1package eu.siacs.conversations.crypto.sasl;
2
3import android.annotation.TargetApi;
4import android.os.Build;
5import android.util.Base64;
6import android.util.LruCache;
7
8import org.bouncycastle.crypto.Digest;
9import org.bouncycastle.crypto.macs.HMac;
10import org.bouncycastle.crypto.params.KeyParameter;
11
12import java.math.BigInteger;
13import java.nio.charset.Charset;
14import java.security.InvalidKeyException;
15import java.security.SecureRandom;
16
17import eu.siacs.conversations.entities.Account;
18import eu.siacs.conversations.utils.CryptoHelper;
19import eu.siacs.conversations.xml.TagWriter;
20
21@TargetApi(Build.VERSION_CODES.HONEYCOMB_MR1)
22abstract class ScramMechanism extends SaslMechanism {
23 // TODO: When channel binding (SCRAM-SHA1-PLUS) is supported in future, generalize this to indicate support and/or usage.
24 private final static String GS2_HEADER = "n,,";
25 private String clientFirstMessageBare;
26 private final String clientNonce;
27 private byte[] serverSignature = null;
28 static HMac HMAC;
29 static Digest DIGEST;
30 private static final byte[] CLIENT_KEY_BYTES = "Client Key".getBytes();
31 private static final byte[] SERVER_KEY_BYTES = "Server Key".getBytes();
32
33 private static class KeyPair {
34 final byte[] clientKey;
35 final byte[] serverKey;
36
37 KeyPair(final byte[] clientKey, final byte[] serverKey) {
38 this.clientKey = clientKey;
39 this.serverKey = serverKey;
40 }
41 }
42
43 static {
44 CACHE = new LruCache<String, KeyPair>(10) {
45 protected KeyPair create(final String k) {
46 // Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations,SASL-Mechanism".
47 // Changing any of these values forces a cache miss. `CryptoHelper.bytesToHex()'
48 // is applied to prevent commas in the strings breaking things.
49 final String[] kparts = k.split(",", 4);
50 try {
51 final byte[] saltedPassword, serverKey, clientKey;
52 saltedPassword = hi(CryptoHelper.hexToString(kparts[1]).getBytes(),
53 Base64.decode(CryptoHelper.hexToString(kparts[2]), Base64.DEFAULT), Integer.valueOf(kparts[3]));
54 serverKey = hmac(saltedPassword, SERVER_KEY_BYTES);
55 clientKey = hmac(saltedPassword, CLIENT_KEY_BYTES);
56
57 return new KeyPair(clientKey, serverKey);
58 } catch (final InvalidKeyException | NumberFormatException e) {
59 return null;
60 }
61 }
62 };
63 }
64
65 private static final LruCache<String, KeyPair> CACHE;
66
67 protected State state = State.INITIAL;
68
69 ScramMechanism(final TagWriter tagWriter, final Account account, final SecureRandom rng) {
70 super(tagWriter, account, rng);
71
72 // This nonce should be different for each authentication attempt.
73 clientNonce = CryptoHelper.random(100,rng);
74 clientFirstMessageBare = "";
75 }
76
77 @Override
78 public String getClientFirstMessage() {
79 if (clientFirstMessageBare.isEmpty() && state == State.INITIAL) {
80 clientFirstMessageBare = "n=" + CryptoHelper.saslEscape(CryptoHelper.saslPrep(account.getUsername())) +
81 ",r=" + this.clientNonce;
82 state = State.AUTH_TEXT_SENT;
83 }
84 return Base64.encodeToString(
85 (GS2_HEADER + clientFirstMessageBare).getBytes(Charset.defaultCharset()),
86 Base64.NO_WRAP);
87 }
88
89 @Override
90 public String getResponse(final String challenge) throws AuthenticationException {
91 switch (state) {
92 case AUTH_TEXT_SENT:
93 if (challenge == null) {
94 throw new AuthenticationException("challenge can not be null");
95 }
96 byte[] serverFirstMessage;
97 try {
98 serverFirstMessage = Base64.decode(challenge, Base64.DEFAULT);
99 } catch (IllegalArgumentException e) {
100 throw new AuthenticationException("Unable to decode server challenge",e);
101 }
102 final Tokenizer tokenizer = new Tokenizer(serverFirstMessage);
103 String nonce = "";
104 int iterationCount = -1;
105 String salt = "";
106 for (final String token : tokenizer) {
107 if (token.charAt(1) == '=') {
108 switch (token.charAt(0)) {
109 case 'i':
110 try {
111 iterationCount = Integer.parseInt(token.substring(2));
112 } catch (final NumberFormatException e) {
113 throw new AuthenticationException(e);
114 }
115 break;
116 case 's':
117 salt = token.substring(2);
118 break;
119 case 'r':
120 nonce = token.substring(2);
121 break;
122 case 'm':
123 /*
124 * RFC 5802:
125 * m: This attribute is reserved for future extensibility. In this
126 * version of SCRAM, its presence in a client or a server message
127 * MUST cause authentication failure when the attribute is parsed by
128 * the other end.
129 */
130 throw new AuthenticationException("Server sent reserved token: `m'");
131 }
132 }
133 }
134
135 if (iterationCount < 0) {
136 throw new AuthenticationException("Server did not send iteration count");
137 }
138 if (nonce.isEmpty() || !nonce.startsWith(clientNonce)) {
139 throw new AuthenticationException("Server nonce does not contain client nonce: " + nonce);
140 }
141 if (salt.isEmpty()) {
142 throw new AuthenticationException("Server sent empty salt");
143 }
144
145 final String clientFinalMessageWithoutProof = "c=" + Base64.encodeToString(
146 GS2_HEADER.getBytes(), Base64.NO_WRAP) + ",r=" + nonce;
147 final byte[] authMessage = (clientFirstMessageBare + ',' + new String(serverFirstMessage) + ','
148 + clientFinalMessageWithoutProof).getBytes();
149
150 // Map keys are "bytesToHex(JID),bytesToHex(password),bytesToHex(salt),iterations,SASL-Mechanism".
151 final KeyPair keys = CACHE.get(
152 CryptoHelper.bytesToHex(account.getJid().asBareJid().toString().getBytes()) + ","
153 + CryptoHelper.bytesToHex(account.getPassword().getBytes()) + ","
154 + CryptoHelper.bytesToHex(salt.getBytes()) + ","
155 + String.valueOf(iterationCount)
156 + getMechanism()
157 );
158 if (keys == null) {
159 throw new AuthenticationException("Invalid keys generated");
160 }
161 final byte[] clientSignature;
162 try {
163 serverSignature = hmac(keys.serverKey, authMessage);
164 final byte[] storedKey = digest(keys.clientKey);
165
166 clientSignature = hmac(storedKey, authMessage);
167
168 } catch (final InvalidKeyException e) {
169 throw new AuthenticationException(e);
170 }
171
172 final byte[] clientProof = new byte[keys.clientKey.length];
173
174 for (int i = 0; i < clientProof.length; i++) {
175 clientProof[i] = (byte) (keys.clientKey[i] ^ clientSignature[i]);
176 }
177
178
179 final String clientFinalMessage = clientFinalMessageWithoutProof + ",p=" +
180 Base64.encodeToString(clientProof, Base64.NO_WRAP);
181 state = State.RESPONSE_SENT;
182 return Base64.encodeToString(clientFinalMessage.getBytes(), Base64.NO_WRAP);
183 case RESPONSE_SENT:
184 try {
185 final String clientCalculatedServerFinalMessage = "v=" +
186 Base64.encodeToString(serverSignature, Base64.NO_WRAP);
187 if (!clientCalculatedServerFinalMessage.equals(new String(Base64.decode(challenge, Base64.DEFAULT)))) {
188 throw new Exception();
189 }
190 state = State.VALID_SERVER_RESPONSE;
191 return "";
192 } catch(Exception e) {
193 throw new AuthenticationException("Server final message does not match calculated final message");
194 }
195 default:
196 throw new InvalidStateException(state);
197 }
198 }
199
200 private static synchronized byte[] hmac(final byte[] key, final byte[] input)
201 throws InvalidKeyException {
202 HMAC.init(new KeyParameter(key));
203 HMAC.update(input, 0, input.length);
204 final byte[] out = new byte[HMAC.getMacSize()];
205 HMAC.doFinal(out, 0);
206 return out;
207 }
208
209 public static synchronized byte[] digest(byte[] bytes) {
210 DIGEST.reset();
211 DIGEST.update(bytes, 0, bytes.length);
212 final byte[] out = new byte[DIGEST.getDigestSize()];
213 DIGEST.doFinal(out, 0);
214 return out;
215 }
216
217 /*
218 * Hi() is, essentially, PBKDF2 [RFC2898] with HMAC() as the
219 * pseudorandom function (PRF) and with dkLen == output length of
220 * HMAC() == output length of H().
221 */
222 private static synchronized byte[] hi(final byte[] key, final byte[] salt, final int iterations)
223 throws InvalidKeyException {
224 byte[] u = hmac(key, CryptoHelper.concatenateByteArrays(salt, CryptoHelper.ONE));
225 byte[] out = u.clone();
226 for (int i = 1; i < iterations; i++) {
227 u = hmac(key, u);
228 for (int j = 0; j < u.length; j++) {
229 out[j] ^= u[j];
230 }
231 }
232 return out;
233 }
234}