[be28fe7] | 1 | /***************************************************************************\ |
---|
| 2 | * * |
---|
| 3 | * BitlBee - An IRC to IM gateway * |
---|
| 4 | * Simple OAuth client (consumer) implementation. * |
---|
| 5 | * * |
---|
| 6 | * Copyright 2010 Wilmer van der Gaast <wilmer@gaast.net> * |
---|
| 7 | * * |
---|
| 8 | * This library is free software; you can redistribute it and/or * |
---|
| 9 | * modify it under the terms of the GNU Lesser General Public * |
---|
| 10 | * License as published by the Free Software Foundation, version * |
---|
| 11 | * 2.1. * |
---|
| 12 | * * |
---|
| 13 | * This library is distributed in the hope that it will be useful, * |
---|
| 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * |
---|
| 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * |
---|
| 16 | * Lesser General Public License for more details. * |
---|
| 17 | * * |
---|
| 18 | * You should have received a copy of the GNU Lesser General Public License * |
---|
| 19 | * along with this library; if not, write to the Free Software Foundation, * |
---|
| 20 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA * |
---|
| 21 | * * |
---|
| 22 | \***************************************************************************/ |
---|
| 23 | |
---|
| 24 | #include <glib.h> |
---|
| 25 | #include <gmodule.h> |
---|
| 26 | #include <stdlib.h> |
---|
| 27 | #include <string.h> |
---|
[da2efd4] | 28 | #include "http_client.h" |
---|
[be28fe7] | 29 | #include "base64.h" |
---|
| 30 | #include "misc.h" |
---|
| 31 | #include "sha1.h" |
---|
[da2efd4] | 32 | #include "url.h" |
---|
[acba168] | 33 | #include "oauth.h" |
---|
[be28fe7] | 34 | |
---|
| 35 | #define CONSUMER_KEY "xsDNKJuNZYkZyMcu914uEA" |
---|
| 36 | #define CONSUMER_SECRET "FCxqcr0pXKzsF9ajmP57S3VQ8V6Drk4o2QYtqMcOszo" |
---|
| 37 | /* How can it be a secret if it's right here in the source code? No clue... */ |
---|
| 38 | |
---|
| 39 | #define HMAC_BLOCK_SIZE 64 |
---|
| 40 | |
---|
| 41 | static char *oauth_sign( const char *method, const char *url, |
---|
| 42 | const char *params, const char *token_secret ) |
---|
| 43 | { |
---|
| 44 | sha1_state_t sha1; |
---|
| 45 | uint8_t hash[sha1_hash_size]; |
---|
| 46 | uint8_t key[HMAC_BLOCK_SIZE+1]; |
---|
| 47 | char *s; |
---|
| 48 | int i; |
---|
| 49 | |
---|
| 50 | /* Create K. If our current key is >64 chars we have to hash it, |
---|
| 51 | otherwise just pad. */ |
---|
| 52 | memset( key, 0, HMAC_BLOCK_SIZE ); |
---|
[da2efd4] | 53 | i = strlen( CONSUMER_SECRET ) + 1 + ( token_secret ? strlen( token_secret ) : 0 ); |
---|
[be28fe7] | 54 | if( i > HMAC_BLOCK_SIZE ) |
---|
| 55 | { |
---|
| 56 | sha1_init( &sha1 ); |
---|
[da2efd4] | 57 | sha1_append( &sha1, (uint8_t*) CONSUMER_SECRET, strlen( CONSUMER_SECRET ) ); |
---|
| 58 | sha1_append( &sha1, (uint8_t*) "&", 1 ); |
---|
[be28fe7] | 59 | if( token_secret ) |
---|
[da2efd4] | 60 | sha1_append( &sha1, (uint8_t*) token_secret, strlen( token_secret ) ); |
---|
[be28fe7] | 61 | sha1_finish( &sha1, key ); |
---|
| 62 | } |
---|
| 63 | else |
---|
| 64 | { |
---|
[da2efd4] | 65 | g_snprintf( (gchar*) key, HMAC_BLOCK_SIZE + 1, "%s&%s", |
---|
[be28fe7] | 66 | CONSUMER_SECRET, token_secret ? : "" ); |
---|
| 67 | } |
---|
| 68 | |
---|
| 69 | /* Inner part: H(K XOR 0x36, text) */ |
---|
| 70 | sha1_init( &sha1 ); |
---|
| 71 | |
---|
| 72 | for( i = 0; i < HMAC_BLOCK_SIZE; i ++ ) |
---|
| 73 | key[i] ^= 0x36; |
---|
| 74 | sha1_append( &sha1, key, HMAC_BLOCK_SIZE ); |
---|
| 75 | |
---|
| 76 | /* OAuth: text = method&url¶ms, all http_encoded. */ |
---|
| 77 | sha1_append( &sha1, (const uint8_t*) method, strlen( method ) ); |
---|
| 78 | sha1_append( &sha1, (const uint8_t*) "&", 1 ); |
---|
| 79 | |
---|
| 80 | s = g_new0( char, strlen( url ) * 3 + 1 ); |
---|
| 81 | strcpy( s, url ); |
---|
| 82 | http_encode( s ); |
---|
| 83 | sha1_append( &sha1, (const uint8_t*) s, strlen( s ) ); |
---|
| 84 | sha1_append( &sha1, (const uint8_t*) "&", 1 ); |
---|
| 85 | g_free( s ); |
---|
| 86 | |
---|
| 87 | s = g_new0( char, strlen( params ) * 3 + 1 ); |
---|
| 88 | strcpy( s, params ); |
---|
| 89 | http_encode( s ); |
---|
| 90 | sha1_append( &sha1, (const uint8_t*) s, strlen( s ) ); |
---|
| 91 | g_free( s ); |
---|
| 92 | |
---|
| 93 | sha1_finish( &sha1, hash ); |
---|
| 94 | |
---|
| 95 | /* Final result: H(K XOR 0x5C, inner stuff) */ |
---|
| 96 | sha1_init( &sha1 ); |
---|
| 97 | for( i = 0; i < HMAC_BLOCK_SIZE; i ++ ) |
---|
| 98 | key[i] ^= 0x36 ^ 0x5c; |
---|
| 99 | sha1_append( &sha1, key, HMAC_BLOCK_SIZE ); |
---|
| 100 | sha1_append( &sha1, hash, sha1_hash_size ); |
---|
| 101 | sha1_finish( &sha1, hash ); |
---|
| 102 | |
---|
| 103 | /* base64_encode it and we're done. */ |
---|
| 104 | return base64_encode( hash, sha1_hash_size ); |
---|
| 105 | } |
---|
[da2efd4] | 106 | |
---|
| 107 | static char *oauth_nonce() |
---|
| 108 | { |
---|
| 109 | unsigned char bytes[9]; |
---|
| 110 | |
---|
| 111 | random_bytes( bytes, sizeof( bytes ) ); |
---|
| 112 | return base64_encode( bytes, sizeof( bytes ) ); |
---|
| 113 | } |
---|
| 114 | |
---|
| 115 | void oauth_params_add( GSList **params, const char *key, const char *value ) |
---|
| 116 | { |
---|
| 117 | char *item; |
---|
| 118 | |
---|
| 119 | item = g_strdup_printf( "%s=%s", key, value ); |
---|
| 120 | *params = g_slist_insert_sorted( *params, item, (GCompareFunc) strcmp ); |
---|
| 121 | } |
---|
| 122 | |
---|
| 123 | void oauth_params_del( GSList **params, const char *key ) |
---|
| 124 | { |
---|
| 125 | int key_len = strlen( key ); |
---|
| 126 | GSList *l, *n; |
---|
| 127 | |
---|
| 128 | for( l = *params; l; l = n ) |
---|
| 129 | { |
---|
| 130 | n = l->next; |
---|
| 131 | |
---|
| 132 | if( strncmp( (char*) l->data, key, key_len ) == 0 && |
---|
| 133 | ((char*)l->data)[key_len] == '=' ) |
---|
| 134 | { |
---|
| 135 | g_free( l->data ); |
---|
[b2bc25c] | 136 | *params = g_slist_remove( *params, l->data ); |
---|
[da2efd4] | 137 | } |
---|
| 138 | } |
---|
| 139 | } |
---|
| 140 | |
---|
| 141 | void oauth_params_set( GSList **params, const char *key, const char *value ) |
---|
| 142 | { |
---|
| 143 | oauth_params_del( params, key ); |
---|
| 144 | oauth_params_add( params, key, value ); |
---|
| 145 | } |
---|
| 146 | |
---|
| 147 | const char *oauth_params_get( GSList **params, const char *key ) |
---|
| 148 | { |
---|
| 149 | int key_len = strlen( key ); |
---|
| 150 | GSList *l; |
---|
| 151 | |
---|
| 152 | for( l = *params; l; l = l->next ) |
---|
| 153 | { |
---|
| 154 | if( strncmp( (char*) l->data, key, key_len ) == 0 && |
---|
| 155 | ((char*)l->data)[key_len] == '=' ) |
---|
| 156 | return (const char*) l->data + key_len + 1; |
---|
| 157 | } |
---|
| 158 | |
---|
| 159 | return NULL; |
---|
| 160 | } |
---|
| 161 | |
---|
[508c340] | 162 | static void oauth_params_parse( GSList **params, char *in ) |
---|
[da2efd4] | 163 | { |
---|
| 164 | char *amp, *eq; |
---|
| 165 | |
---|
| 166 | while( in && *in ) |
---|
| 167 | { |
---|
| 168 | eq = strchr( in, '=' ); |
---|
| 169 | if( !eq ) |
---|
| 170 | break; |
---|
| 171 | |
---|
| 172 | *eq = '\0'; |
---|
| 173 | if( ( amp = strchr( eq + 1, '&' ) ) ) |
---|
| 174 | *amp = '\0'; |
---|
| 175 | |
---|
[508c340] | 176 | oauth_params_add( params, in, eq + 1 ); |
---|
[da2efd4] | 177 | |
---|
| 178 | *eq = '='; |
---|
| 179 | if( amp == NULL ) |
---|
| 180 | break; |
---|
| 181 | |
---|
| 182 | *amp = '&'; |
---|
| 183 | in = amp + 1; |
---|
| 184 | } |
---|
| 185 | } |
---|
| 186 | |
---|
| 187 | void oauth_params_free( GSList **params ) |
---|
| 188 | { |
---|
| 189 | while( params && *params ) |
---|
| 190 | { |
---|
| 191 | g_free( (*params)->data ); |
---|
| 192 | *params = g_slist_remove( *params, (*params)->data ); |
---|
| 193 | } |
---|
| 194 | } |
---|
| 195 | |
---|
| 196 | char *oauth_params_string( GSList *params ) |
---|
| 197 | { |
---|
| 198 | GSList *l; |
---|
| 199 | GString *str = g_string_new( "" ); |
---|
| 200 | |
---|
| 201 | for( l = params; l; l = l->next ) |
---|
| 202 | { |
---|
| 203 | g_string_append( str, l->data ); |
---|
| 204 | if( l->next ) |
---|
| 205 | g_string_append_c( str, '&' ); |
---|
| 206 | } |
---|
| 207 | |
---|
| 208 | return g_string_free( str, FALSE ); |
---|
| 209 | } |
---|
| 210 | |
---|
[b2bc25c] | 211 | static void oauth_add_default_params( GSList **params ) |
---|
| 212 | { |
---|
| 213 | char *s; |
---|
| 214 | |
---|
| 215 | oauth_params_set( params, "oauth_consumer_key", CONSUMER_KEY ); |
---|
| 216 | oauth_params_set( params, "oauth_signature_method", "HMAC-SHA1" ); |
---|
| 217 | |
---|
| 218 | s = g_strdup_printf( "%d", (int) time( NULL ) ); |
---|
| 219 | oauth_params_set( params, "oauth_timestamp", s ); |
---|
| 220 | g_free( s ); |
---|
| 221 | |
---|
| 222 | s = oauth_nonce(); |
---|
| 223 | oauth_params_set( params, "oauth_nonce", s ); |
---|
| 224 | g_free( s ); |
---|
| 225 | |
---|
| 226 | oauth_params_set( params, "oauth_version", "1.0" ); |
---|
| 227 | } |
---|
| 228 | |
---|
[da2efd4] | 229 | static void *oauth_post_request( const char *url, GSList **params_, http_input_function func, void *data ) |
---|
| 230 | { |
---|
| 231 | GSList *params = NULL; |
---|
| 232 | char *s, *params_s, *post; |
---|
| 233 | void *req; |
---|
| 234 | url_t url_p; |
---|
| 235 | |
---|
| 236 | if( !url_set( &url_p, url ) ) |
---|
| 237 | { |
---|
| 238 | oauth_params_free( params_ ); |
---|
| 239 | return NULL; |
---|
| 240 | } |
---|
| 241 | |
---|
| 242 | if( params_ ) |
---|
| 243 | params = *params_; |
---|
| 244 | |
---|
[b2bc25c] | 245 | oauth_add_default_params( ¶ms ); |
---|
[da2efd4] | 246 | |
---|
| 247 | params_s = oauth_params_string( params ); |
---|
| 248 | oauth_params_free( params_ ); |
---|
| 249 | |
---|
| 250 | s = oauth_sign( "POST", url, params_s, NULL ); |
---|
| 251 | s = g_realloc( s, strlen( s ) * 3 + 1 ); |
---|
| 252 | http_encode( s ); |
---|
| 253 | |
---|
| 254 | post = g_strdup_printf( "%s&oauth_signature=%s", params_s, s ); |
---|
| 255 | g_free( params_s ); |
---|
| 256 | g_free( s ); |
---|
| 257 | |
---|
| 258 | s = g_strdup_printf( "POST %s HTTP/1.0\r\n" |
---|
| 259 | "Host: %s\r\n" |
---|
| 260 | "Content-Type: application/x-www-form-urlencoded\r\n" |
---|
| 261 | "Content-Length: %zd\r\n" |
---|
| 262 | "\r\n" |
---|
| 263 | "%s", url_p.file, url_p.host, strlen( post ), post ); |
---|
| 264 | g_free( post ); |
---|
| 265 | |
---|
| 266 | req = http_dorequest( url_p.host, url_p.port, url_p.proto == PROTO_HTTPS, |
---|
| 267 | s, func, data ); |
---|
| 268 | g_free( s ); |
---|
| 269 | |
---|
| 270 | return req; |
---|
| 271 | } |
---|
| 272 | |
---|
[346dfd9] | 273 | static void oauth_request_token_done( struct http_request *req ); |
---|
[da2efd4] | 274 | |
---|
| 275 | void *oauth_request_token( const char *url, oauth_cb func, void *data ) |
---|
| 276 | { |
---|
| 277 | struct oauth_info *st = g_new0( struct oauth_info, 1 ); |
---|
[346dfd9] | 278 | GSList *params = NULL; |
---|
[da2efd4] | 279 | |
---|
| 280 | st->func = func; |
---|
| 281 | st->data = data; |
---|
| 282 | |
---|
[346dfd9] | 283 | oauth_params_add( ¶ms, "oauth_callback", "oob" ); |
---|
| 284 | |
---|
[da2efd4] | 285 | return oauth_post_request( url, NULL, oauth_request_token_done, st ); |
---|
| 286 | } |
---|
| 287 | |
---|
[346dfd9] | 288 | static void oauth_request_token_done( struct http_request *req ) |
---|
[da2efd4] | 289 | { |
---|
| 290 | struct oauth_info *st = req->data; |
---|
| 291 | |
---|
| 292 | st->http = req; |
---|
| 293 | |
---|
| 294 | if( req->status_code == 200 ) |
---|
| 295 | { |
---|
[508c340] | 296 | GSList *params = NULL; |
---|
[da2efd4] | 297 | |
---|
| 298 | st->auth_params = g_strdup( req->reply_body ); |
---|
[508c340] | 299 | oauth_params_parse( ¶ms, st->auth_params ); |
---|
[713d611] | 300 | st->request_token = g_strdup( oauth_params_get( ¶ms, "oauth_token" ) ); |
---|
[da2efd4] | 301 | oauth_params_free( ¶ms ); |
---|
| 302 | } |
---|
| 303 | |
---|
[c42e8b9] | 304 | st->stage = OAUTH_REQUEST_TOKEN; |
---|
[713d611] | 305 | st->func( st ); |
---|
[346dfd9] | 306 | } |
---|
| 307 | |
---|
| 308 | static void oauth_access_token_done( struct http_request *req ); |
---|
| 309 | |
---|
| 310 | void *oauth_access_token( const char *url, const char *pin, struct oauth_info *st ) |
---|
| 311 | { |
---|
| 312 | GSList *params = NULL; |
---|
| 313 | |
---|
[713d611] | 314 | oauth_params_add( ¶ms, "oauth_token", st->request_token ); |
---|
[346dfd9] | 315 | oauth_params_add( ¶ms, "oauth_verifier", pin ); |
---|
| 316 | |
---|
| 317 | return oauth_post_request( url, ¶ms, oauth_access_token_done, st ); |
---|
| 318 | } |
---|
| 319 | |
---|
| 320 | static void oauth_access_token_done( struct http_request *req ) |
---|
| 321 | { |
---|
[b2bc25c] | 322 | struct oauth_info *st = req->data; |
---|
| 323 | |
---|
| 324 | if( req->status_code == 200 ) |
---|
[c42e8b9] | 325 | { |
---|
| 326 | GSList *params; |
---|
| 327 | const char *token, *token_secret; |
---|
| 328 | |
---|
| 329 | oauth_params_parse( ¶ms, req->reply_body ); |
---|
| 330 | token = oauth_params_get( ¶ms, "oauth_token" ); |
---|
| 331 | token_secret = oauth_params_get( ¶ms, "oauth_token_secret" ); |
---|
| 332 | st->access_token = g_strdup_printf( |
---|
| 333 | "oauth_token=%s&oauth_token_secret=%s", token, token_secret ); |
---|
| 334 | oauth_params_free( ¶ms ); |
---|
| 335 | } |
---|
[b2bc25c] | 336 | |
---|
[c42e8b9] | 337 | st->stage = OAUTH_ACCESS_TOKEN; |
---|
[713d611] | 338 | st->func( st ); |
---|
[b2bc25c] | 339 | } |
---|
| 340 | |
---|
[508c340] | 341 | char *oauth_http_header( char *access_token, const char *method, const char *url, char *args ) |
---|
[b2bc25c] | 342 | { |
---|
[508c340] | 343 | GSList *params = NULL, *l; |
---|
| 344 | char *token_secret, *sig, *params_s, *s; |
---|
[b2bc25c] | 345 | GString *ret = NULL; |
---|
| 346 | |
---|
[508c340] | 347 | oauth_params_parse( ¶ms, access_token ); |
---|
[b2bc25c] | 348 | if( params == NULL ) |
---|
| 349 | goto err; |
---|
| 350 | token_secret = g_strdup( oauth_params_get( ¶ms, "oauth_token_secret" ) ); |
---|
| 351 | if( token_secret == NULL ) |
---|
| 352 | goto err; |
---|
| 353 | oauth_params_del( ¶ms, "oauth_token_secret" ); |
---|
| 354 | |
---|
| 355 | oauth_add_default_params( ¶ms ); |
---|
| 356 | |
---|
| 357 | ret = g_string_new( "OAuth " ); |
---|
| 358 | for( l = params; l; l = l->next ) |
---|
| 359 | { |
---|
| 360 | char *kv = l->data; |
---|
| 361 | char *eq = strchr( kv, '=' ); |
---|
| 362 | char esc[strlen(kv)*3+1]; |
---|
| 363 | |
---|
| 364 | if( eq == NULL ) |
---|
| 365 | break; /* WTF */ |
---|
| 366 | |
---|
| 367 | strcpy( esc, eq + 1 ); |
---|
| 368 | http_encode( esc ); |
---|
| 369 | |
---|
| 370 | g_string_append_len( ret, kv, eq - kv + 1 ); |
---|
| 371 | g_string_append_c( ret, '"' ); |
---|
| 372 | g_string_append( ret, esc ); |
---|
| 373 | g_string_append( ret, "\", " ); |
---|
| 374 | } |
---|
| 375 | |
---|
[508c340] | 376 | if( args ) |
---|
| 377 | oauth_params_parse( ¶ms, args ); |
---|
| 378 | if( ( s = strchr( url, '?' ) ) ) |
---|
| 379 | { |
---|
| 380 | s = g_strdup( s + 1 ); |
---|
| 381 | oauth_params_parse( ¶ms, s + 1 ); |
---|
| 382 | g_free( s ); |
---|
| 383 | } |
---|
| 384 | |
---|
| 385 | params_s = oauth_params_string( params ); |
---|
| 386 | sig = oauth_sign( method, url, params_s, token_secret ); |
---|
| 387 | g_free( params_s ); |
---|
| 388 | sig = g_realloc( sig, strlen( sig ) * 3 + 1 ); |
---|
| 389 | http_encode( sig ); |
---|
| 390 | |
---|
[b2bc25c] | 391 | g_string_append_printf( ret, "oauth_signature=\"%s\"", sig ); |
---|
| 392 | |
---|
| 393 | err: |
---|
| 394 | oauth_params_free( ¶ms ); |
---|
| 395 | g_free( sig ); |
---|
| 396 | g_free( token_secret ); |
---|
| 397 | |
---|
| 398 | return ret ? g_string_free( ret, FALSE ) : NULL; |
---|
[da2efd4] | 399 | } |
---|