fixed auth

This commit is contained in:
Daniel Gultsch 2018-09-26 10:39:36 +02:00
parent ef4cfacaf4
commit 6121217df5

View file

@ -20,215 +20,214 @@ import eu.siacs.conversations.xml.TagWriter;
@TargetApi(Build.VERSION_CODES.HONEYCOMB_MR1) @TargetApi(Build.VERSION_CODES.HONEYCOMB_MR1)
abstract class ScramMechanism extends SaslMechanism { abstract class ScramMechanism extends SaslMechanism {
// TODO: When channel binding (SCRAM-SHA1-PLUS) is supported in future, generalize this to indicate support and/or usage. // TODO: When channel binding (SCRAM-SHA1-PLUS) is supported in future, generalize this to indicate support and/or usage.
private final static String GS2_HEADER = "n,,"; private final static String GS2_HEADER = "n,,";
private String clientFirstMessageBare; private static final byte[] CLIENT_KEY_BYTES = "Client Key".getBytes();
private final String clientNonce; private static final byte[] SERVER_KEY_BYTES = "Server Key".getBytes();
private byte[] serverSignature = null; private static final LruCache<String, KeyPair> CACHE;
static HMac HMAC; static HMac HMAC;
static Digest DIGEST; static Digest DIGEST;
private static final byte[] CLIENT_KEY_BYTES = "Client Key".getBytes();
private static final byte[] SERVER_KEY_BYTES = "Server Key".getBytes();
private static class KeyPair { static {
final byte[] clientKey; CACHE = new LruCache<String, KeyPair>(10) {
final byte[] serverKey; protected KeyPair create(final String k) {
// Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations,SASL-Mechanism".
// Changing any of these values forces a cache miss. `CryptoHelper.bytesToHex()'
// is applied to prevent commas in the strings breaking things.
final String[] kparts = k.split(",", 5);
try {
final byte[] saltedPassword, serverKey, clientKey;
saltedPassword = hi(CryptoHelper.hexToString(kparts[1]).getBytes(),
Base64.decode(CryptoHelper.hexToString(kparts[2]), Base64.DEFAULT), Integer.valueOf(kparts[3]));
serverKey = hmac(saltedPassword, SERVER_KEY_BYTES);
clientKey = hmac(saltedPassword, CLIENT_KEY_BYTES);
KeyPair(final byte[] clientKey, final byte[] serverKey) { return new KeyPair(clientKey, serverKey);
this.clientKey = clientKey; } catch (final InvalidKeyException | NumberFormatException e) {
this.serverKey = serverKey; return null;
} }
} }
};
}
static { private final String clientNonce;
CACHE = new LruCache<String, KeyPair>(10) { protected State state = State.INITIAL;
protected KeyPair create(final String k) { private String clientFirstMessageBare;
// Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations,SASL-Mechanism". private byte[] serverSignature = null;
// Changing any of these values forces a cache miss. `CryptoHelper.bytesToHex()'
// is applied to prevent commas in the strings breaking things.
final String[] kparts = k.split(",", 4);
try {
final byte[] saltedPassword, serverKey, clientKey;
saltedPassword = hi(CryptoHelper.hexToString(kparts[1]).getBytes(),
Base64.decode(CryptoHelper.hexToString(kparts[2]), Base64.DEFAULT), Integer.valueOf(kparts[3]));
serverKey = hmac(saltedPassword, SERVER_KEY_BYTES);
clientKey = hmac(saltedPassword, CLIENT_KEY_BYTES);
return new KeyPair(clientKey, serverKey); ScramMechanism(final TagWriter tagWriter, final Account account, final SecureRandom rng) {
} catch (final InvalidKeyException | NumberFormatException e) { super(tagWriter, account, rng);
return null;
}
}
};
}
private static final LruCache<String, KeyPair> CACHE; // This nonce should be different for each authentication attempt.
clientNonce = CryptoHelper.random(100, rng);
clientFirstMessageBare = "";
}
protected State state = State.INITIAL; private static synchronized byte[] hmac(final byte[] key, final byte[] input)
throws InvalidKeyException {
HMAC.init(new KeyParameter(key));
HMAC.update(input, 0, input.length);
final byte[] out = new byte[HMAC.getMacSize()];
HMAC.doFinal(out, 0);
return out;
}
ScramMechanism(final TagWriter tagWriter, final Account account, final SecureRandom rng) { public static synchronized byte[] digest(byte[] bytes) {
super(tagWriter, account, rng); DIGEST.reset();
DIGEST.update(bytes, 0, bytes.length);
final byte[] out = new byte[DIGEST.getDigestSize()];
DIGEST.doFinal(out, 0);
return out;
}
// This nonce should be different for each authentication attempt. /*
clientNonce = CryptoHelper.random(100,rng); * Hi() is, essentially, PBKDF2 [RFC2898] with HMAC() as the
clientFirstMessageBare = ""; * pseudorandom function (PRF) and with dkLen == output length of
} * HMAC() == output length of H().
*/
private static synchronized byte[] hi(final byte[] key, final byte[] salt, final int iterations)
throws InvalidKeyException {
byte[] u = hmac(key, CryptoHelper.concatenateByteArrays(salt, CryptoHelper.ONE));
byte[] out = u.clone();
for (int i = 1; i < iterations; i++) {
u = hmac(key, u);
for (int j = 0; j < u.length; j++) {
out[j] ^= u[j];
}
}
return out;
}
@Override @Override
public String getClientFirstMessage() { public String getClientFirstMessage() {
if (clientFirstMessageBare.isEmpty() && state == State.INITIAL) { if (clientFirstMessageBare.isEmpty() && state == State.INITIAL) {
clientFirstMessageBare = "n=" + CryptoHelper.saslEscape(CryptoHelper.saslPrep(account.getUsername())) + clientFirstMessageBare = "n=" + CryptoHelper.saslEscape(CryptoHelper.saslPrep(account.getUsername())) +
",r=" + this.clientNonce; ",r=" + this.clientNonce;
state = State.AUTH_TEXT_SENT; state = State.AUTH_TEXT_SENT;
} }
return Base64.encodeToString( return Base64.encodeToString(
(GS2_HEADER + clientFirstMessageBare).getBytes(Charset.defaultCharset()), (GS2_HEADER + clientFirstMessageBare).getBytes(Charset.defaultCharset()),
Base64.NO_WRAP); Base64.NO_WRAP);
} }
@Override @Override
public String getResponse(final String challenge) throws AuthenticationException { public String getResponse(final String challenge) throws AuthenticationException {
switch (state) { switch (state) {
case AUTH_TEXT_SENT: case AUTH_TEXT_SENT:
if (challenge == null) { if (challenge == null) {
throw new AuthenticationException("challenge can not be null"); throw new AuthenticationException("challenge can not be null");
} }
byte[] serverFirstMessage; byte[] serverFirstMessage;
try { try {
serverFirstMessage = Base64.decode(challenge, Base64.DEFAULT); serverFirstMessage = Base64.decode(challenge, Base64.DEFAULT);
} catch (IllegalArgumentException e) { } catch (IllegalArgumentException e) {
throw new AuthenticationException("Unable to decode server challenge",e); throw new AuthenticationException("Unable to decode server challenge", e);
} }
final Tokenizer tokenizer = new Tokenizer(serverFirstMessage); final Tokenizer tokenizer = new Tokenizer(serverFirstMessage);
String nonce = ""; String nonce = "";
int iterationCount = -1; int iterationCount = -1;
String salt = ""; String salt = "";
for (final String token : tokenizer) { for (final String token : tokenizer) {
if (token.charAt(1) == '=') { if (token.charAt(1) == '=') {
switch (token.charAt(0)) { switch (token.charAt(0)) {
case 'i': case 'i':
try { try {
iterationCount = Integer.parseInt(token.substring(2)); iterationCount = Integer.parseInt(token.substring(2));
} catch (final NumberFormatException e) { } catch (final NumberFormatException e) {
throw new AuthenticationException(e); throw new AuthenticationException(e);
} }
break; break;
case 's': case 's':
salt = token.substring(2); salt = token.substring(2);
break; break;
case 'r': case 'r':
nonce = token.substring(2); nonce = token.substring(2);
break; break;
case 'm': case 'm':
/* /*
* RFC 5802: * RFC 5802:
* m: This attribute is reserved for future extensibility. In this * m: This attribute is reserved for future extensibility. In this
* version of SCRAM, its presence in a client or a server message * version of SCRAM, its presence in a client or a server message
* MUST cause authentication failure when the attribute is parsed by * MUST cause authentication failure when the attribute is parsed by
* the other end. * the other end.
*/ */
throw new AuthenticationException("Server sent reserved token: `m'"); throw new AuthenticationException("Server sent reserved token: `m'");
} }
} }
} }
if (iterationCount < 0) { if (iterationCount < 0) {
throw new AuthenticationException("Server did not send iteration count"); throw new AuthenticationException("Server did not send iteration count");
} }
if (nonce.isEmpty() || !nonce.startsWith(clientNonce)) { if (nonce.isEmpty() || !nonce.startsWith(clientNonce)) {
throw new AuthenticationException("Server nonce does not contain client nonce: " + nonce); throw new AuthenticationException("Server nonce does not contain client nonce: " + nonce);
} }
if (salt.isEmpty()) { if (salt.isEmpty()) {
throw new AuthenticationException("Server sent empty salt"); throw new AuthenticationException("Server sent empty salt");
} }
final String clientFinalMessageWithoutProof = "c=" + Base64.encodeToString( final String clientFinalMessageWithoutProof = "c=" + Base64.encodeToString(
GS2_HEADER.getBytes(), Base64.NO_WRAP) + ",r=" + nonce; GS2_HEADER.getBytes(), Base64.NO_WRAP) + ",r=" + nonce;
final byte[] authMessage = (clientFirstMessageBare + ',' + new String(serverFirstMessage) + ',' final byte[] authMessage = (clientFirstMessageBare + ',' + new String(serverFirstMessage) + ','
+ clientFinalMessageWithoutProof).getBytes(); + clientFinalMessageWithoutProof).getBytes();
// Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations,SASL-Mechanism". // Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations,SASL-Mechanism".
final KeyPair keys = CACHE.get( final KeyPair keys = CACHE.get(
CryptoHelper.bytesToHex(account.getJid().asBareJid().toString().getBytes()) + "," CryptoHelper.bytesToHex(account.getJid().asBareJid().toString().getBytes()) + ","
+ CryptoHelper.bytesToHex(account.getPassword().getBytes()) + "," + CryptoHelper.bytesToHex(account.getPassword().getBytes()) + ","
+ CryptoHelper.bytesToHex(salt.getBytes()) + "," + CryptoHelper.bytesToHex(salt.getBytes()) + ","
+ String.valueOf(iterationCount) + String.valueOf(iterationCount) + ","
+ getMechanism() + getMechanism()
); );
if (keys == null) { if (keys == null) {
throw new AuthenticationException("Invalid keys generated"); throw new AuthenticationException("Invalid keys generated");
} }
final byte[] clientSignature; final byte[] clientSignature;
try { try {
serverSignature = hmac(keys.serverKey, authMessage); serverSignature = hmac(keys.serverKey, authMessage);
final byte[] storedKey = digest(keys.clientKey); final byte[] storedKey = digest(keys.clientKey);
clientSignature = hmac(storedKey, authMessage); clientSignature = hmac(storedKey, authMessage);
} catch (final InvalidKeyException e) { } catch (final InvalidKeyException e) {
throw new AuthenticationException(e); throw new AuthenticationException(e);
} }
final byte[] clientProof = new byte[keys.clientKey.length]; final byte[] clientProof = new byte[keys.clientKey.length];
for (int i = 0; i < clientProof.length; i++) { for (int i = 0; i < clientProof.length; i++) {
clientProof[i] = (byte) (keys.clientKey[i] ^ clientSignature[i]); clientProof[i] = (byte) (keys.clientKey[i] ^ clientSignature[i]);
} }
final String clientFinalMessage = clientFinalMessageWithoutProof + ",p=" + final String clientFinalMessage = clientFinalMessageWithoutProof + ",p=" +
Base64.encodeToString(clientProof, Base64.NO_WRAP); Base64.encodeToString(clientProof, Base64.NO_WRAP);
state = State.RESPONSE_SENT; state = State.RESPONSE_SENT;
return Base64.encodeToString(clientFinalMessage.getBytes(), Base64.NO_WRAP); return Base64.encodeToString(clientFinalMessage.getBytes(), Base64.NO_WRAP);
case RESPONSE_SENT: case RESPONSE_SENT:
try { try {
final String clientCalculatedServerFinalMessage = "v=" + final String clientCalculatedServerFinalMessage = "v=" +
Base64.encodeToString(serverSignature, Base64.NO_WRAP); Base64.encodeToString(serverSignature, Base64.NO_WRAP);
if (!clientCalculatedServerFinalMessage.equals(new String(Base64.decode(challenge, Base64.DEFAULT)))) { if (!clientCalculatedServerFinalMessage.equals(new String(Base64.decode(challenge, Base64.DEFAULT)))) {
throw new Exception(); throw new Exception();
} }
state = State.VALID_SERVER_RESPONSE; state = State.VALID_SERVER_RESPONSE;
return ""; return "";
} catch(Exception e) { } catch (Exception e) {
throw new AuthenticationException("Server final message does not match calculated final message"); throw new AuthenticationException("Server final message does not match calculated final message");
} }
default: default:
throw new InvalidStateException(state); throw new InvalidStateException(state);
} }
} }
private static synchronized byte[] hmac(final byte[] key, final byte[] input) private static class KeyPair {
throws InvalidKeyException { final byte[] clientKey;
HMAC.init(new KeyParameter(key)); final byte[] serverKey;
HMAC.update(input, 0, input.length);
final byte[] out = new byte[HMAC.getMacSize()];
HMAC.doFinal(out, 0);
return out;
}
public static synchronized byte[] digest(byte[] bytes) { KeyPair(final byte[] clientKey, final byte[] serverKey) {
DIGEST.reset(); this.clientKey = clientKey;
DIGEST.update(bytes, 0, bytes.length); this.serverKey = serverKey;
final byte[] out = new byte[DIGEST.getDigestSize()]; }
DIGEST.doFinal(out, 0); }
return out;
}
/*
* Hi() is, essentially, PBKDF2 [RFC2898] with HMAC() as the
* pseudorandom function (PRF) and with dkLen == output length of
* HMAC() == output length of H().
*/
private static synchronized byte[] hi(final byte[] key, final byte[] salt, final int iterations)
throws InvalidKeyException {
byte[] u = hmac(key, CryptoHelper.concatenateByteArrays(salt, CryptoHelper.ONE));
byte[] out = u.clone();
for (int i = 1; i < iterations; i++) {
u = hmac(key, u);
for (int j = 0; j < u.length; j++) {
out[j] ^= u[j];
}
}
return out;
}
} }