Swiftdiff options
| -rw-r--r-- | Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp | 33 | ||||
| -rw-r--r-- | Swiften/SASL/SCRAMSHA1ClientAuthenticator.h | 3 | ||||
| -rw-r--r-- | Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp | 12 |
3 files changed, 32 insertions, 16 deletions
diff --git a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp index 8621b85..a261810 100644 --- a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp +++ b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp @@ -1,62 +1,79 @@ #include "Swiften/SASL/SCRAMSHA1ClientAuthenticator.h" #include <cassert> #include <map> #include <boost/lexical_cast.hpp> #include "Swiften/StringCodecs/SHA1.h" #include "Swiften/StringCodecs/Base64.h" #include "Swiften/StringCodecs/HMACSHA1.h" #include "Swiften/StringCodecs/PBKDF2.h" #include "Swiften/StringPrep/StringPrep.h" namespace Swift { +static String escape(const String& s) { + String result; + for (size_t i = 0; i < s.getUTF8Size(); ++i) { + if (s[i] == ',') { + result += "=2C"; + } + else if (s[i] == '=') { + result += "=3D"; + } + else { + result += s[i]; + } + } + return result; +} + + SCRAMSHA1ClientAuthenticator::SCRAMSHA1ClientAuthenticator(const String& nonce) : ClientAuthenticator("SCRAM-SHA-1"), step(Initial), clientnonce(nonce) { } ByteArray SCRAMSHA1ClientAuthenticator::getResponse() const { if (step == Initial) { return getGS2Header() + getInitialBareClientMessage(); } else { ByteArray clientKey = HMACSHA1::getResult(saltedPassword, "Client Key"); ByteArray storedKey = SHA1::getBinaryHash(clientKey); ByteArray clientSignature = HMACSHA1::getResult(storedKey, authMessage); ByteArray clientProof = clientKey; for (unsigned int i = 0; i < clientProof.getSize(); ++i) { clientProof[i] ^= clientSignature[i]; } ByteArray result = ByteArray("c=") + Base64::encode(getGS2Header()) + ",r=" + clientnonce + serverNonce + ",p=" + Base64::encode(clientProof); return result; } } bool SCRAMSHA1ClientAuthenticator::setChallenge(const ByteArray& challenge) { if (step == Initial) { initialServerMessage = challenge; std::map<char, String> keys = parseMap(String(initialServerMessage.getData(), initialServerMessage.getSize())); // Extract the salt ByteArray salt = Base64::decode(keys['s']); // Extract the server nonce String clientServerNonce = keys['r']; if (clientServerNonce.getUTF8Size() <= clientnonce.getUTF8Size()) { return false; } String receivedClientNonce = clientServerNonce.getSubstring(0, clientnonce.getUTF8Size()); if (receivedClientNonce != clientnonce) { return false; } serverNonce = clientServerNonce.getSubstring(clientnonce.getUTF8Size(), clientServerNonce.npos()); // Extract the number of iterations int iterations = 0; try { iterations = boost::lexical_cast<int>(keys['i'].getUTF8String()); } catch (const boost::bad_lexical_cast&) { return false; } @@ -64,68 +81,56 @@ bool SCRAMSHA1ClientAuthenticator::setChallenge(const ByteArray& challenge) { return false; } // Compute all the values needed for the server signature saltedPassword = PBKDF2::encode(StringPrep::getPrepared(getPassword(), StringPrep::SASLPrep), salt, iterations); authMessage = getInitialBareClientMessage() + "," + initialServerMessage + "," + "c=" + Base64::encode(getGS2Header()) + ",r=" + clientnonce + serverNonce; ByteArray serverKey = HMACSHA1::getResult(saltedPassword, "Server Key"); serverSignature = HMACSHA1::getResult(serverKey, authMessage); step = Proof; return true; } else { ByteArray result = ByteArray("v=") + ByteArray(Base64::encode(serverSignature)); return challenge == result; } } std::map<char, String> SCRAMSHA1ClientAuthenticator::parseMap(const String& s) { std::map<char, String> result; if (s.getUTF8Size() > 0) { char key; String value; size_t i = 0; bool expectKey = true; while (i < s.getUTF8Size()) { if (expectKey) { key = s[i]; expectKey = false; i++; } else if (s[i] == ',') { result[key] = value; value = ""; expectKey = true; } else { value += s[i]; } i++; } result[key] = value; } return result; } ByteArray SCRAMSHA1ClientAuthenticator::getInitialBareClientMessage() const { String authenticationID = StringPrep::getPrepared(getAuthenticationID(), StringPrep::SASLPrep); - String escapedAuthenticationID; - for (size_t i = 0; i < authenticationID.getUTF8Size(); ++i) { - if (authenticationID[i] == ',') { - escapedAuthenticationID += "=2C"; - } - else if (authenticationID[i] == '=') { - escapedAuthenticationID += "=3D"; - } - else { - escapedAuthenticationID += authenticationID[i]; - } - } - return ByteArray(String("n=" + escapedAuthenticationID + ",r=" + clientnonce)); + return ByteArray(String("n=" + escape(authenticationID) + ",r=" + clientnonce)); } ByteArray SCRAMSHA1ClientAuthenticator::getGS2Header() const { - return ByteArray("n,") + getAuthorizationID() + ","; + return ByteArray("n,") + (getAuthorizationID().isEmpty() ? "" : "a=" + escape(getAuthorizationID())) + ","; } } diff --git a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h index b8aaa17..6636139 100644 --- a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h +++ b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h @@ -1,34 +1,35 @@ #pragma once #include <map> #include "Swiften/Base/String.h" #include "Swiften/Base/ByteArray.h" #include "Swiften/SASL/ClientAuthenticator.h" namespace Swift { class SCRAMSHA1ClientAuthenticator : public ClientAuthenticator { public: SCRAMSHA1ClientAuthenticator(const String& nonce); virtual ByteArray getResponse() const; virtual bool setChallenge(const ByteArray&); private: ByteArray getInitialBareClientMessage() const; - static std::map<char, String> parseMap(const String&); ByteArray getGS2Header() const; + static std::map<char, String> parseMap(const String&); + private: enum Step { Initial, Proof } step; String clientnonce; ByteArray initialServerMessage; ByteArray serverNonce; ByteArray authMessage; ByteArray saltedPassword; ByteArray serverSignature; }; } diff --git a/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp b/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp index 6f64100..5eedeb2 100644 --- a/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp +++ b/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp @@ -1,102 +1,112 @@ #include <cppunit/extensions/HelperMacros.h> #include <cppunit/extensions/TestFactoryRegistry.h> #include "Swiften/SASL/SCRAMSHA1ClientAuthenticator.h" #include "Swiften/Base/ByteArray.h" using namespace Swift; class SCRAMSHA1ClientAuthenticatorTest : public CppUnit::TestFixture { CPPUNIT_TEST_SUITE(SCRAMSHA1ClientAuthenticatorTest); CPPUNIT_TEST(testGetInitialResponse); CPPUNIT_TEST(testGetInitialResponse_UsernameHasSpecialChars); CPPUNIT_TEST(testGetInitialResponse_WithAuthorizationID); + CPPUNIT_TEST(testGetInitialResponse_WithAuthorizationIDWithSpecialChars); CPPUNIT_TEST(testGetFinalResponse); CPPUNIT_TEST(testSetChallenge); CPPUNIT_TEST(testSetChallenge_InvalidClientNonce); CPPUNIT_TEST(testSetChallenge_OnlyClientNonce); CPPUNIT_TEST(testSetChallenge_InvalidIterations); CPPUNIT_TEST(testSetChallenge_ZeroIterations); CPPUNIT_TEST(testSetChallenge_NegativeIterations); CPPUNIT_TEST(testSetChallenge_MissingIterations); CPPUNIT_TEST(testSetFinalChallenge); CPPUNIT_TEST(testSetFinalChallenge_InvalidChallenge); CPPUNIT_TEST_SUITE_END(); public: void setUp() { } void testGetInitialResponse() { SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); testling.setCredentials("user", "pass", ""); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("n,,n=user,r=abcdefghABCDEFGH"), testling.getResponse().toString()); } void testGetInitialResponse_UsernameHasSpecialChars() { SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); testling.setCredentials(",us=,er=", "pass", ""); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("n,,n==2Cus=3D=2Cer=3D,r=abcdefghABCDEFGH"), testling.getResponse().toString()); } void testGetInitialResponse_WithAuthorizationID() { SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); testling.setCredentials("user", "pass", "auth"); ByteArray response = testling.getResponse(); - CPPUNIT_ASSERT_EQUAL(String("n,auth,n=user,r=abcdefghABCDEFGH"), testling.getResponse().toString()); + CPPUNIT_ASSERT_EQUAL(String("n,a=auth,n=user,r=abcdefghABCDEFGH"), testling.getResponse().toString()); + } + + void testGetInitialResponse_WithAuthorizationIDWithSpecialChars() { + SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); + testling.setCredentials("user", "pass", "a=u,th"); + + ByteArray response = testling.getResponse(); + + CPPUNIT_ASSERT_EQUAL(String("n,a=a=3Du=2Cth,n=user,r=abcdefghABCDEFGH"), testling.getResponse().toString()); } void testGetFinalResponse() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("c=biws,r=abcdefghABCDEFGH,p=CZbjGDpIteIJwQNBgO0P8pKkMGY="), testling.getResponse().toString()); } void testSetFinalChallenge() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); bool result = testling.setChallenge(ByteArray("v=Dd+Q20knZs9jeeK0pi1Mx1Se+yo=")); CPPUNIT_ASSERT(result); } void testSetChallenge() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); CPPUNIT_ASSERT(result); } void testSetChallenge_InvalidClientNonce() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefgiABCDEFGH,s=MTIzNDU2NzgK,i=4096")); CPPUNIT_ASSERT(!result); } void testSetChallenge_OnlyClientNonce() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefgh,s=MTIzNDU2NzgK,i=4096")); CPPUNIT_ASSERT(!result); } |