2 * Purple's oscar protocol plugin
3 * This file is the legal property of its developers.
4 * Please see the AUTHORS file distributed alongside this file.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
22 * This file implements AIM's clientLogin procedure for authenticating
23 * users. This replaces the older MD5-based and XOR-based
24 * authentication methods that use SNAC family 0x0017.
26 * This doesn't use SNACs or FLAPs at all. It makes http and https
27 * POSTs to AOL to validate the user based on the password they
28 * provided to us. Upon successful authentication we request a
29 * connection to the BOS server by calling startOSCARsession. The
30 * AOL server gives us the hostname and port number to use, as well
31 * as the cookie to use to authenticate to the BOS server. And then
32 * everything else is the same as with BUCP.
35 * http://dev.aol.com/aim/oscar/#AUTH
36 * http://dev.aol.com/authentication_for_clients
40 #include "oscarcommon.h"
45 #define AIM_LOGIN_HOST "api.screenname.aol.com"
46 #define ICQ_LOGIN_HOST "api.login.icq.net"
48 #define AIM_API_HOST "api.oscar.aol.com"
49 #define ICQ_API_HOST "api.icq.net"
51 #define CLIENT_LOGIN_PAGE "/auth/clientLogin"
52 #define START_OSCAR_SESSION_PAGE "/aim/startOSCARSession"
54 #define HTTPS_FORMAT_URL(host, page) "https://" host page
56 static const gchar
*client_login_urls
[] = {
57 HTTPS_FORMAT_URL(AIM_LOGIN_HOST
, CLIENT_LOGIN_PAGE
),
58 HTTPS_FORMAT_URL(ICQ_LOGIN_HOST
, CLIENT_LOGIN_PAGE
),
61 static const gchar
*start_oscar_session_urls
[] = {
62 HTTPS_FORMAT_URL(AIM_API_HOST
, START_OSCAR_SESSION_PAGE
),
63 HTTPS_FORMAT_URL(ICQ_API_HOST
, START_OSCAR_SESSION_PAGE
),
66 static const gchar
*get_client_login_url(OscarData
*od
)
68 return client_login_urls
[od
->icq
? 1 : 0];
71 static const gchar
*get_start_oscar_session_url(OscarData
*od
)
73 return start_oscar_session_urls
[od
->icq
? 1 : 0];
76 static const char *get_client_key(OscarData
*od
)
78 return oscar_get_ui_info_string(
79 od
->icq
? "prpl-icq-clientkey" : "prpl-aim-clientkey",
80 od
->icq
? ICQ_DEFAULT_CLIENT_KEY
: AIM_DEFAULT_CLIENT_KEY
);
83 static gchar
*generate_error_message(xmlnode
*resp
, const char *url
)
86 xmlnode
*status_code_node
;
87 gboolean have_error_code
= TRUE
;
89 gchar
*details
= NULL
;
91 status_code_node
= xmlnode_get_child(resp
, "statusCode");
92 if (status_code_node
) {
95 /* We can get 200 OK here if the server omitted something we think it shouldn't have (see #12783).
96 * No point in showing the "Ok" string to the user.
98 status_code
= xmlnode_get_data_unescaped(status_code_node
);
99 if (purple_strequal(status_code
, "200")) {
100 have_error_code
= FALSE
;
103 if (have_error_code
&& resp
&& (text
= xmlnode_get_child(resp
, "statusText"))) {
104 details
= xmlnode_get_data(text
);
107 if (details
&& *details
) {
108 err
= g_strdup_printf(_("Received unexpected response from %s: %s"), url
, details
);
110 err
= g_strdup_printf(_("Received unexpected response from %s"), url
);
118 * @return A null-terminated base64 encoded version of the HMAC
119 * calculated using the given key and data.
121 static gchar
*hmac_sha256(const char *key
, const char *message
)
123 PurpleCipherContext
*context
;
126 context
= purple_cipher_context_new_by_name("hmac", NULL
);
127 purple_cipher_context_set_option(context
, "hash", "sha256");
128 purple_cipher_context_set_key(context
, (guchar
*)key
);
129 purple_cipher_context_append(context
, (guchar
*)message
, strlen(message
));
130 purple_cipher_context_digest(context
, sizeof(digest
), digest
, NULL
);
131 purple_cipher_context_destroy(context
);
133 return purple_base64_encode(digest
, sizeof(digest
));
137 * @return A base-64 encoded HMAC-SHA256 signature created using the
138 * technique documented at
139 * http://dev.aol.com/authentication_for_clients#signing
141 static gchar
*generate_signature(const char *method
, const char *url
, const char *parameters
, const char *session_key
)
143 char *encoded_url
, *signature_base_string
, *signature
;
144 const char *encoded_parameters
;
146 encoded_url
= g_strdup(purple_url_encode(url
));
147 encoded_parameters
= purple_url_encode(parameters
);
148 signature_base_string
= g_strdup_printf("%s&%s&%s",
149 method
, encoded_url
, encoded_parameters
);
152 signature
= hmac_sha256(session_key
, signature_base_string
);
153 g_free(signature_base_string
);
158 static gboolean
parse_start_oscar_session_response(PurpleConnection
*gc
, const gchar
*response
, gsize response_len
, char **host
, unsigned short *port
, char **cookie
, char **tls_certname
)
160 OscarData
*od
= purple_connection_get_protocol_data(gc
);
161 xmlnode
*response_node
, *tmp_node
, *data_node
;
162 xmlnode
*host_node
= NULL
, *port_node
= NULL
, *cookie_node
= NULL
, *tls_node
= NULL
;
165 const gchar
*encryption_type
= purple_account_get_string(purple_connection_get_account(gc
), "encryption", OSCAR_DEFAULT_ENCRYPTION
);
167 /* Parse the response as XML */
168 response_node
= xmlnode_from_str(response
, response_len
);
169 if (response_node
== NULL
)
172 purple_debug_error("oscar", "startOSCARSession could not parse "
173 "response as XML: %s\n", response
);
174 /* Note to translators: %s in this string is a URL */
175 msg
= generate_error_message(response_node
,
176 get_start_oscar_session_url(od
));
177 purple_connection_error_reason(gc
,
178 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
183 /* Grab the necessary XML nodes */
184 tmp_node
= xmlnode_get_child(response_node
, "statusCode");
185 data_node
= xmlnode_get_child(response_node
, "data");
186 if (data_node
!= NULL
) {
187 host_node
= xmlnode_get_child(data_node
, "host");
188 port_node
= xmlnode_get_child(data_node
, "port");
189 cookie_node
= xmlnode_get_child(data_node
, "cookie");
192 /* Make sure we have a status code */
193 if (tmp_node
== NULL
|| (tmp
= xmlnode_get_data_unescaped(tmp_node
)) == NULL
) {
195 purple_debug_error("oscar", "startOSCARSession response was "
196 "missing statusCode: %s\n", response
);
197 msg
= generate_error_message(response_node
,
198 get_start_oscar_session_url(od
));
199 purple_connection_error_reason(gc
,
200 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
202 xmlnode_free(response_node
);
206 /* Make sure the status code was 200 */
210 xmlnode
*status_detail_node
;
211 guint status_detail
= 0;
213 status_detail_node
= xmlnode_get_child(response_node
,
215 if (status_detail_node
) {
216 gchar
*data
= xmlnode_get_data(status_detail_node
);
218 status_detail
= atoi(data
);
223 purple_debug_error("oscar", "startOSCARSession response statusCode "
224 "was %s: %s\n", tmp
, response
);
226 if ((code
== 401 && status_detail
!= 1014) || code
== 607)
227 purple_connection_error_reason(gc
,
228 PURPLE_CONNECTION_ERROR_OTHER_ERROR
,
229 _("You have been connecting and disconnecting too "
230 "frequently. Wait ten minutes and try again. If "
231 "you continue to try, you will need to wait even "
235 msg
= generate_error_message(response_node
,
236 get_start_oscar_session_url(od
));
237 purple_connection_error_reason(gc
,
238 PURPLE_CONNECTION_ERROR_OTHER_ERROR
, msg
);
243 xmlnode_free(response_node
);
248 /* Make sure we have everything else */
249 if (data_node
== NULL
|| host_node
== NULL
|| port_node
== NULL
|| cookie_node
== NULL
)
252 purple_debug_error("oscar", "startOSCARSession response was missing "
253 "something: %s\n", response
);
254 msg
= generate_error_message(response_node
,
255 get_start_oscar_session_url(od
));
256 purple_connection_error_reason(gc
,
257 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
259 xmlnode_free(response_node
);
263 if (!purple_strequal(encryption_type
, OSCAR_NO_ENCRYPTION
)) {
264 tls_node
= xmlnode_get_child(data_node
, "tlsCertName");
265 if (tls_node
!= NULL
) {
266 *tls_certname
= xmlnode_get_data_unescaped(tls_node
);
268 if (purple_strequal(encryption_type
, OSCAR_OPPORTUNISTIC_ENCRYPTION
)) {
269 purple_debug_warning("oscar", "We haven't received a tlsCertName to use. We will not do SSL to BOS.\n");
271 purple_debug_error("oscar", "startOSCARSession was missing tlsCertName: %s\n", response
);
272 purple_connection_error_reason(
274 PURPLE_CONNECTION_ERROR_NO_SSL_SUPPORT
,
275 _("You required encryption in your account settings, but one of the servers doesn't support it."));
276 xmlnode_free(response_node
);
282 /* Extract data from the XML */
283 *host
= xmlnode_get_data_unescaped(host_node
);
284 tmp
= xmlnode_get_data_unescaped(port_node
);
285 *cookie
= xmlnode_get_data_unescaped(cookie_node
);
287 if (*host
== NULL
|| **host
== '\0' || tmp
== NULL
|| *tmp
== '\0' || *cookie
== NULL
|| **cookie
== '\0')
290 purple_debug_error("oscar", "startOSCARSession response was missing "
291 "something: %s\n", response
);
292 msg
= generate_error_message(response_node
,
293 get_start_oscar_session_url(od
));
294 purple_connection_error_reason(gc
,
295 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
300 xmlnode_free(response_node
);
310 static void start_oscar_session_cb(PurpleUtilFetchUrlData
*url_data
, gpointer user_data
, const gchar
*url_text
, gsize len
, const gchar
*error_message
)
313 PurpleConnection
*gc
;
315 char *tls_certname
= NULL
;
318 gsize cookiedata_len
= 0;
325 if (error_message
!= NULL
|| len
== 0) {
327 /* Note to translators: The first %s is a URL, the second is an
329 tmp
= g_strdup_printf(_("Error requesting %s: %s"),
330 get_start_oscar_session_url(od
), error_message
?
331 error_message
: _("The server returned an empty response"));
332 purple_connection_error_reason(gc
,
333 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, tmp
);
338 if (!parse_start_oscar_session_response(gc
, url_text
, len
, &host
, &port
, &cookie
, &tls_certname
))
341 cookiedata
= purple_base64_decode(cookie
, &cookiedata_len
);
342 oscar_connect_to_bos(gc
, od
, host
, port
, cookiedata
, cookiedata_len
, tls_certname
);
347 g_free(tls_certname
);
350 static void send_start_oscar_session(OscarData
*od
, const char *token
, const char *session_key
, time_t hosttime
)
352 char *query_string
, *signature
, *url
;
353 PurpleAccount
*account
= purple_connection_get_account(od
->gc
);
354 const gchar
*encryption_type
= purple_account_get_string(account
, "encryption", OSCAR_DEFAULT_ENCRYPTION
);
357 * Construct the GET parameters.
359 query_string
= g_strdup_printf("a=%s"
363 "&ts=%" PURPLE_TIME_T_MODIFIER
365 purple_url_encode(token
),
366 oscar_get_ui_info_int(od
->icq
? "prpl-icq-distid" : "prpl-aim-distid",
367 od
->icq
? ICQ_DEFAULT_DIST_ID
: AIM_DEFAULT_DIST_ID
),
370 !purple_strequal(encryption_type
, OSCAR_NO_ENCRYPTION
));
371 signature
= generate_signature("GET", get_start_oscar_session_url(od
),
372 query_string
, session_key
);
373 url
= g_strdup_printf("%s?%s&sig_sha256=%s", get_start_oscar_session_url(od
),
374 query_string
, signature
);
375 g_free(query_string
);
378 /* Make the request */
379 od
->url_data
= purple_util_fetch_url_request_len_with_account(account
,
380 url
, TRUE
, NULL
, FALSE
, NULL
, FALSE
, -1,
381 start_oscar_session_cb
, od
);
386 * This function parses the given response from a clientLogin request
387 * and extracts the useful information.
389 * @param gc The PurpleConnection. If the response data does
390 * not indicate then purple_connection_error_reason()
391 * will be called to close this connection.
392 * @param response The response data from the clientLogin request.
393 * @param response_len The length of the above response, or -1 if
394 * @response is NUL terminated.
395 * @param token If parsing was successful then this will be set to
396 * a newly allocated string containing the token. The
397 * caller should g_free this string when it is finished
398 * with it. On failure this value will be untouched.
399 * @param secret If parsing was successful then this will be set to
400 * a newly allocated string containing the secret. The
401 * caller should g_free this string when it is finished
402 * with it. On failure this value will be untouched.
403 * @param hosttime If parsing was successful then this will be set to
404 * the time on the OpenAuth Server in seconds since the
405 * Unix epoch. On failure this value will be untouched.
407 * @return TRUE if the request was successful and we were able to
408 * extract all info we need. Otherwise FALSE.
410 static gboolean
parse_client_login_response(PurpleConnection
*gc
, const gchar
*response
, gsize response_len
, char **token
, char **secret
, time_t *hosttime
)
412 OscarData
*od
= purple_connection_get_protocol_data(gc
);
413 xmlnode
*response_node
, *tmp_node
, *data_node
;
414 xmlnode
*secret_node
= NULL
, *hosttime_node
= NULL
, *token_node
= NULL
, *tokena_node
= NULL
;
417 /* Parse the response as XML */
418 response_node
= xmlnode_from_str(response
, response_len
);
419 if (response_node
== NULL
)
422 purple_debug_error("oscar", "clientLogin could not parse "
423 "response as XML: %s\n", response
);
424 msg
= generate_error_message(response_node
,
425 get_client_login_url(od
));
426 purple_connection_error_reason(gc
,
427 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
432 /* Grab the necessary XML nodes */
433 tmp_node
= xmlnode_get_child(response_node
, "statusCode");
434 data_node
= xmlnode_get_child(response_node
, "data");
435 if (data_node
!= NULL
) {
436 secret_node
= xmlnode_get_child(data_node
, "sessionSecret");
437 hosttime_node
= xmlnode_get_child(data_node
, "hostTime");
438 token_node
= xmlnode_get_child(data_node
, "token");
439 if (token_node
!= NULL
)
440 tokena_node
= xmlnode_get_child(token_node
, "a");
443 /* Make sure we have a status code */
444 if (tmp_node
== NULL
|| (tmp
= xmlnode_get_data_unescaped(tmp_node
)) == NULL
) {
446 purple_debug_error("oscar", "clientLogin response was "
447 "missing statusCode: %s\n", response
);
448 msg
= generate_error_message(response_node
,
449 get_client_login_url(od
));
450 purple_connection_error_reason(gc
,
451 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
453 xmlnode_free(response_node
);
457 /* Make sure the status code was 200 */
458 if (!purple_strequal(tmp
, "200"))
460 int status_code
, status_detail_code
= 0;
462 status_code
= atoi(tmp
);
464 tmp_node
= xmlnode_get_child(response_node
, "statusDetailCode");
465 if (tmp_node
!= NULL
&& (tmp
= xmlnode_get_data_unescaped(tmp_node
)) != NULL
) {
466 status_detail_code
= atoi(tmp
);
470 purple_debug_error("oscar", "clientLogin response statusCode "
471 "was %d (%d): %s\n", status_code
, status_detail_code
, response
);
473 if (status_code
== 330 && status_detail_code
== 3011) {
474 PurpleAccount
*account
= purple_connection_get_account(gc
);
475 if (!purple_account_get_remember_password(account
))
476 purple_account_set_password(account
, NULL
);
477 purple_connection_error_reason(gc
,
478 PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED
,
479 _("Incorrect password"));
480 } else if (status_code
== 330 && status_detail_code
== 3015) {
481 purple_connection_error_reason(gc
,
482 PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED
,
483 _("Server requested that you fill out a CAPTCHA in order to "
484 "sign in, but this client does not currently support CAPTCHAs."));
485 } else if (status_code
== 401 && status_detail_code
== 3019) {
486 purple_connection_error_reason(gc
,
487 PURPLE_CONNECTION_ERROR_OTHER_ERROR
,
488 _("AOL does not allow your screen name to authenticate here"));
491 msg
= generate_error_message(response_node
,
492 get_client_login_url(od
));
493 purple_connection_error_reason(gc
,
494 PURPLE_CONNECTION_ERROR_OTHER_ERROR
, msg
);
498 xmlnode_free(response_node
);
503 /* Make sure we have everything else */
504 if (data_node
== NULL
|| secret_node
== NULL
||
505 token_node
== NULL
|| tokena_node
== NULL
)
508 purple_debug_error("oscar", "clientLogin response was missing "
509 "something: %s\n", response
);
510 msg
= generate_error_message(response_node
,
511 get_client_login_url(od
));
512 purple_connection_error_reason(gc
,
513 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
515 xmlnode_free(response_node
);
519 /* Extract data from the XML */
520 *token
= xmlnode_get_data_unescaped(tokena_node
);
521 *secret
= xmlnode_get_data_unescaped(secret_node
);
522 tmp
= xmlnode_get_data_unescaped(hosttime_node
);
523 if (*token
== NULL
|| **token
== '\0' || *secret
== NULL
|| **secret
== '\0' || tmp
== NULL
|| *tmp
== '\0')
526 purple_debug_error("oscar", "clientLogin response was missing "
527 "something: %s\n", response
);
528 msg
= generate_error_message(response_node
,
529 get_client_login_url(od
));
530 purple_connection_error_reason(gc
,
531 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, msg
);
536 xmlnode_free(response_node
);
540 *hosttime
= strtol(tmp
, NULL
, 10);
543 xmlnode_free(response_node
);
548 static void client_login_cb(PurpleUtilFetchUrlData
*url_data
, gpointer user_data
, const gchar
*url_text
, gsize len
, const gchar
*error_message
)
551 PurpleConnection
*gc
;
552 char *token
, *secret
, *session_key
;
562 if (error_message
!= NULL
|| len
== 0) {
564 tmp
= g_strdup_printf(_("Error requesting %s: %s"),
565 get_client_login_url(od
), error_message
?
566 error_message
: _("The server returned an empty response"));
567 purple_connection_error_reason(gc
,
568 PURPLE_CONNECTION_ERROR_NETWORK_ERROR
, tmp
);
573 if (!parse_client_login_response(gc
, url_text
, len
, &token
, &secret
, &hosttime
))
576 password_len
= strlen(purple_connection_get_password(gc
));
577 password
= g_strdup_printf("%.*s",
578 od
->icq
? MIN(password_len
, MAXICQPASSLEN
) : password_len
,
579 purple_connection_get_password(gc
));
580 session_key
= hmac_sha256(password
, secret
);
584 send_start_oscar_session(od
, token
, session_key
, hosttime
);
591 * This function sends a request to
592 * https://api.screenname.aol.com/auth/clientLogin with the user's
593 * username and password and receives the user's session key, which is
594 * used to request a connection to the BOSS server.
596 void send_client_login(OscarData
*od
, const char *username
)
598 PurpleConnection
*gc
;
599 GString
*request
, *body
;
607 * We truncate ICQ passwords to 8 characters. There is probably a
608 * limit for AIM passwords, too, but we really only need to do
609 * this for ICQ because older ICQ clients let you enter a password
610 * as long as you wanted and then they truncated it silently.
612 * And we can truncate based on the number of bytes and not the
613 * number of characters because passwords for AIM and ICQ are
614 * supposed to be plain ASCII (I don't know if this has always been
617 tmp
= purple_connection_get_password(gc
);
618 password_len
= strlen(tmp
);
619 password
= g_strndup(tmp
, od
->icq
? MIN(password_len
, MAXICQPASSLEN
) : password_len
);
621 /* Construct the body of the HTTP POST request */
622 body
= g_string_new("");
623 g_string_append_printf(body
, "devId=%s", get_client_key(od
));
624 g_string_append_printf(body
, "&f=xml");
625 g_string_append_printf(body
, "&pwd=%s", purple_url_encode(password
));
626 g_string_append_printf(body
, "&s=%s", purple_url_encode(username
));
629 /* Construct an HTTP POST request */
630 request
= g_string_new("POST /auth/clientLogin HTTP/1.0\r\n"
631 "Connection: close\r\n"
634 /* Tack on the body */
635 g_string_append_printf(request
, "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n");
636 g_string_append_printf(request
, "Content-Length: %" G_GSIZE_FORMAT
"\r\n\r\n", body
->len
);
637 g_string_append_len(request
, body
->str
, body
->len
);
638 g_string_free(body
, TRUE
);
640 /* Send the POST request */
641 od
->url_data
= purple_util_fetch_url_request_len_with_account(
642 purple_connection_get_account(gc
), get_client_login_url(od
),
643 TRUE
, NULL
, FALSE
, request
->str
, FALSE
, -1,
644 client_login_cb
, od
);
645 g_string_free(request
, TRUE
);