1: /*
2: * Purple's oscar protocol plugin
3: * This file is the legal property of its developers.
4: * Please see the AUTHORS file distributed alongside this file.
5: *
6: * This library is free software; you can redistribute it and/or
7: * modify it under the terms of the GNU Lesser General Public
8: * License as published by the Free Software Foundation; either
9: * version 2 of the License, or (at your option) any later version.
10: *
11: * This library is distributed in the hope that it will be useful,
12: * but WITHOUT ANY WARRANTY; without even the implied warranty of
13: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14: * Lesser General Public License for more details.
15: *
16: * You should have received a copy of the GNU Lesser General Public
17: * License along with this library; if not, write to the Free Software
18: * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
19: */
20:
21: /**
22: * This file implements AIM's kerberos procedure for authenticating
23: * users. This replaces the older MD5-based and XOR-based
24: * authentication methods that use SNAC family 0x0017.
25: *
26: * This doesn't use SNACs or FLAPs at all. It makes https
27: * POSTs to AOL KDC server to validate the user based on the password they
28: * provided to us. Upon successful authentication we receive two tokens
29: * in the response. One is assumed to be the kerberos ticket for authentication
30: * on the various AOL websites, while the other contains BOSS information, such
31: * as the hostname and port number to use, the TLS certificate name as well as
32: * the cookie to use to authenticate to the BOS server.
33: * And then everything else is the same as with BUCP.
34: *
35: */
36:
37: #include "oscar.h"
38: #include "oscarcommon.h"
39: #include "core.h"
40:
41: #define MAXAIMPASSLEN 16
42:
43: /*
44: * Incomplete X-SNAC format taken from reverse engineering doen by digsby:
45: * https://github.com/ifwe/digsby/blob/master/digsby/src/oscar/login2.py
46: */
47: typedef struct {
48: aim_tlv_t *main_tlv;
49: gchar *principal1;
50: gchar *service;
51: gchar *principal1_again;
52: gchar *principal2;
53: gchar unknown;
54: guint8 *footer;
55: struct {
56: guint32 unknown1;
57: guint32 unknown2;
58: guint32 epoch_now;
59: guint32 epoch_valid;
60: guint32 epoch_renew;
61: guint32 epoch_expire;
62: guint32 unknown3;
63: guint32 unknown4;
64: guint32 unknown5;
65: } dates;
66: GSList *tlvlist;
67: } aim_xsnac_token_t;
68:
69: typedef struct {
70: guint16 family;
71: guint16 subtype;
72: guint8 flags[8];
73: guint16 request_id;
74: guint32 epoch;
75: guint32 unknown;
76: gchar *principal1;
77: gchar *principal2;
78: guint16 num_tokens;
79: aim_xsnac_token_t *tokens;
80: GSList *tlvlist;
81: } aim_xsnac_t;
82:
83: static gchar *get_kdc_url(OscarData *od)
84: {
85: PurpleAccount *account = purple_connection_get_account(od->gc);
86: const gchar *server;
87: gchar *url;
88: gchar *port_str = NULL;
89: gint port;
90:
91: server = purple_account_get_string(account, "server", AIM_DEFAULT_KDC_SERVER);
92: port = purple_account_get_int(account, "port", AIM_DEFAULT_KDC_PORT);
93: if (port != 443)
94: port_str = g_strdup_printf(":%d", port);
95: url = g_strdup_printf("https://%s%s/", server, port_str ? port_str : "");
96: g_free(port_str);
97:
98: return url;
99: }
100:
101: static const char *get_client_key(OscarData *od)
102: {
103: return oscar_get_ui_info_string(
104: od->icq ? "prpl-icq-clientkey" : "prpl-aim-clientkey",
105: od->icq ? ICQ_DEFAULT_CLIENT_KEY : AIM_DEFAULT_CLIENT_KEY);
106: }
107:
108: static void
109: aim_encode_password(const char *password, gchar *encoded)
110: {
111: guint8 encoding_table[] = {
112: 0x76, 0x91, 0xc5, 0xe7,
113: 0xd0, 0xd9, 0x95, 0xdd,
114: 0x9e, 0x2F, 0xea, 0xd8,
115: 0x6B, 0x21, 0xc2, 0xbc,
116:
117: };
118: guint i;
119:
120: /*
121: * We truncate AIM passwords to 16 characters since that's what
122: * the official client does as well.
123: */
124: for (i = 0; i < strlen(password) && i < MAXAIMPASSLEN; i++)
125: encoded[i] = (password[i] ^ encoding_table[i]);
126: }
127:
128: static void
129: aim_xsnac_free(aim_xsnac_t *xsnac)
130: {
131: gint i;
132:
133: g_free(xsnac->principal1);
134: g_free(xsnac->principal2);
135: aim_tlvlist_free(xsnac->tlvlist);
136:
137: for (i = 0; i < xsnac->num_tokens; i++) {
138: g_free(xsnac->tokens[i].main_tlv->value);
139: g_free(xsnac->tokens[i].main_tlv);
140: g_free(xsnac->tokens[i].principal1);
141: g_free(xsnac->tokens[i].service);
142: g_free(xsnac->tokens[i].principal1_again);
143: g_free(xsnac->tokens[i].principal2);
144: g_free(xsnac->tokens[i].footer);
145: aim_tlvlist_free(xsnac->tokens[i].tlvlist);
146: }
147: g_free(xsnac->tokens);
148: }
149:
150: static void
151: kerberos_login_cb(PurpleUtilFetchUrlData *url_data, gpointer user_data,
152: const gchar *got_data, gsize got_len, const gchar *error_message)
153: {
154: OscarData *od = user_data;
155: PurpleConnection *gc;
156: ByteStream bs;
157: aim_xsnac_t xsnac = {0};
158: guint16 len;
159: gchar *bosip = NULL;
160: gchar *tlsCertName = NULL;
161: guint8 *cookie = NULL;
162: guint32 cookie_len = 0;
163: char *host; int port;
164: gsize i;
165:
166: gc = od->gc;
167:
168: od->url_data = NULL;
169:
170: if (error_message != NULL || got_len == 0) {
171: gchar *tmp;
172: gchar *url;
173:
174: url = get_kdc_url(od);
175: tmp = g_strdup_printf(_("Error requesting %s: %s"),
176: url, error_message ?
177: error_message : _("The server returned an empty response"));
178: purple_connection_error_reason(gc,
179: PURPLE_CONNECTION_ERROR_NETWORK_ERROR, tmp);
180: g_free(tmp);
181: g_free(url);
182: return;
183: }
184:
185: purple_debug_info("oscar", "Received kerberos login HTTP response %lu : ", got_len);
186:
187: byte_stream_init(&bs, (guint8 *)got_data, got_len);
188:
189: xsnac.family = byte_stream_get16(&bs);
190: xsnac.subtype = byte_stream_get16(&bs);
191: byte_stream_getrawbuf(&bs, (guint8 *) xsnac.flags, 8);
192:
193: if (xsnac.family == 0x50C && xsnac.subtype == 0x0005) {
194: purple_connection_error_reason(gc,
195: PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED,
196: _("Incorrect password"));
197: return;
198: }
199: if (xsnac.family != 0x50C || xsnac.subtype != 0x0003) {
200: purple_connection_error_reason(gc,
201: PURPLE_CONNECTION_ERROR_NETWORK_ERROR,
202: _("Error parsing response from authentication server"));
203: return;
204: }
205: xsnac.request_id = byte_stream_get16(&bs);
206: xsnac.epoch = byte_stream_get32(&bs);
207: xsnac.unknown = byte_stream_get32(&bs);
208: len = byte_stream_get16(&bs);
209: xsnac.principal1 = byte_stream_getstr(&bs, len);
210: len = byte_stream_get16(&bs);
211: xsnac.principal2 = byte_stream_getstr(&bs, len);
212: xsnac.num_tokens = byte_stream_get16(&bs);
213:
214: purple_debug_info("oscar", "KDC: %d tokens between '%s' and '%s'\n",
215: xsnac.num_tokens, xsnac.principal1, xsnac.principal2);
216: xsnac.tokens = g_new0(aim_xsnac_token_t, xsnac.num_tokens);
217: for (i = 0; i < xsnac.num_tokens; i++) {
218: GSList *tlv;
219:
220: tlv = aim_tlvlist_readnum(&bs, 1);
221: if (tlv)
222: xsnac.tokens[i].main_tlv = tlv->data;
223: g_slist_free(tlv);
224:
225: len = byte_stream_get16(&bs);
226: xsnac.tokens[i].principal1 = byte_stream_getstr(&bs, len);
227: len = byte_stream_get16(&bs);
228: xsnac.tokens[i].service = byte_stream_getstr(&bs, len);
229: len = byte_stream_get16(&bs);
230: xsnac.tokens[i].principal1_again = byte_stream_getstr(&bs, len);
231: len = byte_stream_get16(&bs);
232: xsnac.tokens[i].principal2 = byte_stream_getstr(&bs, len);
233: xsnac.tokens[i].unknown = byte_stream_get8(&bs);
234: len = byte_stream_get16(&bs);
235: xsnac.tokens[i].footer = byte_stream_getraw(&bs, len);
236:
237: xsnac.tokens[i].dates.unknown1 = byte_stream_get32(&bs);
238: xsnac.tokens[i].dates.unknown2 = byte_stream_get32(&bs);
239: xsnac.tokens[i].dates.epoch_now = byte_stream_get32(&bs);
240: xsnac.tokens[i].dates.epoch_valid = byte_stream_get32(&bs);
241: xsnac.tokens[i].dates.epoch_renew = byte_stream_get32(&bs);
242: xsnac.tokens[i].dates.epoch_expire = byte_stream_get32(&bs);
243: xsnac.tokens[i].dates.unknown3 = byte_stream_get32(&bs);
244: xsnac.tokens[i].dates.unknown4 = byte_stream_get32(&bs);
245: xsnac.tokens[i].dates.unknown5 = byte_stream_get32(&bs);
246:
247: len = byte_stream_get16(&bs);
248: xsnac.tokens[i].tlvlist = aim_tlvlist_readnum(&bs, len);
249:
250: purple_debug_info("oscar", "Token %lu has %d TLVs for service '%s'\n",
251: i, len, xsnac.tokens[i].service);
252: }
253: len = byte_stream_get16(&bs);
254: xsnac.tlvlist = aim_tlvlist_readnum(&bs, len);
255:
256: for (i = 0; i < xsnac.num_tokens; i++) {
257: if (purple_strequal(xsnac.tokens[i].service, "im/boss")) {
258: aim_tlv_t *tlv;
259: GSList *tlvlist;
260: ByteStream tbs;
261:
262: tlv = aim_tlv_gettlv(xsnac.tokens[i].tlvlist, 0x0003, 1);
263: if (tlv != NULL) {
264: byte_stream_init(&tbs, tlv->value, tlv->length);
265: byte_stream_get32(&tbs);
266: tlvlist = aim_tlvlist_read(&tbs);
267: if (aim_tlv_gettlv(tlvlist, 0x0005, 1))
268: bosip = aim_tlv_getstr(tlvlist, 0x0005, 1);
269: if (aim_tlv_gettlv(tlvlist, 0x0005, 1))
270: tlsCertName = aim_tlv_getstr(tlvlist, 0x008D, 1);
271: tlv = aim_tlv_gettlv(tlvlist, 0x0006, 1);
272: if (tlv) {
273: cookie_len = tlv->length;
274: cookie = tlv->value;
275: }
276: }
277: break;
278: }
279: }
280: if (bosip && cookie) {
281: port = AIM_DEFAULT_KDC_PORT;
282: for (i = 0; i < strlen(bosip); i++) {
283: if (bosip[i] == ':') {
284: port = atoi(&(bosip[i+1]));
285: break;
286: }
287: }
288: host = g_strndup(bosip, i);
289: oscar_connect_to_bos(gc, od, host, port, cookie, cookie_len, tlsCertName);
290: g_free(host);
291: } else {
292: purple_connection_error_reason(gc,
293: PURPLE_CONNECTION_ERROR_NETWORK_ERROR,
294: _("Unknown error during authentication"));
295: }
296: aim_xsnac_free(&xsnac);
297: g_free(tlsCertName);
298: g_free(bosip);
299: }
300:
301: /**
302: * This function sends a binary blob request to the Kerberos KDC server
303: * https://kdc.uas.aol.com with the user's username and password and
304: * receives the IM cookie, which is used to request a connection to the
305: * BOSS server.
306: * The binary data below is what AIM 8.0.8.1 sends in order to authenticate
307: * to the KDC server. It is an 'X-SNAC' packet, which is relatively similar
308: * to SNAC packets but somehow different.
309: * The header starts with the 0x50C family follow by 0x0002 subtype, then
310: * some fixed length data and TLVs. The string "COOL" appears in there for
311: * some reason followed by the 'US' and 'en' strings.
312: * Then the 'imApp key=<client key>' comes after that, and then the username
313: * and the string "im/boss" which seems to represent the service we are
314: * requesting the authentication for. Changing that will lead to a
315: * 'unknown service' error. The client key is then added again (without the
316: * 'imApp key' string prepended to it) then a XOR-ed version of the password.
317: * The meaning of the header/footer/in-between bytes is not known but never
318: * seems to change so there is no need to reverse engineer their meaning at
319: * this point.
320: */
321: void send_kerberos_login(OscarData *od, const char *username)
322: {
323: PurpleConnection *gc;
324: GString *request;
325: gchar *url;
326: const gchar *password;
327: gchar password_xored[MAXAIMPASSLEN];
328: const gchar *client_key;
329: gchar *imapp_key;
330: GString *body;
331: guint16 len_be;
332: guint16 reqid;
333: const gchar header[] = {
334: 0x05, 0x0C, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
335: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
336: 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00,
337: 0x00, 0x08, 0x10, 0x00, 0x00, 0x00, 0x00, 0x05,
338: 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05,
339: 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x18, 0x99,
340: 0x00, 0x05, 0x00, 0x04, 0x43, 0x4F, 0x4F, 0x4C,
341: 0x00, 0x0A, 0x00, 0x02, 0x00, 0x01, 0x00, 0x0B,
342: 0x00, 0x04, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00,
343: 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
344: 0x55, 0x53, 0x00, 0x02, 0x65, 0x6E, 0x00, 0x04,
345: 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0D,
346: 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04,
347: 0x00, 0x05};
348: const gchar pre_username[] = {
349: 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x01, 0x8B,
350: 0x01, 0x00, 0x00, 0x00, 0x00};
351: const gchar post_username[] = {
352: 0x00, 0x07, 0x69, 0x6D, 0x2F, 0x62, 0x6F, 0x73,
353: 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
354: 0x04, 0x00, 0x02};
355: const gchar pre_password[] = {
356: 0x40, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01,
357: 0x00, 0x00};
358: const gchar post_password[] = {0x00, 0x00, 0x00, 0x1D};
359: const gchar footer[] = {
360: 0x00, 0x21, 0x00, 0x32, 0x00, 0x01, 0x10, 0x03,
361: 0x00, 0x2C, 0x00, 0x07, 0x00, 0x14, 0x00, 0x04,
362: 0x00, 0x00, 0x01, 0x8B, 0x00, 0x16, 0x00, 0x02,
363: 0x00, 0x26, 0x00, 0x17, 0x00, 0x02, 0x00, 0x07,
364: 0x00, 0x18, 0x00, 0x02, 0x00, 0x00, 0x00, 0x19,
365: 0x00, 0x02, 0x00, 0x0D, 0x00, 0x1A, 0x00, 0x02,
366: 0x00, 0x04, 0x00, 0xAB, 0x00, 0x00, 0x00, 0x28,
367: 0x00, 0x00};
368:
369: gc = od->gc;
370:
371: password = purple_connection_get_password(gc);
372: aim_encode_password(password, password_xored);
373:
374: client_key = get_client_key(od);
375: imapp_key = g_strdup_printf("imApp key=%s", client_key);
376:
377: /* Construct the body of the HTTP POST request */
378: body = g_string_new(NULL);
379: g_string_append_len(body, header, sizeof(header));
380: reqid = (guint16) g_random_int();
381: g_string_overwrite_len(body, 0xC, (void *)&reqid, sizeof(guint16));
382:
383: len_be = GUINT16_TO_BE(strlen(imapp_key));
384: g_string_append_len(body, (void *)&len_be, sizeof(guint16));
385: g_string_append(body, imapp_key);
386:
387: len_be = GUINT16_TO_BE(strlen(username));
388: g_string_append_len(body, pre_username, sizeof(pre_username));
389: g_string_append_len(body, (void *)&len_be, sizeof(guint16));
390: g_string_append(body, username);
391: g_string_append_len(body, post_username, sizeof(post_username));
392:
393: len_be = GUINT16_TO_BE(strlen(password) + 0x10);
394: g_string_append_len(body, (void *)&len_be, sizeof(guint16));
395: g_string_append_len(body, pre_password, sizeof(pre_password));
396: len_be = GUINT16_TO_BE(strlen(password) + 4);
397: g_string_append_len(body, (void *)&len_be, sizeof(guint16));
398: len_be = GUINT16_TO_BE(strlen(password));
399: g_string_append_len(body, (void *)&len_be, sizeof(guint16));
400: g_string_append_len(body, password_xored, strlen(password));
401: g_string_append_len(body, post_password, sizeof(post_password));
402:
403: len_be = GUINT16_TO_BE(strlen(client_key));
404: g_string_append_len(body, (void *)&len_be, sizeof(guint16));
405: g_string_append(body, client_key);
406: g_string_append_len(body, footer, sizeof(footer));
407:
408: g_free(imapp_key);
409:
410: url = get_kdc_url(od);
411:
412: /* Construct an HTTP POST request */
413: request = g_string_new("POST / HTTP/1.1\n"
414: "Connection: close\n"
415: "Accept: application/x-snac\n"
416: "Host: kdc.uas.nina.chat\n");
417:
418: /* Tack on the body */
419: g_string_append_printf(request, "Content-Type: application/x-snac\n");
420: g_string_append_printf(request, "Content-Length: %" G_GSIZE_FORMAT "\n\n", body->len);
421: g_string_append_len(request, body->str, body->len);
422:
423: /* Send the POST request */
424: od->url_data = purple_util_fetch_url_request_data_len_with_account(
425: purple_connection_get_account(gc), url,
426: TRUE, NULL, TRUE, request->str, request->len, FALSE, -1,
427: kerberos_login_cb, od);
428: g_string_free(request, TRUE);
429:
430: g_string_free(body, TRUE);
431: g_free(url);
432: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to kerberos.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Coherent Logic Development] / ChivanetAimPidgin / oscarprpl / src / c