Swiftdiff options
| -rw-r--r-- | Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp | 10 | ||||
| -rw-r--r-- | Swiften/SASL/SCRAMSHA1ClientAuthenticator.h | 1 | ||||
| -rw-r--r-- | Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp | 15 |
3 files changed, 21 insertions, 5 deletions
diff --git a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp index b55e5e4..8621b85 100644 --- a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp +++ b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.cpp @@ -1,127 +1,131 @@ #include "Swiften/SASL/SCRAMSHA1ClientAuthenticator.h" #include <cassert> #include <map> #include <boost/lexical_cast.hpp> #include "Swiften/StringCodecs/SHA1.h" #include "Swiften/StringCodecs/Base64.h" #include "Swiften/StringCodecs/HMACSHA1.h" #include "Swiften/StringCodecs/PBKDF2.h" #include "Swiften/StringPrep/StringPrep.h" namespace Swift { SCRAMSHA1ClientAuthenticator::SCRAMSHA1ClientAuthenticator(const String& nonce) : ClientAuthenticator("SCRAM-SHA-1"), step(Initial), clientnonce(nonce) { } ByteArray SCRAMSHA1ClientAuthenticator::getResponse() const { if (step == Initial) { - return "n,," + getInitialBareClientMessage(); + return getGS2Header() + getInitialBareClientMessage(); } else { ByteArray clientKey = HMACSHA1::getResult(saltedPassword, "Client Key"); ByteArray storedKey = SHA1::getBinaryHash(clientKey); ByteArray clientSignature = HMACSHA1::getResult(storedKey, authMessage); ByteArray clientProof = clientKey; for (unsigned int i = 0; i < clientProof.getSize(); ++i) { clientProof[i] ^= clientSignature[i]; } - ByteArray result = ByteArray("c=biwsCg==,r=") + clientnonce + serverNonce + ",p=" + Base64::encode(clientProof); + ByteArray result = ByteArray("c=") + Base64::encode(getGS2Header()) + ",r=" + clientnonce + serverNonce + ",p=" + Base64::encode(clientProof); return result; } } bool SCRAMSHA1ClientAuthenticator::setChallenge(const ByteArray& challenge) { if (step == Initial) { initialServerMessage = challenge; std::map<char, String> keys = parseMap(String(initialServerMessage.getData(), initialServerMessage.getSize())); // Extract the salt ByteArray salt = Base64::decode(keys['s']); // Extract the server nonce String clientServerNonce = keys['r']; if (clientServerNonce.getUTF8Size() <= clientnonce.getUTF8Size()) { return false; } String receivedClientNonce = clientServerNonce.getSubstring(0, clientnonce.getUTF8Size()); if (receivedClientNonce != clientnonce) { return false; } serverNonce = clientServerNonce.getSubstring(clientnonce.getUTF8Size(), clientServerNonce.npos()); // Extract the number of iterations int iterations = 0; try { iterations = boost::lexical_cast<int>(keys['i'].getUTF8String()); } catch (const boost::bad_lexical_cast&) { return false; } if (iterations <= 0) { return false; } // Compute all the values needed for the server signature saltedPassword = PBKDF2::encode(StringPrep::getPrepared(getPassword(), StringPrep::SASLPrep), salt, iterations); - authMessage = getInitialBareClientMessage() + "," + initialServerMessage + "," + "c=biwsCg==," + "r=" + clientnonce + serverNonce; + authMessage = getInitialBareClientMessage() + "," + initialServerMessage + "," + "c=" + Base64::encode(getGS2Header()) + ",r=" + clientnonce + serverNonce; ByteArray serverKey = HMACSHA1::getResult(saltedPassword, "Server Key"); serverSignature = HMACSHA1::getResult(serverKey, authMessage); step = Proof; return true; } else { ByteArray result = ByteArray("v=") + ByteArray(Base64::encode(serverSignature)); return challenge == result; } } std::map<char, String> SCRAMSHA1ClientAuthenticator::parseMap(const String& s) { std::map<char, String> result; if (s.getUTF8Size() > 0) { char key; String value; size_t i = 0; bool expectKey = true; while (i < s.getUTF8Size()) { if (expectKey) { key = s[i]; expectKey = false; i++; } else if (s[i] == ',') { result[key] = value; value = ""; expectKey = true; } else { value += s[i]; } i++; } result[key] = value; } return result; } ByteArray SCRAMSHA1ClientAuthenticator::getInitialBareClientMessage() const { String authenticationID = StringPrep::getPrepared(getAuthenticationID(), StringPrep::SASLPrep); String escapedAuthenticationID; for (size_t i = 0; i < authenticationID.getUTF8Size(); ++i) { if (authenticationID[i] == ',') { escapedAuthenticationID += "=2C"; } else if (authenticationID[i] == '=') { escapedAuthenticationID += "=3D"; } else { escapedAuthenticationID += authenticationID[i]; } } return ByteArray(String("n=" + escapedAuthenticationID + ",r=" + clientnonce)); } +ByteArray SCRAMSHA1ClientAuthenticator::getGS2Header() const { + return ByteArray("n,") + getAuthorizationID() + ","; +} + } diff --git a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h index 108ac2e..b8aaa17 100644 --- a/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h +++ b/Swiften/SASL/SCRAMSHA1ClientAuthenticator.h @@ -1,33 +1,34 @@ #pragma once #include <map> #include "Swiften/Base/String.h" #include "Swiften/Base/ByteArray.h" #include "Swiften/SASL/ClientAuthenticator.h" namespace Swift { class SCRAMSHA1ClientAuthenticator : public ClientAuthenticator { public: SCRAMSHA1ClientAuthenticator(const String& nonce); virtual ByteArray getResponse() const; virtual bool setChallenge(const ByteArray&); private: ByteArray getInitialBareClientMessage() const; static std::map<char, String> parseMap(const String&); + ByteArray getGS2Header() const; private: enum Step { Initial, Proof } step; String clientnonce; ByteArray initialServerMessage; ByteArray serverNonce; ByteArray authMessage; ByteArray saltedPassword; ByteArray serverSignature; }; } diff --git a/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp b/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp index 6558ec7..6f64100 100644 --- a/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp +++ b/Swiften/SASL/UnitTest/SCRAMSHA1ClientAuthenticatorTest.cpp @@ -1,109 +1,120 @@ #include <cppunit/extensions/HelperMacros.h> #include <cppunit/extensions/TestFactoryRegistry.h> #include "Swiften/SASL/SCRAMSHA1ClientAuthenticator.h" #include "Swiften/Base/ByteArray.h" using namespace Swift; class SCRAMSHA1ClientAuthenticatorTest : public CppUnit::TestFixture { CPPUNIT_TEST_SUITE(SCRAMSHA1ClientAuthenticatorTest); CPPUNIT_TEST(testGetInitialResponse); CPPUNIT_TEST(testGetInitialResponse_UsernameHasSpecialChars); + CPPUNIT_TEST(testGetInitialResponse_WithAuthorizationID); CPPUNIT_TEST(testGetFinalResponse); CPPUNIT_TEST(testSetChallenge); CPPUNIT_TEST(testSetChallenge_InvalidClientNonce); CPPUNIT_TEST(testSetChallenge_OnlyClientNonce); CPPUNIT_TEST(testSetChallenge_InvalidIterations); CPPUNIT_TEST(testSetChallenge_ZeroIterations); CPPUNIT_TEST(testSetChallenge_NegativeIterations); CPPUNIT_TEST(testSetChallenge_MissingIterations); CPPUNIT_TEST(testSetFinalChallenge); CPPUNIT_TEST(testSetFinalChallenge_InvalidChallenge); CPPUNIT_TEST_SUITE_END(); public: void setUp() { } void testGetInitialResponse() { SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); testling.setCredentials("user", "pass", ""); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("n,,n=user,r=abcdefghABCDEFGH"), testling.getResponse().toString()); } void testGetInitialResponse_UsernameHasSpecialChars() { SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); testling.setCredentials(",us=,er=", "pass", ""); ByteArray response = testling.getResponse(); CPPUNIT_ASSERT_EQUAL(String("n,,n==2Cus=3D=2Cer=3D,r=abcdefghABCDEFGH"), testling.getResponse().toString()); } + void testGetInitialResponse_WithAuthorizationID() { + SCRAMSHA1ClientAuthenticator testling("abcdefghABCDEFGH"); + testling.setCredentials("user", "pass", "auth"); + + ByteArray response = testling.getResponse(); + + CPPUNIT_ASSERT_EQUAL(String("n,auth,n=user,r=abcdefghABCDEFGH"), testling.getResponse().toString()); + } + void testGetFinalResponse() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); ByteArray response = testling.getResponse(); - CPPUNIT_ASSERT_EQUAL(String("c=biwsCg==,r=abcdefghABCDEFGH,p=bVzb1EAf2hXw5Z+QIMYPTy5TOsU="), testling.getResponse().toString()); + CPPUNIT_ASSERT_EQUAL(String("c=biws,r=abcdefghABCDEFGH,p=CZbjGDpIteIJwQNBgO0P8pKkMGY="), testling.getResponse().toString()); } void testSetFinalChallenge() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); - bool result = testling.setChallenge(ByteArray("v=xWI/+vT8aAm0hKpqKIqctIDwtQE=")); + + bool result = testling.setChallenge(ByteArray("v=Dd+Q20knZs9jeeK0pi1Mx1Se+yo=")); CPPUNIT_ASSERT(result); } void testSetChallenge() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=4096")); CPPUNIT_ASSERT(result); } void testSetChallenge_InvalidClientNonce() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefgiABCDEFGH,s=MTIzNDU2NzgK,i=4096")); CPPUNIT_ASSERT(!result); } void testSetChallenge_OnlyClientNonce() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefgh,s=MTIzNDU2NzgK,i=4096")); CPPUNIT_ASSERT(!result); } void testSetChallenge_InvalidIterations() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK,i=bla")); CPPUNIT_ASSERT(!result); } void testSetChallenge_MissingIterations() { SCRAMSHA1ClientAuthenticator testling("abcdefgh"); testling.setCredentials("user", "pass", ""); bool result = testling.setChallenge(ByteArray("r=abcdefghABCDEFGH,s=MTIzNDU2NzgK")); CPPUNIT_ASSERT(!result); } |