Changes in / [17f057d:6e9ae72]

Files:

• doc/user-guide/commands.xml (modified) (1 diff)
• irc_im.c (modified) (2 diffs)
• lib/Makefile (modified) (1 diff)
• lib/md5.c (modified) (2 diffs)
• lib/md5.h (modified) (1 diff)
• lib/oauth.c (modified) (2 diffs)
• lib/oauth.h (modified) (1 diff)
• lib/oauth2.c (added)
• lib/oauth2.h (added)
• protocols/jabber/jabber.c (modified) (5 diffs)
• protocols/jabber/jabber.h (modified) (4 diffs)
• protocols/jabber/sasl.c (modified) (10 diffs)

doc/user-guide/commands.xml

@@ -1126 +1126 @@
                 <description>
                         <para>
-                                This enables OAuth authentication for Twitter accounts. From June 2010 this will be mandatory.
-                        </para>
-
-                        <para>
-                                With OAuth enabled, you shouldn't tell BitlBee your Twitter password. Just add your account with a bogus password and type <emphasis>account on</emphasis>. BitlBee will then give you a URL to authenticate with Twitter. If this succeeds, Twitter will return a PIN code which you can give back to BitlBee to finish the process.
-                        </para>
-
-                        <para>
-                                The resulting access token will be saved permanently, so you have to do this only once.
+                                This enables OAuth authentication for accounts that support it; right now Twitter and Google Talk (if you have 2-factor authentication enabled on your account) support it.
+                        </para>
+
+                        <para>
+                                With OAuth enabled, you shouldn't tell BitlBee your Twitter password. Just add your account with a bogus password and type <emphasis>account on</emphasis>. BitlBee will then give you a URL to authenticate with the service. If this succeeds, you will get a PIN code which you can give back to BitlBee to finish the process.
+                        </para>
+
+                        <para>
+                                The resulting access token will be saved permanently, so you have to do this only once. If for any reason you want to/have to reauthenticate, you can use <emphasis>account set</emphasis> to reset the account password to something random.
                         </para>
                 </description>

irc_im.c

@@ -442 +442 @@
 {
         irc_user_t *iu = data;
-        char *msg = g_string_free( iu->pastebuf, FALSE );
+        char *msg;
         GSList *l;
+        
+        msg = g_string_free( iu->pastebuf, FALSE );
+        iu->pastebuf = NULL;
+        iu->pastebuf_timer = 0;
         
         for( l = irc_plugins; l; l = l->next )
@@ -470 +474 @@
         
         g_free( msg );
-        iu->pastebuf = NULL;
-        iu->pastebuf_timer = 0;
         
         return FALSE;

lib/Makefile

@@ -13 +13 @@
 
 # [SH] Program variables
-objects = arc.o base64.o $(DES) $(EVENT_HANDLER) ftutil.o http_client.o ini.o md5.o misc.o oauth.o proxy.o sha1.o $(SSL_CLIENT) url.o xmltree.o
+objects = arc.o base64.o $(DES) $(EVENT_HANDLER) ftutil.o http_client.o ini.o md5.o misc.o oauth.o oauth2.o proxy.o sha1.o $(SSL_CLIENT) url.o xmltree.o
 
 LFLAGS += -r

lib/md5.c

@@ -24 +24 @@
 #include <sys/types.h>
 #include <string.h>             /* for memcpy() */
+#include <stdio.h>
 #include "md5.h"
 
@@ -160 +161 @@
         memcpy(digest, ctx->buf, 16);
         memset(ctx, 0, sizeof(ctx));    /* In case it's sensitive */
+}
+
+void md5_finish_ascii(struct MD5Context *context, char *ascii)
+{
+        md5_byte_t bin[16];
+        int i;
+        
+        md5_finish(context, bin);
+        for (i = 0; i < 16; i ++)
+                sprintf(ascii + i * 2, "%02x", bin[i]);
 }
 

lib/md5.h

@@ -43 +43 @@
 G_MODULE_EXPORT void md5_append(struct MD5Context *context, const md5_byte_t *buf, unsigned int len);
 G_MODULE_EXPORT void md5_finish(struct MD5Context *context, md5_byte_t digest[16]);
+G_MODULE_EXPORT void md5_finish_ascii(struct MD5Context *context, char *ascii);
 
 #endif

lib/oauth.c

@@ -122 +122 @@
         char *item;
         
+        if( !key || !value )
+                return;
+        
         item = g_strdup_printf( "%s=%s", key, value );
         *params = g_slist_insert_sorted( *params, item, (GCompareFunc) strcmp );
@@ -165 +168 @@
 }
 
-static void oauth_params_parse( GSList **params, char *in )
+void oauth_params_parse( GSList **params, char *in )
 {
         char *amp, *eq, *s;

lib/oauth.h

@@ -92 +92 @@
 
 /* For reading misc. data. */
+void oauth_params_add( GSList **params, const char *key, const char *value );
+void oauth_params_parse( GSList **params, char *in );
+void oauth_params_free( GSList **params );
+char *oauth_params_string( GSList *params );
 const char *oauth_params_get( GSList **params, const char *key );

protocols/jabber/jabber.c

@@ -60 +60 @@
         s = set_add( &acc->set, "activity_timeout", "600", set_eval_int, acc );
         
+        s = set_add( &acc->set, "oauth", "false", set_eval_bool, acc );
+
         g_snprintf( str, sizeof( str ), "%d", jabber_port_list[0] );
         s = set_add( &acc->set, "port", str, set_eval_int, acc );
@@ -99 +101 @@
         struct im_connection *ic = imcb_new( acc );
         struct jabber_data *jd = g_new0( struct jabber_data, 1 );
-        struct ns_srv_reply **srvl = NULL, *srv = NULL;
-        char *connect_to, *s;
-        int i;
+        char *s;
         
         /* For now this is needed in the _connected() handlers if using
@@ -138 +138 @@
         }
         
-        /* This code isn't really pretty. Backwards compatibility never is... */
-        s = acc->server;
-        while( s )
-        {
-                static int had_port = 0;
-                
-                if( strncmp( s, "ssl", 3 ) == 0 )
-                {
-                        set_setstr( &acc->set, "ssl", "true" );
-                        
-                        /* Flush this part so that (if this was the first
-                           part of the server string) acc->server gets
-                           flushed. We don't want to have to do this another
-                           time. :-) */
-                        *s = 0;
-                        s ++;
-                        
-                        /* Only set this if the user didn't specify a custom
-                           port number already... */
-                        if( !had_port )
-                                set_setint( &acc->set, "port", 5223 );
-                }
-                else if( isdigit( *s ) )
-                {
-                        int i;
-                        
-                        /* The first character is a digit. It could be an
-                           IP address though. Only accept this as a port#
-                           if there are only digits. */
-                        for( i = 0; isdigit( s[i] ); i ++ );
-                        
-                        /* If the first non-digit character is a colon or
-                           the end of the string, save the port number
-                           where it should be. */
-                        if( s[i] == ':' || s[i] == 0 )
-                        {
-                                sscanf( s, "%d", &i );
-                                set_setint( &acc->set, "port", i );
-                                
-                                /* See above. */
-                                *s = 0;
-                                s ++;
-                        }
-                        
-                        had_port = 1;
-                }
-                
-                s = strchr( s, ':' );
-                if( s )
-                {
-                        *s = 0;
-                        s ++;
-                }
-        }
-        
         jd->node_cache = g_hash_table_new_full( g_str_hash, g_str_equal, NULL, jabber_cache_entry_free );
         jd->buddies = g_hash_table_new( g_str_hash, g_str_equal );
+        
+        if( set_getbool( &acc->set, "oauth" ) )
+        {
+                jd->fd = jd->r_inpa = jd->w_inpa = -1;
+                
+                /* For the first login with OAuth, we have to authenticate via the browser.
+                   For subsequent logins, exchange the refresh token for a valid access
+                   token (even though the last one maybe didn't expire yet). */
+                if( strncmp( acc->pass, "refresh_token=", 14 ) != 0 )
+                {
+                        sasl_oauth2_init( ic );
+                        ic->flags |= OPT_SLOW_LOGIN;
+                }
+                else
+                        sasl_oauth2_refresh( ic, acc->pass + 14 );
+        }
+        else
+                jabber_connect( ic );
+}
+
+/* Separate this from jabber_login() so we can do OAuth first if necessary.
+   Putting this in io.c would probably be more correct. */
+void jabber_connect( struct im_connection *ic )
+{
+        account_t *acc = ic->acc;
+        struct jabber_data *jd = ic->proto_data;
+        int i;
+        char *connect_to;
+        struct ns_srv_reply **srvl = NULL, *srv = NULL;
         
         /* Figure out the hostname to connect to. */
@@ -319 +293 @@
         xt_free( jd->xt );
         
+        g_free( jd->oauth2_access_token );
         g_free( jd->away_message );
         g_free( jd->username );
@@ -336 +311 @@
         if( g_strcasecmp( who, JABBER_XMLCONSOLE_HANDLE ) == 0 )
                 return jabber_write( ic, message, strlen( message ) );
+        
+        if( g_strcasecmp( who, "jabber_oauth" ) == 0 )
+        {
+                if( sasl_oauth2_get_refresh_token( ic, message ) )
+                {
+                        return 1;
+                }
+                else
+                {
+                        imcb_error( ic, "OAuth failure" );
+                        imc_logout( ic, TRUE );
+                        return 0;
+                }
+        }
         
         if( ( s = strchr( who, '=' ) ) && jabber_chat_by_jid( ic, s + 1 ) )

protocols/jabber/jabber.h

@@ -47 +47 @@
         JFLAG_XMLCONSOLE = 64,          /* If the user added an xmlconsole buddy. */
         JFLAG_STARTTLS_DONE = 128,      /* If a plaintext session was converted to TLS. */
+        
+        JFLAG_SASL_FB = 0x10000,        /* Trying Facebook authentication. */
 } jabber_flags_t;
 
@@ -92 +94 @@
         char *username;         /* USERNAME@server */
         char *server;           /* username@SERVER -=> server/domain, not hostname */
+        
+        char *oauth2_access_token;
         
         /* After changing one of these two (or the priority setting), call
@@ -232 +236 @@
 #define XMLNS_IBB          "http://jabber.org/protocol/ibb"                      /* XEP-0047 */
 
+/* jabber.c */
+void jabber_connect( struct im_connection *ic );
+
 /* iq.c */
 xt_status jabber_pkt_iq( struct xt_node *node, gpointer data );
@@ -316 +323 @@
 xt_status sasl_pkt_result( struct xt_node *node, gpointer data );
 gboolean sasl_supported( struct im_connection *ic );
+void sasl_oauth2_init( struct im_connection *ic );
+int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg );
+int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token );
 
 /* conference.c */

protocols/jabber/sasl.c

@@ -26 +26 @@
 #include "jabber.h"
 #include "base64.h"
+#include "oauth2.h"
+#include "oauth.h"
 
 xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data )
@@ -33 +35 @@
         struct xt_node *c, *reply;
         char *s;
-        int sup_plain = 0, sup_digest = 0;
+        int sup_plain = 0, sup_digest = 0, sup_oauth2 = 0, sup_fb = 0;
         
         if( !sasl_supported( ic ) )
@@ -59 +61 @@
                 if( c->text && g_strcasecmp( c->text, "DIGEST-MD5" ) == 0 )
                         sup_digest = 1;
+                if( c->text && g_strcasecmp( c->text, "X-OAUTH2" ) == 0 )
+                        sup_oauth2 = 1;
+                if( c->text && g_strcasecmp( c->text, "X-FACEBOOK-PLATFORM" ) == 0 )
+                        sup_fb = 1;
                 
                 c = c->next;
@@ -73 +79 @@
         xt_add_attr( reply, "xmlns", XMLNS_SASL );
         
-        if( sup_digest )
+        if( set_getbool( &ic->acc->set, "oauth" ) )
+        {
+                int len;
+                
+                if( !sup_oauth2 )
+                {
+                        imcb_error( ic, "OAuth requested, but not supported by server" );
+                        imc_logout( ic, FALSE );
+                        xt_free_node( reply );
+                        return XT_ABORT;
+                }
+                
+                /* X-OAUTH2 is, not *the* standard OAuth2 SASL/XMPP implementation.
+                   It's currently used by GTalk and vaguely documented on
+                   http://code.google.com/apis/cloudprint/docs/rawxmpp.html . */
+                xt_add_attr( reply, "mechanism", "X-OAUTH2" );
+                
+                len = strlen( jd->username ) + strlen( jd->oauth2_access_token ) + 2;
+                s = g_malloc( len + 1 );
+                s[0] = 0;
+                strcpy( s + 1, jd->username );
+                strcpy( s + 2 + strlen( jd->username ), jd->oauth2_access_token );
+                reply->text = base64_encode( (unsigned char *)s, len );
+                reply->text_len = strlen( reply->text );
+                g_free( s );
+        }
+        else if( sup_fb && strstr( ic->acc->pass, "session_key=" ) )
+        {
+                xt_add_attr( reply, "mechanism", "X-FACEBOOK-PLATFORM" );
+                jd->flags |= JFLAG_SASL_FB;
+        }
+        else if( sup_digest )
         {
                 xt_add_attr( reply, "mechanism", "DIGEST-MD5" );
@@ -96 +133 @@
         }
         
-        if( !jabber_write_packet( ic, reply ) )
+        if( reply && !jabber_write_packet( ic, reply ) )
         {
                 xt_free_node( reply );
@@ -197 +234 @@
         struct im_connection *ic = data;
         struct jabber_data *jd = ic->proto_data;
-        struct xt_node *reply = NULL;
+        struct xt_node *reply_pkt = NULL;
         char *nonce = NULL, *realm = NULL, *cnonce = NULL;
         unsigned char cnonce_bin[30];
         char *digest_uri = NULL;
         char *dec = NULL;
-        char *s = NULL;
+        char *s = NULL, *reply = NULL;
         xt_status ret = XT_ABORT;
         
@@ -210 +247 @@
         dec = frombase64( node->text );
         
-        if( !( s = sasl_get_part( dec, "rspauth" ) ) )
+        if( jd->flags & JFLAG_SASL_FB )
+        {
+                /* Facebook proprietary authentication. Not as useful as it seemed, but
+                   the code's written now, may as well keep it..
+                   
+                   Mechanism is described on http://developers.facebook.com/docs/chat/
+                   and in their Python module. It's all mostly useless because the tokens
+                   expire after 24h. */
+                GSList *p_in = NULL, *p_out = NULL, *p;
+                md5_state_t md5;
+                char time[33], *token;
+                const char *secret;
+                
+                oauth_params_parse( &p_in, dec );
+                oauth_params_add( &p_out, "nonce", oauth_params_get( &p_in, "nonce" ) );
+                oauth_params_add( &p_out, "method", oauth_params_get( &p_in, "method" ) );
+                oauth_params_free( &p_in );
+                
+                token = g_strdup( ic->acc->pass );
+                oauth_params_parse( &p_in, token );
+                g_free( token );
+                oauth_params_add( &p_out, "session_key", oauth_params_get( &p_in, "session_key" ) );
+                
+                g_snprintf( time, sizeof( time ), "%lld", (long long) ( gettime() * 1000 ) );
+                oauth_params_add( &p_out, "call_id", time );
+                oauth_params_add( &p_out, "api_key", oauth2_service_facebook.consumer_key );
+                oauth_params_add( &p_out, "v", "1.0" );
+                oauth_params_add( &p_out, "format", "XML" );
+                
+                md5_init( &md5 );
+                for( p = p_out; p; p = p->next )
+                        md5_append( &md5, p->data, strlen( p->data ) );
+                
+                secret = oauth_params_get( &p_in, "secret" );
+                if( secret )
+                        md5_append( &md5, (unsigned char*) secret, strlen( secret ) );
+                md5_finish_ascii( &md5, time );
+                oauth_params_add( &p_out, "sig", time );
+                
+                reply = oauth_params_string( p_out );
+                oauth_params_free( &p_out );
+                oauth_params_free( &p_in );
+        }
+        else if( !( s = sasl_get_part( dec, "rspauth" ) ) )
         {
                 /* See RFC 2831 for for information. */
@@ -271 +351 @@
                 
                 /* Now build the SASL response string: */
-                g_free( dec );
-                dec = g_strdup_printf( "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\","
-                                       "nc=%08x,qop=auth,digest-uri=\"%s\",response=%s,charset=%s",
-                                       jd->username, realm, nonce, cnonce, 1, digest_uri, Hh, "utf-8" );
-                s = tobase64( dec );
+                reply = g_strdup_printf( "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\","
+                                         "nc=%08x,qop=auth,digest-uri=\"%s\",response=%s,charset=%s",
+                                         jd->username, realm, nonce, cnonce, 1, digest_uri, Hh, "utf-8" );
         }
         else
         {
                 /* We found rspauth, but don't really care... */
-                g_free( s );
-                s = NULL;
-        }
-        
-        reply = xt_new_node( "response", s, NULL );
-        xt_add_attr( reply, "xmlns", XMLNS_SASL );
-        
-        if( !jabber_write_packet( ic, reply ) )
+        }
+        
+        s = reply ? tobase64( reply ) : NULL;
+        reply_pkt = xt_new_node( "response", s, NULL );
+        xt_add_attr( reply_pkt, "xmlns", XMLNS_SASL );
+        
+        if( !jabber_write_packet( ic, reply_pkt ) )
                 goto silent_error;
         
@@ -301 +378 @@
         g_free( cnonce );
         g_free( nonce );
+        g_free( reply );
         g_free( realm );
         g_free( dec );
         g_free( s );
-        xt_free_node( reply );
+        xt_free_node( reply_pkt );
         
         return ret;
@@ -347 +425 @@
         return ( jd->xt && jd->xt->root && xt_find_attr( jd->xt->root, "version" ) ) != 0;
 }
+
+void sasl_oauth2_init( struct im_connection *ic )
+{
+        char *msg, *url;
+        
+        imcb_log( ic, "Starting OAuth authentication" );
+        
+        /* Temporary contact, just used to receive the OAuth response. */
+        imcb_add_buddy( ic, "jabber_oauth", NULL );
+        url = oauth2_url( &oauth2_service_google,
+                          "https://www.googleapis.com/auth/googletalk" );
+        msg = g_strdup_printf( "Open this URL in your browser to authenticate: %s", url );
+        imcb_buddy_msg( ic, "jabber_oauth", msg, 0, 0 );
+        imcb_buddy_msg( ic, "jabber_oauth", "Respond to this message with the returned "
+                                            "authorization token.", 0, 0 );
+        
+        g_free( msg );
+        g_free( url );
+}
+
+static gboolean sasl_oauth2_remove_contact( gpointer data, gint fd, b_input_condition cond )
+{
+        struct im_connection *ic = data;
+        if( g_slist_find( jabber_connections, ic ) )
+                imcb_remove_buddy( ic, "jabber_oauth", NULL );
+        return FALSE;
+}
+
+static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token );
+
+int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg )
+{
+        char *code;
+        int ret;
+        
+        imcb_log( ic, "Requesting OAuth access token" );
+        
+        /* Don't do it here because the caller may get confused if the contact
+           we're currently sending a message to is deleted. */
+        b_timeout_add( 1, sasl_oauth2_remove_contact, ic );
+        
+        code = g_strdup( msg );
+        g_strstrip( code );
+        ret = oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_CODE,
+                                   code, sasl_oauth2_got_token, ic );
+        
+        g_free( code );
+        return ret;
+}
+
+int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token )
+{
+        return oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_REFRESH,
+                                    refresh_token, sasl_oauth2_got_token, ic );
+}
+
+static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token )
+{
+        struct im_connection *ic = data;
+        struct jabber_data *jd;
+        
+        if( g_slist_find( jabber_connections, ic ) == NULL )
+                return;
+        
+        jd = ic->proto_data;
+        
+        if( access_token == NULL )
+        {
+                imcb_error( ic, "OAuth failure (missing access token)" );
+                imc_logout( ic, TRUE );
+                return;
+        }
+        if( refresh_token != NULL )
+        {
+                g_free( ic->acc->pass );
+                ic->acc->pass = g_strdup_printf( "refresh_token=%s", refresh_token );
+        }
+        
+        g_free( jd->oauth2_access_token );
+        jd->oauth2_access_token = g_strdup( access_token );
+        
+        jabber_connect( ic );
+}