Context Navigation

source: protocols/jabber/sasl.c @ 39a939c

Last change on this file since 39a939c was 4a5d885, checked in by Wilmer van der Gaast <wilmer@…>, at 2011-07-26T11:58:38Z
Working OAuth2 support. Needs some more debugging (error handling is not great and imc_logout() gets (rightfully) confused when jabber_data is empty).
Property mode set to `100644`
File size: 12.6 KB

Line
1	/***************************************************************************\
2	* *
3	* BitlBee - An IRC to IM gateway *
4	* Jabber module - SASL authentication *
5	* *
6	* Copyright 2006 Wilmer van der Gaast <wilmer@gaast.net> *
7	* *
8	* This program is free software; you can redistribute it and/or modify *
9	* it under the terms of the GNU General Public License as published by *
10	* the Free Software Foundation; either version 2 of the License, or *
11	* (at your option) any later version. *
12	* *
13	* This program is distributed in the hope that it will be useful, *
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
16	* GNU General Public License for more details. *
17	* *
18	* You should have received a copy of the GNU General Public License along *
19	* with this program; if not, write to the Free Software Foundation, Inc., *
20	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. *
21	* *
22	\***************************************************************************/
23
24	#include <ctype.h>
25
26	#include "jabber.h"
27	#include "base64.h"
28	#include "oauth2.h"
29
30	xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data )
31	{
32	struct im_connection *ic = data;
33	struct jabber_data *jd = ic->proto_data;
34	struct xt_node c, reply;
35	char *s;
36	int sup_plain = 0, sup_digest = 0, sup_oauth2 = 0;
37
38	if( !sasl_supported( ic ) )
39	{
40	/* Should abort this now, since we should already be doing
41	IQ authentication. Strange things happen when you try
42	to do both... */
43	imcb_log( ic, "XMPP 1.0 non-compliant server seems to support SASL, please report this as a BitlBee bug!" );
44	return XT_HANDLED;
45	}
46
47	s = xt_find_attr( node, "xmlns" );
48	if( !s \|\| strcmp( s, XMLNS_SASL ) != 0 )
49	{
50	imcb_log( ic, "Stream error while authenticating" );
51	imc_logout( ic, FALSE );
52	return XT_ABORT;
53	}
54
55	c = node->children;
56	while( ( c = xt_find_node( c, "mechanism" ) ) )
57	{
58	if( c->text && g_strcasecmp( c->text, "PLAIN" ) == 0 )
59	sup_plain = 1;
60	if( c->text && g_strcasecmp( c->text, "DIGEST-MD5" ) == 0 )
61	sup_digest = 1;
62	if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 )
63	sup_oauth2 = 1;
64
65	c = c->next;
66	}
67
68	if( !sup_plain && !sup_digest )
69	{
70	imcb_error( ic, "No known SASL authentication schemes supported" );
71	imc_logout( ic, FALSE );
72	return XT_ABORT;
73	}
74
75	reply = xt_new_node( "auth", NULL, NULL );
76	xt_add_attr( reply, "xmlns", XMLNS_SASL );
77
78	if( set_getbool( &ic->acc->set, "oauth" ) )
79	{
80	int len;
81
82	if( !sup_oauth2 )
83	{
84	imcb_error( ic, "OAuth requested, but not supported by server" );
85	imc_logout( ic, FALSE );
86	xt_free_node( reply );
87	return XT_ABORT;
88	}
89
90	/* X-OAUTH2 is, not the standard OAuth2 SASL/XMPP implementation.
91	It's currently used by GTalk and vaguely documented on
92	http://code.google.com/apis/cloudprint/docs/rawxmpp.html . */
93	xt_add_attr( reply, "mechanism", "X-OAUTH2" );
94
95	len = strlen( jd->username ) + strlen( jd->oauth2_access_token ) + 2;
96	s = g_malloc( len + 1 );
97	s[0] = 0;
98	strcpy( s + 1, jd->username );
99	strcpy( s + 2 + strlen( jd->username ), jd->oauth2_access_token );
100	reply->text = base64_encode( (unsigned char *)s, len );
101	reply->text_len = strlen( reply->text );
102	g_free( s );
103	}
104	else if( sup_digest )
105	{
106	xt_add_attr( reply, "mechanism", "DIGEST-MD5" );
107
108	/* The rest will be done later, when we receive a <challenge/>. */
109	}
110	else if( sup_plain )
111	{
112	int len;
113
114	xt_add_attr( reply, "mechanism", "PLAIN" );
115
116	/* With SASL PLAIN in XMPP, the text should be b64(\0user\0pass) */
117	len = strlen( jd->username ) + strlen( ic->acc->pass ) + 2;
118	s = g_malloc( len + 1 );
119	s[0] = 0;
120	strcpy( s + 1, jd->username );
121	strcpy( s + 2 + strlen( jd->username ), ic->acc->pass );
122	reply->text = base64_encode( (unsigned char *)s, len );
123	reply->text_len = strlen( reply->text );
124	g_free( s );
125	}
126
127	if( reply && !jabber_write_packet( ic, reply ) )
128	{
129	xt_free_node( reply );
130	return XT_ABORT;
131	}
132	xt_free_node( reply );
133
134	/* To prevent classic authentication from happening. */
135	jd->flags \|= JFLAG_STREAM_STARTED;
136
137	return XT_HANDLED;
138	}
139
140	/* Non-static function, but not mentioned in jabber.h because it's for internal
141	use, just that the unittest should be able to reach it... */
142	char sasl_get_part( char data, char *field )
143	{
144	int i, len;
145
146	len = strlen( field );
147
148	while( isspace( data ) \|\| data == ',' )
149	data ++;
150
151	if( g_strncasecmp( data, field, len ) == 0 && data[len] == '=' )
152	{
153	i = strlen( field ) + 1;
154	}
155	else
156	{
157	for( i = 0; data[i]; i ++ )
158	{
159	/* If we have a ", skip until it's closed again. */
160	if( data[i] == '"' )
161	{
162	i ++;
163	while( data[i] != '"' \|\| data[i-1] == '\\' )
164	i ++;
165	}
166
167	/* If we got a comma, we got a new field. Check it,
168	find the next key after it. */
169	if( data[i] == ',' )
170	{
171	while( isspace( data[i] ) \|\| data[i] == ',' )
172	i ++;
173
174	if( g_strncasecmp( data + i, field, len ) == 0 &&
175	data[i+len] == '=' )
176	{
177	i += len + 1;
178	break;
179	}
180	}
181	}
182	}
183
184	if( data[i] == '"' )
185	{
186	int j;
187	char *ret;
188
189	i ++;
190	len = 0;
191	while( data[i+len] != '"' \|\| data[i+len-1] == '\\' )
192	len ++;
193
194	ret = g_strndup( data + i, len );
195	for( i = j = 0; ret[i]; i ++ )
196	{
197	if( ret[i] == '\\' )
198	{
199	ret[j++] = ret[++i];
200	}
201	else
202	{
203	ret[j++] = ret[i];
204	}
205	}
206	ret[j] = 0;
207
208	return ret;
209	}
210	else if( data[i] )
211	{
212	len = 0;
213	while( data[i+len] && data[i+len] != ',' )
214	len ++;
215
216	return g_strndup( data + i, len );
217	}
218	else
219	{
220	return NULL;
221	}
222	}
223
224	xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data )
225	{
226	struct im_connection *ic = data;
227	struct jabber_data *jd = ic->proto_data;
228	struct xt_node *reply = NULL;
229	char nonce = NULL, realm = NULL, *cnonce = NULL;
230	unsigned char cnonce_bin[30];
231	char *digest_uri = NULL;
232	char *dec = NULL;
233	char *s = NULL;
234	xt_status ret = XT_ABORT;
235
236	if( node->text_len == 0 )
237	goto error;
238
239	dec = frombase64( node->text );
240
241	if( !( s = sasl_get_part( dec, "rspauth" ) ) )
242	{
243	/* See RFC 2831 for for information. */
244	md5_state_t A1, A2, H;
245	md5_byte_t A1r[16], A2r[16], Hr[16];
246	char A1h[33], A2h[33], Hh[33];
247	int i;
248
249	nonce = sasl_get_part( dec, "nonce" );
250	realm = sasl_get_part( dec, "realm" );
251
252	if( !nonce )
253	goto error;
254
255	/* Jabber.Org considers the realm part optional and doesn't
256	specify one. Oh well, actually they're right, but still,
257	don't know if this is right... */
258	if( !realm )
259	realm = g_strdup( jd->server );
260
261	random_bytes( cnonce_bin, sizeof( cnonce_bin ) );
262	cnonce = base64_encode( cnonce_bin, sizeof( cnonce_bin ) );
263	digest_uri = g_strdup_printf( "%s/%s", "xmpp", jd->server );
264
265	/* Generate the MD5 hash of username:realm:password,
266	I decided to call it H. */
267	md5_init( &H );
268	s = g_strdup_printf( "%s:%s:%s", jd->username, realm, ic->acc->pass );
269	md5_append( &H, (unsigned char *) s, strlen( s ) );
270	g_free( s );
271	md5_finish( &H, Hr );
272
273	/* Now generate the hex. MD5 hash of H:nonce:cnonce, called A1. */
274	md5_init( &A1 );
275	s = g_strdup_printf( ":%s:%s", nonce, cnonce );
276	md5_append( &A1, Hr, 16 );
277	md5_append( &A1, (unsigned char *) s, strlen( s ) );
278	g_free( s );
279	md5_finish( &A1, A1r );
280	for( i = 0; i < 16; i ++ )
281	sprintf( A1h + i * 2, "%02x", A1r[i] );
282
283	/* A2... */
284	md5_init( &A2 );
285	s = g_strdup_printf( "%s:%s", "AUTHENTICATE", digest_uri );
286	md5_append( &A2, (unsigned char *) s, strlen( s ) );
287	g_free( s );
288	md5_finish( &A2, A2r );
289	for( i = 0; i < 16; i ++ )
290	sprintf( A2h + i * 2, "%02x", A2r[i] );
291
292	/* Final result: A1:nonce:00000001:cnonce:auth:A2. Let's reuse H for it. */
293	md5_init( &H );
294	s = g_strdup_printf( "%s:%s:%s:%s:%s:%s", A1h, nonce, "00000001", cnonce, "auth", A2h );
295	md5_append( &H, (unsigned char *) s, strlen( s ) );
296	g_free( s );
297	md5_finish( &H, Hr );
298	for( i = 0; i < 16; i ++ )
299	sprintf( Hh + i * 2, "%02x", Hr[i] );
300
301	/* Now build the SASL response string: */
302	g_free( dec );
303	dec = g_strdup_printf( "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\","
304	"nc=%08x,qop=auth,digest-uri=\"%s\",response=%s,charset=%s",
305	jd->username, realm, nonce, cnonce, 1, digest_uri, Hh, "utf-8" );
306	s = tobase64( dec );
307	}
308	else
309	{
310	/* We found rspauth, but don't really care... */
311	g_free( s );
312	s = NULL;
313	}
314
315	reply = xt_new_node( "response", s, NULL );
316	xt_add_attr( reply, "xmlns", XMLNS_SASL );
317
318	if( !jabber_write_packet( ic, reply ) )
319	goto silent_error;
320
321	ret = XT_HANDLED;
322	goto silent_error;
323
324	error:
325	imcb_error( ic, "Incorrect SASL challenge received" );
326	imc_logout( ic, FALSE );
327
328	silent_error:
329	g_free( digest_uri );
330	g_free( cnonce );
331	g_free( nonce );
332	g_free( realm );
333	g_free( dec );
334	g_free( s );
335	xt_free_node( reply );
336
337	return ret;
338	}
339
340	xt_status sasl_pkt_result( struct xt_node *node, gpointer data )
341	{
342	struct im_connection *ic = data;
343	struct jabber_data *jd = ic->proto_data;
344	char *s;
345
346	s = xt_find_attr( node, "xmlns" );
347	if( !s \|\| strcmp( s, XMLNS_SASL ) != 0 )
348	{
349	imcb_log( ic, "Stream error while authenticating" );
350	imc_logout( ic, FALSE );
351	return XT_ABORT;
352	}
353
354	if( strcmp( node->name, "success" ) == 0 )
355	{
356	imcb_log( ic, "Authentication finished" );
357	jd->flags \|= JFLAG_AUTHENTICATED \| JFLAG_STREAM_RESTART;
358	}
359	else if( strcmp( node->name, "failure" ) == 0 )
360	{
361	imcb_error( ic, "Authentication failure" );
362	imc_logout( ic, FALSE );
363	return XT_ABORT;
364	}
365
366	return XT_HANDLED;
367	}
368
369	/* This one is needed to judge if we'll do authentication using IQ or SASL.
370	It's done by checking if the <stream:stream> from the server has a
371	version attribute. I don't know if this is the right way though... */
372	gboolean sasl_supported( struct im_connection *ic )
373	{
374	struct jabber_data *jd = ic->proto_data;
375
376	return ( jd->xt && jd->xt->root && xt_find_attr( jd->xt->root, "version" ) ) != 0;
377	}
378
379	void sasl_oauth2_init( struct im_connection *ic )
380	{
381	char msg, url;
382
383	imcb_log( ic, "Starting OAuth authentication" );
384
385	/* Temporary contact, just used to receive the OAuth response. */
386	imcb_add_buddy( ic, "jabber_oauth", NULL );
387	url = oauth2_url( &oauth2_service_google,
388	"https://www.googleapis.com/auth/googletalk" );
389	msg = g_strdup_printf( "Open this URL in your browser to authenticate: %s", url );
390	imcb_buddy_msg( ic, "jabber_oauth", msg, 0, 0 );
391	imcb_buddy_msg( ic, "jabber_oauth", "Respond to this message with the returned "
392	"authorization token.", 0, 0 );
393
394	g_free( msg );
395	g_free( url );
396	}
397
398	static gboolean sasl_oauth2_remove_contact( gpointer data, gint fd, b_input_condition cond )
399	{
400	struct im_connection *ic = data;
401	imcb_remove_buddy( ic, "jabber_oauth", NULL );
402	return FALSE;
403	}
404
405	static void sasl_oauth2_got_token( gpointer data, const char access_token, const char refresh_token );
406
407	int sasl_oauth2_get_refresh_token( struct im_connection ic, const char msg )
408	{
409	char *code;
410	int ret;
411
412	imcb_log( ic, "Requesting OAuth access token" );
413
414	/* Don't do it here because the caller may get confused if the contact
415	we're currently sending a message to is deleted. */
416	b_timeout_add( 1, sasl_oauth2_remove_contact, ic );
417
418	code = g_strdup( msg );
419	g_strstrip( code );
420	ret = oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_CODE,
421	code, sasl_oauth2_got_token, ic );
422
423	g_free( code );
424	return ret;
425	}
426
427	int sasl_oauth2_refresh( struct im_connection ic, const char refresh_token )
428	{
429	return oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_REFRESH,
430	refresh_token, sasl_oauth2_got_token, ic );
431	}
432
433	static void sasl_oauth2_got_token( gpointer data, const char access_token, const char refresh_token )
434	{
435	struct im_connection *ic = data;
436	struct jabber_data *jd;
437
438	if( g_slist_find( jabber_connections, ic ) == NULL )
439	return;
440
441	jd = ic->proto_data;
442
443	if( access_token == NULL )
444	{
445	imcb_error( ic, "OAuth failure (missing access token)" );
446	imc_logout( ic, TRUE );
447	}
448	if( refresh_token != NULL )
449	{
450	g_free( ic->acc->pass );
451	ic->acc->pass = g_strdup_printf( "refresh_token=%s", refresh_token );
452	}
453
454	g_free( jd->oauth2_access_token );
455	jd->oauth2_access_token = g_strdup( access_token );
456
457	jabber_connect( ic );
458	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: