Context Navigation

source: lib/oauth.c @ a08e875

Last change on this file since a08e875 was 3b878a1, checked in by Wilmer van der Gaast <wilmer@…>, at 2010-05-02T21:20:09Z
OAuth sanity fix: Twitter-specific stuff should not be in lib/oauth.c. Somewhat intrusive, should've done this right immediately. :-/
Property mode set to `100644`
File size: 11.9 KB

Rev	Line
[be28fe7]	1	/***************************************************************************\
	2	* *
	3	* BitlBee - An IRC to IM gateway *
	4	* Simple OAuth client (consumer) implementation. *
	5	* *
	6	* Copyright 2010 Wilmer van der Gaast <wilmer@gaast.net> *
	7	* *
	8	* This library is free software; you can redistribute it and/or *
	9	* modify it under the terms of the GNU Lesser General Public *
	10	* License as published by the Free Software Foundation, version *
	11	* 2.1. *
	12	* *
	13	* This library is distributed in the hope that it will be useful, *
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
	16	* Lesser General Public License for more details. *
	17	* *
	18	* You should have received a copy of the GNU Lesser General Public License *
	19	* along with this library; if not, write to the Free Software Foundation, *
	20	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA *
	21	* *
	22	\***************************************************************************/
	23
	24	#include <glib.h>
	25	#include <gmodule.h>
	26	#include <stdlib.h>
	27	#include <string.h>
[da2efd4]	28	#include "http_client.h"
[be28fe7]	29	#include "base64.h"
	30	#include "misc.h"
	31	#include "sha1.h"
[da2efd4]	32	#include "url.h"
[acba168]	33	#include "oauth.h"
[be28fe7]	34
	35	#define HMAC_BLOCK_SIZE 64
	36
	37	static char oauth_sign( const char method, const char *url,
[c2ecadc]	38	const char params, struct oauth_info oi )
[be28fe7]	39	{
	40	sha1_state_t sha1;
	41	uint8_t hash[sha1_hash_size];
	42	uint8_t key[HMAC_BLOCK_SIZE+1];
	43	char *s;
	44	int i;
	45
	46	/* Create K. If our current key is >64 chars we have to hash it,
	47	otherwise just pad. */
	48	memset( key, 0, HMAC_BLOCK_SIZE );
[c2ecadc]	49	i = strlen( oi->sp->consumer_secret ) + 1 + ( oi->token_secret ? strlen( oi->token_secret ) : 0 );
[be28fe7]	50	if( i > HMAC_BLOCK_SIZE )
	51	{
	52	sha1_init( &sha1 );
[c2ecadc]	53	sha1_append( &sha1, (uint8_t*) oi->sp->consumer_secret, strlen( oi->sp->consumer_secret ) );
[da2efd4]	54	sha1_append( &sha1, (uint8_t*) "&", 1 );
[c2ecadc]	55	if( oi->token_secret )
	56	sha1_append( &sha1, (uint8_t*) oi->token_secret, strlen( oi->token_secret ) );
[be28fe7]	57	sha1_finish( &sha1, key );
	58	}
	59	else
	60	{
[da2efd4]	61	g_snprintf( (gchar*) key, HMAC_BLOCK_SIZE + 1, "%s&%s",
[c2ecadc]	62	oi->sp->consumer_secret, oi->token_secret ? : "" );
[be28fe7]	63	}
	64
	65	/* Inner part: H(K XOR 0x36, text) */
	66	sha1_init( &sha1 );
	67
	68	for( i = 0; i < HMAC_BLOCK_SIZE; i ++ )
	69	key[i] ^= 0x36;
	70	sha1_append( &sha1, key, HMAC_BLOCK_SIZE );
	71
	72	/* OAuth: text = method&url&params, all http_encoded. */
	73	sha1_append( &sha1, (const uint8_t*) method, strlen( method ) );
	74	sha1_append( &sha1, (const uint8_t*) "&", 1 );
	75
	76	s = g_new0( char, strlen( url ) * 3 + 1 );
	77	strcpy( s, url );
	78	http_encode( s );
	79	sha1_append( &sha1, (const uint8_t*) s, strlen( s ) );
	80	sha1_append( &sha1, (const uint8_t*) "&", 1 );
	81	g_free( s );
	82
	83	s = g_new0( char, strlen( params ) * 3 + 1 );
	84	strcpy( s, params );
	85	http_encode( s );
	86	sha1_append( &sha1, (const uint8_t*) s, strlen( s ) );
	87	g_free( s );
	88
	89	sha1_finish( &sha1, hash );
	90
	91	/* Final result: H(K XOR 0x5C, inner stuff) */
	92	sha1_init( &sha1 );
	93	for( i = 0; i < HMAC_BLOCK_SIZE; i ++ )
	94	key[i] ^= 0x36 ^ 0x5c;
	95	sha1_append( &sha1, key, HMAC_BLOCK_SIZE );
	96	sha1_append( &sha1, hash, sha1_hash_size );
	97	sha1_finish( &sha1, hash );
	98
[ee84bdb]	99	/* base64_encode + HTTP escape it (both consumers
	100	need it that away) and we're done. */
	101	s = base64_encode( hash, sha1_hash_size );
	102	s = g_realloc( s, strlen( s ) * 3 + 1 );
	103	http_encode( s );
	104
	105	return s;
[be28fe7]	106	}
[da2efd4]	107
	108	static char *oauth_nonce()
	109	{
	110	unsigned char bytes[9];
	111
	112	random_bytes( bytes, sizeof( bytes ) );
[ee84bdb]	113	return base64_encode( bytes, sizeof( bytes ) );
[da2efd4]	114	}
	115
	116	void oauth_params_add( GSList *params, const char key, const char *value )
	117	{
	118	char *item;
	119
	120	item = g_strdup_printf( "%s=%s", key, value );
	121	params = g_slist_insert_sorted( params, item, (GCompareFunc) strcmp );
	122	}
	123
	124	void oauth_params_del( GSList *params, const char key )
	125	{
	126	int key_len = strlen( key );
	127	GSList l, n;
	128
	129	for( l = *params; l; l = n )
	130	{
	131	n = l->next;
	132
	133	if( strncmp( (char*) l->data, key, key_len ) == 0 &&
	134	((char*)l->data)[key_len] == '=' )
	135	{
	136	g_free( l->data );
[b2bc25c]	137	params = g_slist_remove( params, l->data );
[da2efd4]	138	}
	139	}
	140	}
	141
	142	void oauth_params_set( GSList *params, const char key, const char *value )
	143	{
	144	oauth_params_del( params, key );
	145	oauth_params_add( params, key, value );
	146	}
	147
	148	const char oauth_params_get( GSList params, const char key )
	149	{
	150	int key_len = strlen( key );
	151	GSList *l;
	152
	153	for( l = *params; l; l = l->next )
	154	{
	155	if( strncmp( (char*) l->data, key, key_len ) == 0 &&
	156	((char*)l->data)[key_len] == '=' )
	157	return (const char*) l->data + key_len + 1;
	158	}
	159
	160	return NULL;
	161	}
	162
[508c340]	163	static void oauth_params_parse( GSList *params, char in )
[da2efd4]	164	{
[ee84bdb]	165	char amp, eq, *s;
[da2efd4]	166
	167	while( in && *in )
	168	{
	169	eq = strchr( in, '=' );
	170	if( !eq )
	171	break;
	172
	173	*eq = '\0';
	174	if( ( amp = strchr( eq + 1, '&' ) ) )
	175	*amp = '\0';
	176
[ee84bdb]	177	s = g_strdup( eq + 1 );
	178	http_decode( s );
	179	oauth_params_add( params, in, s );
	180	g_free( s );
[da2efd4]	181
	182	*eq = '=';
	183	if( amp == NULL )
	184	break;
	185
	186	*amp = '&';
	187	in = amp + 1;
	188	}
	189	}
	190
	191	void oauth_params_free( GSList **params )
	192	{
	193	while( params && *params )
	194	{
	195	g_free( (*params)->data );
	196	params = g_slist_remove( params, (*params)->data );
	197	}
	198	}
	199
	200	char oauth_params_string( GSList params )
	201	{
	202	GSList *l;
	203	GString *str = g_string_new( "" );
	204
	205	for( l = params; l; l = l->next )
	206	{
[ee84bdb]	207	char s, eq;
	208
	209	s = g_malloc( strlen( l->data ) * 3 + 1 );
	210	strcpy( s, l->data );
	211	if( ( eq = strchr( s, '=' ) ) )
	212	http_encode( eq + 1 );
	213	g_string_append( str, s );
	214	g_free( s );
	215
[da2efd4]	216	if( l->next )
	217	g_string_append_c( str, '&' );
	218	}
	219
	220	return g_string_free( str, FALSE );
	221	}
	222
[18dbb20]	223	void oauth_info_free( struct oauth_info *info )
	224	{
	225	if( info )
	226	{
[c2ecadc]	227	g_free( info->auth_url );
[18dbb20]	228	g_free( info->request_token );
[c2ecadc]	229	g_free( info->token );
	230	g_free( info->token_secret );
[18dbb20]	231	g_free( info );
	232	}
	233	}
	234
[3b878a1]	235	static void oauth_add_default_params( GSList *params, const struct oauth_service sp )
[b2bc25c]	236	{
	237	char *s;
	238
[c2ecadc]	239	oauth_params_set( params, "oauth_consumer_key", sp->consumer_key );
[b2bc25c]	240	oauth_params_set( params, "oauth_signature_method", "HMAC-SHA1" );
	241
	242	s = g_strdup_printf( "%d", (int) time( NULL ) );
	243	oauth_params_set( params, "oauth_timestamp", s );
	244	g_free( s );
	245
	246	s = oauth_nonce();
	247	oauth_params_set( params, "oauth_nonce", s );
	248	g_free( s );
	249
	250	oauth_params_set( params, "oauth_version", "1.0" );
	251	}
	252
[c2ecadc]	253	static void oauth_post_request( const char url, GSList *params_, http_input_function func, struct oauth_info oi )
[da2efd4]	254	{
	255	GSList *params = NULL;
	256	char s, params_s, *post;
	257	void *req;
	258	url_t url_p;
	259
	260	if( !url_set( &url_p, url ) )
	261	{
	262	oauth_params_free( params_ );
	263	return NULL;
	264	}
	265
	266	if( params_ )
	267	params = *params_;
	268
[c2ecadc]	269	oauth_add_default_params( &params, oi->sp );
[da2efd4]	270
	271	params_s = oauth_params_string( params );
[0bff877]	272	oauth_params_free( &params );
[da2efd4]	273
[c2ecadc]	274	s = oauth_sign( "POST", url, params_s, oi );
[da2efd4]	275	post = g_strdup_printf( "%s&oauth_signature=%s", params_s, s );
	276	g_free( params_s );
	277	g_free( s );
	278
	279	s = g_strdup_printf( "POST %s HTTP/1.0\r\n"
	280	"Host: %s\r\n"
	281	"Content-Type: application/x-www-form-urlencoded\r\n"
	282	"Content-Length: %zd\r\n"
	283	"\r\n"
	284	"%s", url_p.file, url_p.host, strlen( post ), post );
	285	g_free( post );
	286
	287	req = http_dorequest( url_p.host, url_p.port, url_p.proto == PROTO_HTTPS,
[c2ecadc]	288	s, func, oi );
[da2efd4]	289	g_free( s );
	290
	291	return req;
	292	}
	293
[346dfd9]	294	static void oauth_request_token_done( struct http_request *req );
[da2efd4]	295
[3b878a1]	296	struct oauth_info oauth_request_token( const struct oauth_service sp, oauth_cb func, void *data )
[da2efd4]	297	{
	298	struct oauth_info *st = g_new0( struct oauth_info, 1 );
[346dfd9]	299	GSList *params = NULL;
[da2efd4]	300
	301	st->func = func;
	302	st->data = data;
[c2ecadc]	303	st->sp = sp;
[da2efd4]	304
[346dfd9]	305	oauth_params_add( &params, "oauth_callback", "oob" );
	306
[c2ecadc]	307	if( !oauth_post_request( sp->url_request_token, &params, oauth_request_token_done, st ) )
[18dbb20]	308	{
	309	oauth_info_free( st );
	310	return NULL;
	311	}
	312
	313	return st;
[da2efd4]	314	}
	315
[346dfd9]	316	static void oauth_request_token_done( struct http_request *req )
[da2efd4]	317	{
	318	struct oauth_info *st = req->data;
	319
	320	st->http = req;
	321
	322	if( req->status_code == 200 )
	323	{
[508c340]	324	GSList *params = NULL;
[da2efd4]	325
[c2ecadc]	326	st->auth_url = g_strdup_printf( "%s?%s", st->sp->url_authorize, req->reply_body );
	327	oauth_params_parse( &params, req->reply_body );
[713d611]	328	st->request_token = g_strdup( oauth_params_get( &params, "oauth_token" ) );
[da2efd4]	329	oauth_params_free( &params );
	330	}
	331
[c42e8b9]	332	st->stage = OAUTH_REQUEST_TOKEN;
[c2ecadc]	333	st->func( st );
[346dfd9]	334	}
	335
	336	static void oauth_access_token_done( struct http_request *req );
	337
[c2ecadc]	338	gboolean oauth_access_token( const char pin, struct oauth_info st )
[346dfd9]	339	{
	340	GSList *params = NULL;
	341
[713d611]	342	oauth_params_add( &params, "oauth_token", st->request_token );
[346dfd9]	343	oauth_params_add( &params, "oauth_verifier", pin );
	344
[c2ecadc]	345	return oauth_post_request( st->sp->url_access_token, &params, oauth_access_token_done, st ) != NULL;
[346dfd9]	346	}
	347
	348	static void oauth_access_token_done( struct http_request *req )
	349	{
[b2bc25c]	350	struct oauth_info *st = req->data;
	351
[0bff877]	352	st->http = req;
	353
[b2bc25c]	354	if( req->status_code == 200 )
[c42e8b9]	355	{
[18dbb20]	356	GSList *params = NULL;
[c42e8b9]	357
	358	oauth_params_parse( &params, req->reply_body );
[c2ecadc]	359	st->token = g_strdup( oauth_params_get( &params, "oauth_token" ) );
	360	st->token_secret = g_strdup( oauth_params_get( &params, "oauth_token_secret" ) );
[c42e8b9]	361	oauth_params_free( &params );
	362	}
[b2bc25c]	363
[c42e8b9]	364	st->stage = OAUTH_ACCESS_TOKEN;
[c2ecadc]	365	if( st->func( st ) )
	366	{
	367	/* Don't need these anymore, but keep the rest. */
	368	g_free( st->auth_url );
	369	st->auth_url = NULL;
	370	g_free( st->request_token );
	371	st->request_token = NULL;
	372	}
[b2bc25c]	373	}
	374
[c2ecadc]	375	char oauth_http_header( struct oauth_info oi, const char method, const char url, char *args )
[b2bc25c]	376	{
[508c340]	377	GSList params = NULL, l;
[c2ecadc]	378	char sig = NULL, params_s, *s;
[b2bc25c]	379	GString *ret = NULL;
	380
[c2ecadc]	381	oauth_params_add( &params, "oauth_token", oi->token );
	382	oauth_add_default_params( &params, oi->sp );
[b2bc25c]	383
[18dbb20]	384	/* Start building the OAuth header. 'key="value", '... */
[b2bc25c]	385	ret = g_string_new( "OAuth " );
	386	for( l = params; l; l = l->next )
	387	{
	388	char *kv = l->data;
	389	char *eq = strchr( kv, '=' );
	390	char esc[strlen(kv)*3+1];
	391
	392	if( eq == NULL )
	393	break; /* WTF */
	394
	395	strcpy( esc, eq + 1 );
	396	http_encode( esc );
	397
	398	g_string_append_len( ret, kv, eq - kv + 1 );
	399	g_string_append_c( ret, '"' );
	400	g_string_append( ret, esc );
	401	g_string_append( ret, "\", " );
	402	}
	403
[18dbb20]	404	/* Now, before generating the signature, add GET/POST arguments to params
	405	since they should be included in the base signature string (but not in
	406	the HTTP header). */
[508c340]	407	if( args )
	408	oauth_params_parse( &params, args );
	409	if( ( s = strchr( url, '?' ) ) )
	410	{
	411	s = g_strdup( s + 1 );
[c2ecadc]	412	oauth_params_parse( &params, s );
[508c340]	413	g_free( s );
	414	}
	415
[18dbb20]	416	/* Append the signature and we're done! */
[508c340]	417	params_s = oauth_params_string( params );
[c2ecadc]	418	sig = oauth_sign( method, url, params_s, oi );
[b2bc25c]	419	g_string_append_printf( ret, "oauth_signature=\"%s\"", sig );
[ee84bdb]	420	g_free( params_s );
[b2bc25c]	421
	422	oauth_params_free( &params );
	423	g_free( sig );
	424
	425	return ret ? g_string_free( ret, FALSE ) : NULL;
[da2efd4]	426	}
[f4b0911]	427
	428	char oauth_to_string( struct oauth_info oi )
	429	{
	430	GSList *params = NULL;
	431	char *ret;
	432
	433	oauth_params_add( &params, "oauth_token", oi->token );
	434	oauth_params_add( &params, "oauth_token_secret", oi->token_secret );
	435	ret = oauth_params_string( params );
	436	oauth_params_free( &params );
	437
	438	return ret;
	439	}
	440
[3b878a1]	441	struct oauth_info oauth_from_string( char in, const struct oauth_service *sp )
[f4b0911]	442	{
	443	struct oauth_info *oi = g_new0( struct oauth_info, 1 );
	444	GSList *params = NULL;
	445
	446	oauth_params_parse( &params, in );
	447	oi->token = g_strdup( oauth_params_get( &params, "oauth_token" ) );
	448	oi->token_secret = g_strdup( oauth_params_get( &params, "oauth_token_secret" ) );
	449	oauth_params_free( &params );
	450	oi->sp = sp;
	451
	452	return oi;
	453	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: