Remove useless comparison
[pidgin-git.git] / libpurple / protocols / oscar / clientlogin.c
blob549fb69b80cf5561e075ae19c32d55b88d5faf07
1 /*
2 * Purple's oscar protocol plugin
3 * This file is the legal property of its developers.
4 * Please see the AUTHORS file distributed alongside this file.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
21 /**
22 * This file implements AIM's clientLogin procedure for authenticating
23 * users. This replaces the older MD5-based and XOR-based
24 * authentication methods that use SNAC family 0x0017.
26 * This doesn't use SNACs or FLAPs at all. It makes http and https
27 * POSTs to AOL to validate the user based on the password they
28 * provided to us. Upon successful authentication we request a
29 * connection to the BOS server by calling startOSCARsession. The
30 * AOL server gives us the hostname and port number to use, as well
31 * as the cookie to use to authenticate to the BOS server. And then
32 * everything else is the same as with BUCP.
34 * For details, see:
35 * http://dev.aol.com/aim/oscar/#AUTH
36 * http://dev.aol.com/authentication_for_clients
39 #include "oscar.h"
40 #include "oscarcommon.h"
42 #include "cipher.h"
43 #include "core.h"
45 #define AIM_LOGIN_HOST "api.screenname.aol.com"
46 #define ICQ_LOGIN_HOST "api.login.icq.net"
48 #define AIM_API_HOST "api.oscar.aol.com"
49 #define ICQ_API_HOST "api.icq.net"
51 #define CLIENT_LOGIN_PAGE "/auth/clientLogin"
52 #define START_OSCAR_SESSION_PAGE "/aim/startOSCARSession"
54 #define HTTPS_FORMAT_URL(host, page) "https://" host page
56 static const gchar *client_login_urls[] = {
57 HTTPS_FORMAT_URL(AIM_LOGIN_HOST, CLIENT_LOGIN_PAGE),
58 HTTPS_FORMAT_URL(ICQ_LOGIN_HOST, CLIENT_LOGIN_PAGE),
61 static const gchar *start_oscar_session_urls[] = {
62 HTTPS_FORMAT_URL(AIM_API_HOST, START_OSCAR_SESSION_PAGE),
63 HTTPS_FORMAT_URL(ICQ_API_HOST, START_OSCAR_SESSION_PAGE),
66 static const gchar *get_client_login_url(OscarData *od)
68 return client_login_urls[od->icq ? 1 : 0];
71 static const gchar *get_start_oscar_session_url(OscarData *od)
73 return start_oscar_session_urls[od->icq ? 1 : 0];
76 static const char *get_client_key(OscarData *od)
78 return oscar_get_ui_info_string(
79 od->icq ? "prpl-icq-clientkey" : "prpl-aim-clientkey",
80 od->icq ? ICQ_DEFAULT_CLIENT_KEY : AIM_DEFAULT_CLIENT_KEY);
83 static gchar *generate_error_message(xmlnode *resp, const char *url)
85 xmlnode *text;
86 xmlnode *status_code_node;
87 gboolean have_error_code = TRUE;
88 gchar *err = NULL;
89 gchar *details = NULL;
91 status_code_node = xmlnode_get_child(resp, "statusCode");
92 if (status_code_node) {
93 gchar *status_code;
95 /* We can get 200 OK here if the server omitted something we think it shouldn't have (see #12783).
96 * No point in showing the "Ok" string to the user.
98 status_code = xmlnode_get_data_unescaped(status_code_node);
99 if (purple_strequal(status_code, "200")) {
100 have_error_code = FALSE;
103 if (have_error_code && resp && (text = xmlnode_get_child(resp, "statusText"))) {
104 details = xmlnode_get_data(text);
107 if (details && *details) {
108 err = g_strdup_printf(_("Received unexpected response from %s: %s"), url, details);
109 } else {
110 err = g_strdup_printf(_("Received unexpected response from %s"), url);
113 g_free(details);
114 return err;
118 * @return A null-terminated base64 encoded version of the HMAC
119 * calculated using the given key and data.
121 static gchar *hmac_sha256(const char *key, const char *message)
123 PurpleCipherContext *context;
124 guchar digest[32];
126 context = purple_cipher_context_new_by_name("hmac", NULL);
127 purple_cipher_context_set_option(context, "hash", "sha256");
128 purple_cipher_context_set_key(context, (guchar *)key);
129 purple_cipher_context_append(context, (guchar *)message, strlen(message));
130 purple_cipher_context_digest(context, sizeof(digest), digest, NULL);
131 purple_cipher_context_destroy(context);
133 return purple_base64_encode(digest, sizeof(digest));
137 * @return A base-64 encoded HMAC-SHA256 signature created using the
138 * technique documented at
139 * http://dev.aol.com/authentication_for_clients#signing
141 static gchar *generate_signature(const char *method, const char *url, const char *parameters, const char *session_key)
143 char *encoded_url, *signature_base_string, *signature;
144 const char *encoded_parameters;
146 encoded_url = g_strdup(purple_url_encode(url));
147 encoded_parameters = purple_url_encode(parameters);
148 signature_base_string = g_strdup_printf("%s&%s&%s",
149 method, encoded_url, encoded_parameters);
150 g_free(encoded_url);
152 signature = hmac_sha256(session_key, signature_base_string);
153 g_free(signature_base_string);
155 return signature;
158 static gboolean parse_start_oscar_session_response(PurpleConnection *gc, const gchar *response, gsize response_len, char **host, unsigned short *port, char **cookie, char **tls_certname)
160 OscarData *od = purple_connection_get_protocol_data(gc);
161 xmlnode *response_node, *tmp_node, *data_node;
162 xmlnode *host_node = NULL, *port_node = NULL, *cookie_node = NULL, *tls_node = NULL;
163 char *tmp;
164 guint code;
165 const gchar *encryption_type = purple_account_get_string(purple_connection_get_account(gc), "encryption", OSCAR_DEFAULT_ENCRYPTION);
167 /* Parse the response as XML */
168 response_node = xmlnode_from_str(response, response_len);
169 if (response_node == NULL)
171 char *msg;
172 purple_debug_error("oscar", "startOSCARSession could not parse "
173 "response as XML: %s\n", response);
174 /* Note to translators: %s in this string is a URL */
175 msg = generate_error_message(response_node,
176 get_start_oscar_session_url(od));
177 purple_connection_error_reason(gc,
178 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
179 g_free(msg);
180 return FALSE;
183 /* Grab the necessary XML nodes */
184 tmp_node = xmlnode_get_child(response_node, "statusCode");
185 data_node = xmlnode_get_child(response_node, "data");
186 if (data_node != NULL) {
187 host_node = xmlnode_get_child(data_node, "host");
188 port_node = xmlnode_get_child(data_node, "port");
189 cookie_node = xmlnode_get_child(data_node, "cookie");
192 /* Make sure we have a status code */
193 if (tmp_node == NULL || (tmp = xmlnode_get_data_unescaped(tmp_node)) == NULL) {
194 char *msg;
195 purple_debug_error("oscar", "startOSCARSession response was "
196 "missing statusCode: %s\n", response);
197 msg = generate_error_message(response_node,
198 get_start_oscar_session_url(od));
199 purple_connection_error_reason(gc,
200 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
201 g_free(msg);
202 xmlnode_free(response_node);
203 return FALSE;
206 /* Make sure the status code was 200 */
207 code = atoi(tmp);
208 if (code != 200)
210 xmlnode *status_detail_node;
211 guint status_detail = 0;
213 status_detail_node = xmlnode_get_child(response_node,
214 "statusDetailCode");
215 if (status_detail_node) {
216 gchar *data = xmlnode_get_data(status_detail_node);
217 if (data) {
218 status_detail = atoi(data);
219 g_free(data);
223 purple_debug_error("oscar", "startOSCARSession response statusCode "
224 "was %s: %s\n", tmp, response);
226 if ((code == 401 && status_detail != 1014) || code == 607)
227 purple_connection_error_reason(gc,
228 PURPLE_CONNECTION_ERROR_OTHER_ERROR,
229 _("You have been connecting and disconnecting too "
230 "frequently. Wait ten minutes and try again. If "
231 "you continue to try, you will need to wait even "
232 "longer."));
233 else {
234 char *msg;
235 msg = generate_error_message(response_node,
236 get_start_oscar_session_url(od));
237 purple_connection_error_reason(gc,
238 PURPLE_CONNECTION_ERROR_OTHER_ERROR, msg);
239 g_free(msg);
242 g_free(tmp);
243 xmlnode_free(response_node);
244 return FALSE;
246 g_free(tmp);
248 /* Make sure we have everything else */
249 if (data_node == NULL || host_node == NULL || port_node == NULL || cookie_node == NULL)
251 char *msg;
252 purple_debug_error("oscar", "startOSCARSession response was missing "
253 "something: %s\n", response);
254 msg = generate_error_message(response_node,
255 get_start_oscar_session_url(od));
256 purple_connection_error_reason(gc,
257 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
258 g_free(msg);
259 xmlnode_free(response_node);
260 return FALSE;
263 if (!purple_strequal(encryption_type, OSCAR_NO_ENCRYPTION)) {
264 tls_node = xmlnode_get_child(data_node, "tlsCertName");
265 if (tls_node != NULL) {
266 *tls_certname = xmlnode_get_data_unescaped(tls_node);
267 } else {
268 if (purple_strequal(encryption_type, OSCAR_OPPORTUNISTIC_ENCRYPTION)) {
269 purple_debug_warning("oscar", "We haven't received a tlsCertName to use. We will not do SSL to BOS.\n");
270 } else {
271 purple_debug_error("oscar", "startOSCARSession was missing tlsCertName: %s\n", response);
272 purple_connection_error_reason(
274 PURPLE_CONNECTION_ERROR_NO_SSL_SUPPORT,
275 _("You required encryption in your account settings, but one of the servers doesn't support it."));
276 xmlnode_free(response_node);
277 return FALSE;
282 /* Extract data from the XML */
283 *host = xmlnode_get_data_unescaped(host_node);
284 tmp = xmlnode_get_data_unescaped(port_node);
285 *cookie = xmlnode_get_data_unescaped(cookie_node);
287 if (*host == NULL || **host == '\0' || tmp == NULL || *tmp == '\0' || *cookie == NULL || **cookie == '\0')
289 char *msg;
290 purple_debug_error("oscar", "startOSCARSession response was missing "
291 "something: %s\n", response);
292 msg = generate_error_message(response_node,
293 get_start_oscar_session_url(od));
294 purple_connection_error_reason(gc,
295 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
296 g_free(msg);
297 g_free(*host);
298 g_free(tmp);
299 g_free(*cookie);
300 xmlnode_free(response_node);
301 return FALSE;
304 *port = atoi(tmp);
305 g_free(tmp);
307 return TRUE;
310 static void start_oscar_session_cb(PurpleUtilFetchUrlData *url_data, gpointer user_data, const gchar *url_text, gsize len, const gchar *error_message)
312 OscarData *od;
313 PurpleConnection *gc;
314 char *host, *cookie;
315 char *tls_certname = NULL;
316 unsigned short port;
317 guint8 *cookiedata;
318 gsize cookiedata_len = 0;
320 od = user_data;
321 gc = od->gc;
323 od->url_data = NULL;
325 if (error_message != NULL || len == 0) {
326 gchar *tmp;
327 /* Note to translators: The first %s is a URL, the second is an
328 error message. */
329 tmp = g_strdup_printf(_("Error requesting %s: %s"),
330 get_start_oscar_session_url(od), error_message ?
331 error_message : _("The server returned an empty response"));
332 purple_connection_error_reason(gc,
333 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, tmp);
334 g_free(tmp);
335 return;
338 if (!parse_start_oscar_session_response(gc, url_text, len, &host, &port, &cookie, &tls_certname))
339 return;
341 cookiedata = purple_base64_decode(cookie, &cookiedata_len);
342 oscar_connect_to_bos(gc, od, host, port, cookiedata, cookiedata_len, tls_certname);
343 g_free(cookiedata);
345 g_free(host);
346 g_free(cookie);
347 g_free(tls_certname);
350 static void send_start_oscar_session(OscarData *od, const char *token, const char *session_key, time_t hosttime)
352 char *query_string, *signature, *url;
353 PurpleAccount *account = purple_connection_get_account(od->gc);
354 const gchar *encryption_type = purple_account_get_string(account, "encryption", OSCAR_DEFAULT_ENCRYPTION);
357 * Construct the GET parameters.
359 query_string = g_strdup_printf("a=%s"
360 "&distId=%d"
361 "&f=xml"
362 "&k=%s"
363 "&ts=%" PURPLE_TIME_T_MODIFIER
364 "&useTLS=%d",
365 purple_url_encode(token),
366 oscar_get_ui_info_int(od->icq ? "prpl-icq-distid" : "prpl-aim-distid",
367 od->icq ? ICQ_DEFAULT_DIST_ID : AIM_DEFAULT_DIST_ID),
368 get_client_key(od),
369 hosttime,
370 !purple_strequal(encryption_type, OSCAR_NO_ENCRYPTION));
371 signature = generate_signature("GET", get_start_oscar_session_url(od),
372 query_string, session_key);
373 url = g_strdup_printf("%s?%s&sig_sha256=%s", get_start_oscar_session_url(od),
374 query_string, signature);
375 g_free(query_string);
376 g_free(signature);
378 /* Make the request */
379 od->url_data = purple_util_fetch_url_request_len_with_account(account,
380 url, TRUE, NULL, FALSE, NULL, FALSE, -1,
381 start_oscar_session_cb, od);
382 g_free(url);
386 * This function parses the given response from a clientLogin request
387 * and extracts the useful information.
389 * @param gc The PurpleConnection. If the response data does
390 * not indicate then purple_connection_error_reason()
391 * will be called to close this connection.
392 * @param response The response data from the clientLogin request.
393 * @param response_len The length of the above response, or -1 if
394 * @response is NUL terminated.
395 * @param token If parsing was successful then this will be set to
396 * a newly allocated string containing the token. The
397 * caller should g_free this string when it is finished
398 * with it. On failure this value will be untouched.
399 * @param secret If parsing was successful then this will be set to
400 * a newly allocated string containing the secret. The
401 * caller should g_free this string when it is finished
402 * with it. On failure this value will be untouched.
403 * @param hosttime If parsing was successful then this will be set to
404 * the time on the OpenAuth Server in seconds since the
405 * Unix epoch. On failure this value will be untouched.
407 * @return TRUE if the request was successful and we were able to
408 * extract all info we need. Otherwise FALSE.
410 static gboolean parse_client_login_response(PurpleConnection *gc, const gchar *response, gsize response_len, char **token, char **secret, time_t *hosttime)
412 OscarData *od = purple_connection_get_protocol_data(gc);
413 xmlnode *response_node, *tmp_node, *data_node;
414 xmlnode *secret_node = NULL, *hosttime_node = NULL, *token_node = NULL, *tokena_node = NULL;
415 char *tmp;
417 /* Parse the response as XML */
418 response_node = xmlnode_from_str(response, response_len);
419 if (response_node == NULL)
421 char *msg;
422 purple_debug_error("oscar", "clientLogin could not parse "
423 "response as XML: %s\n", response);
424 msg = generate_error_message(response_node,
425 get_client_login_url(od));
426 purple_connection_error_reason(gc,
427 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
428 g_free(msg);
429 return FALSE;
432 /* Grab the necessary XML nodes */
433 tmp_node = xmlnode_get_child(response_node, "statusCode");
434 data_node = xmlnode_get_child(response_node, "data");
435 if (data_node != NULL) {
436 secret_node = xmlnode_get_child(data_node, "sessionSecret");
437 hosttime_node = xmlnode_get_child(data_node, "hostTime");
438 token_node = xmlnode_get_child(data_node, "token");
439 if (token_node != NULL)
440 tokena_node = xmlnode_get_child(token_node, "a");
443 /* Make sure we have a status code */
444 if (tmp_node == NULL || (tmp = xmlnode_get_data_unescaped(tmp_node)) == NULL) {
445 char *msg;
446 purple_debug_error("oscar", "clientLogin response was "
447 "missing statusCode: %s\n", response);
448 msg = generate_error_message(response_node,
449 get_client_login_url(od));
450 purple_connection_error_reason(gc,
451 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
452 g_free(msg);
453 xmlnode_free(response_node);
454 return FALSE;
457 /* Make sure the status code was 200 */
458 if (!purple_strequal(tmp, "200"))
460 int status_code, status_detail_code = 0;
462 status_code = atoi(tmp);
463 g_free(tmp);
464 tmp_node = xmlnode_get_child(response_node, "statusDetailCode");
465 if (tmp_node != NULL && (tmp = xmlnode_get_data_unescaped(tmp_node)) != NULL) {
466 status_detail_code = atoi(tmp);
467 g_free(tmp);
470 purple_debug_error("oscar", "clientLogin response statusCode "
471 "was %d (%d): %s\n", status_code, status_detail_code, response);
473 if (status_code == 330 && status_detail_code == 3011) {
474 PurpleAccount *account = purple_connection_get_account(gc);
475 if (!purple_account_get_remember_password(account))
476 purple_account_set_password(account, NULL);
477 purple_connection_error_reason(gc,
478 PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED,
479 _("Incorrect password"));
480 } else if (status_code == 330 && status_detail_code == 3015) {
481 purple_connection_error_reason(gc,
482 PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED,
483 _("Server requested that you fill out a CAPTCHA in order to "
484 "sign in, but this client does not currently support CAPTCHAs."));
485 } else if (status_code == 401 && status_detail_code == 3019) {
486 purple_connection_error_reason(gc,
487 PURPLE_CONNECTION_ERROR_OTHER_ERROR,
488 _("AOL does not allow your screen name to authenticate here"));
489 } else {
490 char *msg;
491 msg = generate_error_message(response_node,
492 get_client_login_url(od));
493 purple_connection_error_reason(gc,
494 PURPLE_CONNECTION_ERROR_OTHER_ERROR, msg);
495 g_free(msg);
498 xmlnode_free(response_node);
499 return FALSE;
501 g_free(tmp);
503 /* Make sure we have everything else */
504 if (data_node == NULL || secret_node == NULL ||
505 token_node == NULL || tokena_node == NULL)
507 char *msg;
508 purple_debug_error("oscar", "clientLogin response was missing "
509 "something: %s\n", response);
510 msg = generate_error_message(response_node,
511 get_client_login_url(od));
512 purple_connection_error_reason(gc,
513 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
514 g_free(msg);
515 xmlnode_free(response_node);
516 return FALSE;
519 /* Extract data from the XML */
520 *token = xmlnode_get_data_unescaped(tokena_node);
521 *secret = xmlnode_get_data_unescaped(secret_node);
522 tmp = xmlnode_get_data_unescaped(hosttime_node);
523 if (*token == NULL || **token == '\0' || *secret == NULL || **secret == '\0' || tmp == NULL || *tmp == '\0')
525 char *msg;
526 purple_debug_error("oscar", "clientLogin response was missing "
527 "something: %s\n", response);
528 msg = generate_error_message(response_node,
529 get_client_login_url(od));
530 purple_connection_error_reason(gc,
531 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, msg);
532 g_free(msg);
533 g_free(*token);
534 g_free(*secret);
535 g_free(tmp);
536 xmlnode_free(response_node);
537 return FALSE;
540 *hosttime = strtol(tmp, NULL, 10);
541 g_free(tmp);
543 xmlnode_free(response_node);
545 return TRUE;
548 static void client_login_cb(PurpleUtilFetchUrlData *url_data, gpointer user_data, const gchar *url_text, gsize len, const gchar *error_message)
550 OscarData *od;
551 PurpleConnection *gc;
552 char *token, *secret, *session_key;
553 time_t hosttime;
554 int password_len;
555 char *password;
557 od = user_data;
558 gc = od->gc;
560 od->url_data = NULL;
562 if (error_message != NULL || len == 0) {
563 gchar *tmp;
564 tmp = g_strdup_printf(_("Error requesting %s: %s"),
565 get_client_login_url(od), error_message ?
566 error_message : _("The server returned an empty response"));
567 purple_connection_error_reason(gc,
568 PURPLE_CONNECTION_ERROR_NETWORK_ERROR, tmp);
569 g_free(tmp);
570 return;
573 if (!parse_client_login_response(gc, url_text, len, &token, &secret, &hosttime))
574 return;
576 password_len = strlen(purple_connection_get_password(gc));
577 password = g_strdup_printf("%.*s",
578 od->icq ? MIN(password_len, MAXICQPASSLEN) : password_len,
579 purple_connection_get_password(gc));
580 session_key = hmac_sha256(password, secret);
581 g_free(password);
582 g_free(secret);
584 send_start_oscar_session(od, token, session_key, hosttime);
586 g_free(token);
587 g_free(session_key);
591 * This function sends a request to
592 * https://api.screenname.aol.com/auth/clientLogin with the user's
593 * username and password and receives the user's session key, which is
594 * used to request a connection to the BOSS server.
596 void send_client_login(OscarData *od, const char *username)
598 PurpleConnection *gc;
599 GString *request, *body;
600 const char *tmp;
601 char *password;
602 int password_len;
604 gc = od->gc;
607 * We truncate ICQ passwords to 8 characters. There is probably a
608 * limit for AIM passwords, too, but we really only need to do
609 * this for ICQ because older ICQ clients let you enter a password
610 * as long as you wanted and then they truncated it silently.
612 * And we can truncate based on the number of bytes and not the
613 * number of characters because passwords for AIM and ICQ are
614 * supposed to be plain ASCII (I don't know if this has always been
615 * the case, though).
617 tmp = purple_connection_get_password(gc);
618 password_len = strlen(tmp);
619 password = g_strndup(tmp, od->icq ? MIN(password_len, MAXICQPASSLEN) : password_len);
621 /* Construct the body of the HTTP POST request */
622 body = g_string_new("");
623 g_string_append_printf(body, "devId=%s", get_client_key(od));
624 g_string_append_printf(body, "&f=xml");
625 g_string_append_printf(body, "&pwd=%s", purple_url_encode(password));
626 g_string_append_printf(body, "&s=%s", purple_url_encode(username));
627 g_free(password);
629 /* Construct an HTTP POST request */
630 request = g_string_new("POST /auth/clientLogin HTTP/1.0\r\n"
631 "Connection: close\r\n"
632 "Accept: */*\r\n");
634 /* Tack on the body */
635 g_string_append_printf(request, "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n");
636 g_string_append_printf(request, "Content-Length: %" G_GSIZE_FORMAT "\r\n\r\n", body->len);
637 g_string_append_len(request, body->str, body->len);
638 g_string_free(body, TRUE);
640 /* Send the POST request */
641 od->url_data = purple_util_fetch_url_request_len_with_account(
642 purple_connection_get_account(gc), get_client_login_url(od),
643 TRUE, NULL, FALSE, request->str, FALSE, -1,
644 client_login_cb, od);
645 g_string_free(request, TRUE);