1package eu.siacs.conversations.crypto.sasl;
2
3import android.util.Base64;
4import android.util.LruCache;
5
6import org.bouncycastle.crypto.Digest;
7import org.bouncycastle.crypto.digests.SHA1Digest;
8import org.bouncycastle.crypto.macs.HMac;
9import org.bouncycastle.crypto.params.KeyParameter;
10
11import java.math.BigInteger;
12import java.nio.charset.Charset;
13import java.security.InvalidKeyException;
14import java.security.SecureRandom;
15
16import eu.siacs.conversations.entities.Account;
17import eu.siacs.conversations.utils.CryptoHelper;
18import eu.siacs.conversations.xml.TagWriter;
19
20public class ScramSha1 extends SaslMechanism {
21 // TODO: When channel binding (SCRAM-SHA1-PLUS) is supported in future, generalize this to indicate support and/or usage.
22 final private static String GS2_HEADER = "n,,";
23 private String clientFirstMessageBare;
24 final private String clientNonce;
25 private byte[] serverSignature = null;
26 private static HMac HMAC;
27 private static Digest DIGEST;
28 private static final byte[] CLIENT_KEY_BYTES = "Client Key".getBytes();
29 private static final byte[] SERVER_KEY_BYTES = "Server Key".getBytes();
30
31 public static class KeyPair {
32 final public byte[] clientKey;
33 final public byte[] serverKey;
34
35 public KeyPair(final byte[] clientKey, final byte[] serverKey) {
36 this.clientKey = clientKey;
37 this.serverKey = serverKey;
38 }
39 }
40
41 private static final LruCache<String, KeyPair> CACHE;
42
43 static {
44 DIGEST = new SHA1Digest();
45 HMAC = new HMac(new SHA1Digest());
46 CACHE = new LruCache<String, KeyPair>(10) {
47 protected KeyPair create(final String k) {
48 // Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations".
49 // Changing any of these values forces a cache miss. `CryptoHelper.bytesToHex()'
50 // is applied to prevent commas in the strings breaking things.
51 final String[] kparts = k.split(",", 4);
52 try {
53 final byte[] saltedPassword, serverKey, clientKey;
54 saltedPassword = hi(CryptoHelper.hexToString(kparts[1]).getBytes(),
55 Base64.decode(CryptoHelper.hexToString(kparts[2]), Base64.DEFAULT), Integer.valueOf(kparts[3]));
56 serverKey = hmac(saltedPassword, SERVER_KEY_BYTES);
57 clientKey = hmac(saltedPassword, CLIENT_KEY_BYTES);
58
59 return new KeyPair(clientKey, serverKey);
60 } catch (final InvalidKeyException | NumberFormatException e) {
61 return null;
62 }
63 }
64 };
65 }
66
67 private State state = State.INITIAL;
68
69 public ScramSha1(final TagWriter tagWriter, final Account account, final SecureRandom rng) {
70 super(tagWriter, account, rng);
71
72 // This nonce should be different for each authentication attempt.
73 clientNonce = new BigInteger(100, this.rng).toString(32);
74 clientFirstMessageBare = "";
75 }
76
77 @Override
78 public int getPriority() {
79 return 20;
80 }
81
82 @Override
83 public String getMechanism() {
84 return "SCRAM-SHA-1";
85 }
86
87 @Override
88 public String getClientFirstMessage() {
89 if (clientFirstMessageBare.isEmpty() && state == State.INITIAL) {
90 clientFirstMessageBare = "n=" + CryptoHelper.saslEscape(CryptoHelper.saslPrep(account.getUsername())) +
91 ",r=" + this.clientNonce;
92 state = State.AUTH_TEXT_SENT;
93 }
94 return Base64.encodeToString(
95 (GS2_HEADER + clientFirstMessageBare).getBytes(Charset.defaultCharset()),
96 Base64.NO_WRAP);
97 }
98
99 @Override
100 public String getResponse(final String challenge) throws AuthenticationException {
101 switch (state) {
102 case AUTH_TEXT_SENT:
103 if (challenge == null) {
104 throw new AuthenticationException("challenge can not be null");
105 }
106 byte[] serverFirstMessage = Base64.decode(challenge, Base64.DEFAULT);
107 final Tokenizer tokenizer = new Tokenizer(serverFirstMessage);
108 String nonce = "";
109 int iterationCount = -1;
110 String salt = "";
111 for (final String token : tokenizer) {
112 if (token.charAt(1) == '=') {
113 switch (token.charAt(0)) {
114 case 'i':
115 try {
116 iterationCount = Integer.parseInt(token.substring(2));
117 } catch (final NumberFormatException e) {
118 throw new AuthenticationException(e);
119 }
120 break;
121 case 's':
122 salt = token.substring(2);
123 break;
124 case 'r':
125 nonce = token.substring(2);
126 break;
127 case 'm':
128 /*
129 * RFC 5802:
130 * m: This attribute is reserved for future extensibility. In this
131 * version of SCRAM, its presence in a client or a server message
132 * MUST cause authentication failure when the attribute is parsed by
133 * the other end.
134 */
135 throw new AuthenticationException("Server sent reserved token: `m'");
136 }
137 }
138 }
139
140 if (iterationCount < 0) {
141 throw new AuthenticationException("Server did not send iteration count");
142 }
143 if (nonce.isEmpty() || !nonce.startsWith(clientNonce)) {
144 throw new AuthenticationException("Server nonce does not contain client nonce: " + nonce);
145 }
146 if (salt.isEmpty()) {
147 throw new AuthenticationException("Server sent empty salt");
148 }
149
150 final String clientFinalMessageWithoutProof = "c=" + Base64.encodeToString(
151 GS2_HEADER.getBytes(), Base64.NO_WRAP) + ",r=" + nonce;
152 final byte[] authMessage = (clientFirstMessageBare + ',' + new String(serverFirstMessage) + ','
153 + clientFinalMessageWithoutProof).getBytes();
154
155 // Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations".
156 final KeyPair keys = CACHE.get(
157 CryptoHelper.bytesToHex(account.getJid().toBareJid().toString().getBytes()) + ","
158 + CryptoHelper.bytesToHex(account.getPassword().getBytes()) + ","
159 + CryptoHelper.bytesToHex(salt.getBytes()) + ","
160 + String.valueOf(iterationCount)
161 );
162 if (keys == null) {
163 throw new AuthenticationException("Invalid keys generated");
164 }
165 final byte[] clientSignature;
166 try {
167 serverSignature = hmac(keys.serverKey, authMessage);
168 final byte[] storedKey = digest(keys.clientKey);
169
170 clientSignature = hmac(storedKey, authMessage);
171
172 } catch (final InvalidKeyException e) {
173 throw new AuthenticationException(e);
174 }
175
176 final byte[] clientProof = new byte[keys.clientKey.length];
177
178 for (int i = 0; i < clientProof.length; i++) {
179 clientProof[i] = (byte) (keys.clientKey[i] ^ clientSignature[i]);
180 }
181
182
183 final String clientFinalMessage = clientFinalMessageWithoutProof + ",p=" +
184 Base64.encodeToString(clientProof, Base64.NO_WRAP);
185 state = State.RESPONSE_SENT;
186 return Base64.encodeToString(clientFinalMessage.getBytes(), Base64.NO_WRAP);
187 case RESPONSE_SENT:
188 try {
189 final String clientCalculatedServerFinalMessage = "v=" +
190 Base64.encodeToString(serverSignature, Base64.NO_WRAP);
191 if (!clientCalculatedServerFinalMessage.equals(new String(Base64.decode(challenge, Base64.DEFAULT)))) {
192 throw new Exception();
193 };
194 state = State.VALID_SERVER_RESPONSE;
195 return "";
196 } catch(Exception e) {
197 throw new AuthenticationException("Server final message does not match calculated final message");
198 }
199 default:
200 throw new InvalidStateException(state);
201 }
202 }
203
204 public static synchronized byte[] hmac(final byte[] key, final byte[] input)
205 throws InvalidKeyException {
206 HMAC.init(new KeyParameter(key));
207 HMAC.update(input, 0, input.length);
208 final byte[] out = new byte[HMAC.getMacSize()];
209 HMAC.doFinal(out, 0);
210 return out;
211 }
212
213 public static synchronized byte[] digest(byte[] bytes) {
214 DIGEST.reset();
215 DIGEST.update(bytes, 0, bytes.length);
216 final byte[] out = new byte[DIGEST.getDigestSize()];
217 DIGEST.doFinal(out, 0);
218 return out;
219 }
220
221 /*
222 * Hi() is, essentially, PBKDF2 [RFC2898] with HMAC() as the
223 * pseudorandom function (PRF) and with dkLen == output length of
224 * HMAC() == output length of H().
225 */
226 private static synchronized byte[] hi(final byte[] key, final byte[] salt, final int iterations)
227 throws InvalidKeyException {
228 byte[] u = hmac(key, CryptoHelper.concatenateByteArrays(salt, CryptoHelper.ONE));
229 byte[] out = u.clone();
230 for (int i = 1; i < iterations; i++) {
231 u = hmac(key, u);
232 for (int j = 0; j < u.length; j++) {
233 out[j] ^= u[j];
234 }
235 }
236 return out;
237 }
238}