, yahoo_https_auth_finish, had);
+        
+        g_free(url);
+}
+
+static void yahoo_https_auth_finish(struct http_request *req)
+{
+        struct yahoo_https_auth_data *had = req->data;
+        struct yahoo_input_data *yid = had->yid;
+        struct yahoo_data *yd = yid->yd;
+        struct yahoo_packet *pack;
+        char *crumb;
+        int st;
+        
+        md5_byte_t result[16];
+        md5_state_t ctx;
+        
+        unsigned char yhash[32];
+
+        if (req->status_code != 200) {
+                YAHOO_CALLBACK(ext_yahoo_login_response)(yd->client_id, YAHOO_LOGIN_LOGOFF, NULL);
+                goto fail;
+        }
+        
+        if (sscanf(req->reply_body, "%d", &st) != 1 || st != 0) {
+                YAHOO_CALLBACK(ext_yahoo_login_response)(yd->client_id, st == 1212 ? YAHOO_LOGIN_PASSWD :
+                                                                        st == 1235 ? YAHOO_LOGIN_UNAME :
+                                                                        YAHOO_LOGIN_LOGOFF, NULL);
+                goto fail;
+        }
+        
+        if ((yd->cookie_y = yahoo_ha_find_key(req->reply_body, "Y")) == NULL ||
+            (yd->cookie_t = yahoo_ha_find_key(req->reply_body, "T")) == NULL ||
+            (crumb = yahoo_ha_find_key(req->reply_body, "crumb")) == NULL) {
+                YAHOO_CALLBACK(ext_yahoo_login_response)(yd->client_id, YAHOO_LOGIN_LOGOFF, NULL);
+                goto fail;
+        }
+        
+        md5_init(&ctx);  
+        md5_append(&ctx, crumb, 11);
+        md5_append(&ctx, had->chal, strlen(had->chal));
+        md5_finish(&ctx, result);
+        to_y64(yhash, result, 16);
+
+        pack = yahoo_packet_new(YAHOO_SERVICE_AUTHRESP, yd->initial_status, yd->session_id);
+        yahoo_packet_hash(pack, 0, yd->user);
+        yahoo_packet_hash(pack, 277, yd->cookie_y);
+        yahoo_packet_hash(pack, 278, yd->cookie_t);
+        yahoo_packet_hash(pack, 307, yhash);
+        yahoo_packet_hash(pack, 244, "524223");
+        yahoo_packet_hash(pack, 2, yd->user);
+        yahoo_packet_hash(pack, 98, "us");
+        yahoo_packet_hash(pack, 135, "7.5.0.647");
+                
+        yahoo_send_packet(yid, pack, 0);
+                
+        yahoo_packet_free(pack);
+        
+        return;
+        
+fail:
+        g_free(had->chal);
+        g_free(had);
+}
+
 static void yahoo_process_auth(struct yahoo_input_data *yid, struct yahoo_packet *pkt)
 {
         char *seed = NULL;
@@ -2256 +2436 @@
                 case 1:
                         yahoo_process_auth_0x0b(yid, seed, sn);
                         break;
+                case 2:
+                        yahoo_https_auth(yid, seed, sn);
+                        break;
                 default:
                         /* call error */
                         WARNING(("unknown auth type %d", m));

protocols/yahoo/yahoo2_types.h

@@ -159 +159 @@
 struct yahoo_data {
         char  *user;
         char  *password;
+        char  *token;
 
         char  *cookie_y;
         char  *cookie_t;