Swiftdiff options
| -rw-r--r-- | Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp | 14 | ||||
| -rw-r--r-- | Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp | 30 |
2 files changed, 40 insertions, 4 deletions
diff --git a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp index 16c938a..ab61ef5 100644 --- a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp +++ b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp @@ -1,109 +1,115 @@ #include "Swiften/SASL/SCRAMSHA1ClientAuthenticator.h" #include <cassert> #include <map> #include <boost/lexical_cast.hpp> #include "Swiften/StringCodecs/SHA1.h" #include "Swiften/StringCodecs/Base64.h" #include "Swiften/StringCodecs/HMACSHA1.h" #include "Swiften/StringCodecs/PBKDF2.h" #include "Swiften/StringPrep/StringPrep.h" namespace Swift { SCRAMSHA1ClientAuthenticator::SCRAMSHA1ClientAuthenticator(const String& nonce) : ClientAuthenticator("SCRAM-SHA-1"), step(Initial), clientnonce(nonce) { - // TODO: Normalize authentication id - // TODO: Normalize getPassword() } ByteArray SCRAMSHA1ClientAuthenticator::getResponse() const { if (step == Initial) { return "n,," + getInitialBareClientMessage(); } else { ByteArray clientKey = HMACSHA1::getResult(saltedPassword, "Client Key"); ByteArray storedKey = SHA1::getBinaryHash(clientKey); ByteArray clientSignature = HMACSHA1::getResult(storedKey, authMessage); ByteArray clientProof = clientKey; for (unsigned int i = 0; i < clientProof.getSize(); ++i) { clientProof[i] ^= clientSignature[i]; } ByteArray result = ByteArray("c=biwsCg==,r=") + clientnonce + serverNonce + ",p=" + Base64::encode(clientProof); return result; } } bool SCRAMSHA1ClientAuthenticator::setChallenge(const ByteArray& challenge) { if (step == Initial) { initialServerMessage = challenge; - // TODO: Check if these values are correct + // TODO: Check if this is correct std::map<char, String> keys = parseMap(String(initialServerMessage.getData(), initialServerMessage.getSize())); ByteArray salt = Base64::decode(keys['s']); String clientServerNonce = keys['r']; + + // Extract the server nonce + if (clientServerNonce.getUTF8Size() <= clientnonce.getUTF8Size()) { + return false; + } + String receivedClientNonce = clientServerNonce.getSubstring(0, clientnonce.getUTF8Size()); + if (receivedClientNonce != clientnonce) { + return false; + } serverNonce = clientServerNonce.getSubstring(clientnonce.getUTF8Size(), clientServerNonce.npos()); int iterations = boost::lexical_cast<int>(keys['i'].getUTF8String()); // Compute all the values needed for the server signature saltedPassword = PBKDF2::encode(StringPrep::getPrepared(getPassword(), StringPrep::SASLPrep), salt, iterations); authMessage = getInitialBareClientMessage() + "," + initialServerMessage + "," + "c=biwsCg==," + "r=" + clientnonce + serverNonce; ByteArray serverKey = HMACSHA1::getResult(saltedPassword, "Server Key"); serverSignature = HMACSHA1::getResult(serverKey, authMessage); step = Proof; return true; } else { ByteArray result = ByteArray("v=") + ByteArray(Base64::encode(serverSignature)); return challenge == result; } } std::map<char, String> SCRAMSHA1ClientAuthenticator::parseMap(const String& s) { - // TODO: Do some proper checking here std::map<char, String> result; if (s.getUTF8Size() > 0) { char key; String value; size_t i = 0; bool expectKey = true; while (i < s.getUTF8Size()) { if (expectKey) { key = s[i]; expectKey = false; i++; } else if (s[i] == ',') { result[key] = value; value = ""; expectKey = true; } else { value += s[i]; } i++; } result[key] = value; } return result; } ByteArray SCRAMSHA1ClientAuthenticator::getInitialBareClientMessage() const { String authenticationID = StringPrep::getPrepared(getAuthenticationID(), StringPrep::SASLPrep); String escapedAuthenticationID; for (size_t i = 0; i < authenticationID.getUTF8Size(); ++i) { if (authenticationID[i] == ',') { escapedAuthenticationID += "=2C"; } else if (authenticationID[i] == '=') { escapedAuthenticationID += "=3D"; } else { escapedAuthenticationID += authenticationID[i]; } } return ByteArray(String("n=" + escapedAuthenticationID + ",r=" + clientnonce)); } } diff --git a/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp b/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp index 618a748..01adc18 100644 --- a/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp +++ b/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp @@ -1,69 +1,99 @@ #include <cppunit/extensions/HelperMacros.h> #include <cppunit/extensions/TestFactoryRegistry.h> #include "Swiften/SASL/SCRAMSHA1ClientAuthenticator.h" #include "Swiften/Base/ByteArray.h" using namespace Swift; class SCRAMSHA1ClientAuthenticatorTest : public CppUnit::TestFixture { CPPUNIT_TEST_SUITE(SCRAMSHA1ClientAuthenticatorTest); CPPUNIT_TEST(testGetInitialResponse); CPPUNIT_TEST(testGetInitialResponse_UsernameHasSpecialChars); CPPUNIT_TEST(testGetFinalResponse); + CPPUNIT_TEST(testSetChallenge); + CPPUNIT_TEST(testSetChallenge_InvalidClientNonce); + CPPUNIT_TEST(testSetChallenge_OnlyClientNonce); CPPUNIT_TEST(testSetFinalChallenge); CPPUNIT_TEST(testSetFinalChallenge_InvalidChallenge); CPPUNIT_TEST_SUITE_END(); public: void setUp() { } void testGetInitialResponse() { SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); testling.setCredentials("user", "pass", ""); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("n,,n=user,r=abcdefghABCDEFGH"), testling.getResponse().toString()); } void testGetInitialResponse_UsernameHasSpecialChars() { SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); testling.setCredentials(",us=,er=", "pass", ""); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("n,,n==2Cus=3D=2Cer=3D,r=abcdefghABCDEFGH"), testling.getResponse().toString()); } void testGetFinalResponse() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("c=biwsCg==,r=abcdefghABCDEFGH,p=bVzb1EAf2hXw5Z+QIMYPTy5TOsU="), testling.getResponse().toString()); } void testSetFinalChallenge() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); bool result = testling.setChallenge(ByteArray("v=xWI/+vT8aAm0hKpqKIqctIDwtQE=")); CPPUNIT_ASSERT(result); } + void testSetChallenge() { + SCRAMSHA1ClientAuthenticator testling("abcdefgh"); + testling.setCredentials("user", "pass", ""); + + bool result = testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); + + CPPUNIT_ASSERT(result); + } + + void testSetChallenge_InvalidClientNonce() { + SCRAMSHA1ClientAuthenticator testling("abcdefgh"); + testling.setCredentials("user", "pass", ""); + + bool result = testling.setChallenge(ByteArray("r=abcdefgiABCDEFGH,s=MTIzNDU2NzgK,i=4096")); + + CPPUNIT_ASSERT(!result); + } + + void testSetChallenge_OnlyClientNonce() { + SCRAMSHA1ClientAuthenticator testling("abcdefgh"); + testling.setCredentials("user", "pass", ""); + + bool result = testling.setChallenge(ByteArray("r=abcdefgh,s=MTIzNDU2NzgK,i=4096")); + + CPPUNIT_ASSERT(!result); + } + void testSetFinalChallenge_InvalidChallenge() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); bool result = testling.setChallenge(ByteArray("v=e26kI69ICb6zosapLLxrER/631A=")); CPPUNIT_ASSERT(!result); } }; CPPUNIT_TEST_SUITE_REGISTRATION(SCRAMSHA1ClientAuthenticatorTest); |