/* * Copyright (c) 2011, Florian Zeitz <florob@babelmonkeys.de> * Copyright (c) 2011, Jonathan Schleifer <js@webkeks.org> * * https://webkeks.org/hg/objxmpp/ * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice is present in all copies. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include <string.h> #import "XMPPSCRAMAuth.h" #import "XMPPExceptions.h" #define HMAC_IPAD 0x36 #define HMAC_OPAD 0x5c #ifndef HAVE_ARC4RANDOM_UNIFORM extern uint32_t arc4random_uniform(uint32_t); #endif @implementation XMPPSCRAMAuth + SCRAMAuthWithAuthcid: (OFString*)authcid password: (OFString*)password hash: (Class)hash; { return [[[self alloc] initWithAuthcid: authcid password: password hash: hash] autorelease]; } + SCRAMAuthWithAuthzid: (OFString*)authzid authcid: (OFString*)authcid password: (OFString*)password hash: (Class)hash; { return [[[self alloc] initWithAuthzid: authzid authcid: authcid password: password hash: hash] autorelease]; } - initWithAuthcid: (OFString*)authcid_ password: (OFString*)password_ hash: (Class)hash; { return [self initWithAuthzid: nil authcid: authcid_ password: password_ hash: hash]; } - initWithAuthzid: (OFString*)authzid_ authcid: (OFString*)authcid_ password: (OFString*)password_ hash: (Class)hash; { self = [super initWithAuthzid: authzid_ authcid: authcid_ password: password_]; hashType = hash; return self; } - (void)dealloc { [GS2Header release]; [clientFirstMessageBare release]; [serverSignature release]; [cNonce release]; [super dealloc]; } - (void)setAuthzid: (OFString*)authzid_ { OFString *old = authzid; if (authzid_) { OFMutableString *new = [[authzid_ mutableCopy] autorelease]; [new replaceOccurrencesOfString: @"=" withString: @"=3D"]; [new replaceOccurrencesOfString: @"," withString: @"=2C"]; authzid = [new retain]; } else authzid = nil; [old release]; } - (void)setAuthcid: (OFString*)authcid_ { OFString *old = authcid; if (authcid_) { OFMutableString *new = [[authcid_ mutableCopy] autorelease]; [new replaceOccurrencesOfString: @"=" withString: @"=3D"]; [new replaceOccurrencesOfString: @"," withString: @"=2C"]; authcid = [new retain]; } else authcid = nil; [old release]; } - (OFString*)_genNonce { OFMutableString *nonce = [OFMutableString string]; uint32_t res, i; for (i = 0; i < 64; i++) { while ((res = arc4random_uniform('~' - '!' + 1) + '!') == ','); [nonce appendFormat: @"%c", res]; } return nonce; } - (uint8_t*)_HMACWithKey: (OFDataArray*)key data: (OFDataArray*)data { OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; OFDataArray *k = [OFDataArray dataArrayWithItemSize: 1]; size_t i, kSize, blockSize = [hashType blockSize]; uint8_t *kCArray, *kI = NULL, *kO = NULL; OFHash *hash; if (key.itemSize * key.count > blockSize) { hash = [[[hashType alloc] init] autorelease]; [hash updateWithBuffer: [key cArray] ofSize: key.itemSize * key.count]; [k addNItems: [hashType digestSize] fromCArray: [hash digest]]; } else [k addNItems: key.itemSize * key.count fromCArray: [key cArray]]; @try { kI = [self allocMemoryWithSize: blockSize * sizeof(uint8_t)]; memset(kI, HMAC_IPAD, blockSize * sizeof(uint8_t)); kO = [self allocMemoryWithSize: blockSize * sizeof(uint8_t)]; memset(kO, HMAC_OPAD, blockSize * sizeof(uint8_t)); kCArray = [k cArray]; kSize = k.count; for (i = 0; i < kSize; i++) { kI[i] ^= kCArray[i]; kO[i] ^= kCArray[i]; } k = [OFDataArray dataArrayWithItemSize: 1]; [k addNItems: blockSize fromCArray: kI]; [k addNItems: data.itemSize * data.count fromCArray: [data cArray]]; hash = [[[hashType alloc] init] autorelease]; [hash updateWithBuffer: [k cArray] ofSize: k.count]; k = [OFDataArray dataArrayWithItemSize: 1]; [k addNItems: blockSize fromCArray: kO]; [k addNItems: [hashType digestSize] fromCArray: [hash digest]]; } @finally { [self freeMemory: kI]; [self freeMemory: kO]; } hash = [[[hashType alloc] init] autorelease]; [hash updateWithBuffer: [k cArray] ofSize: k.count]; [hash retain]; [pool release]; return [hash digest]; } - (OFDataArray*)_hiWithData: (OFDataArray *)str salt: (OFDataArray *)salt_ iterationCount: (intmax_t)i { OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; size_t digestSize = [hashType digestSize]; uint8_t *result = NULL, *u, *uOld; intmax_t j, k; OFDataArray *salty, *tmp, *ret; result = [self allocMemoryWithSize: digestSize]; @try { memset(result, 0, digestSize); salty = [[salt_ copy] autorelease]; [salty addNItems: 4 fromCArray: "\0\0\0\1"]; uOld = [self _HMACWithKey: str data: salty]; for (j = 0; j < digestSize; j++) result[j] ^= uOld[j]; for (j = 0; j < i - 1; j++) { tmp = [OFDataArray dataArrayWithItemSize: 1]; [tmp addNItems: digestSize fromCArray: uOld]; u = [self _HMACWithKey: str data: tmp]; for (k = 0; k < digestSize; k++) result[k] ^= u[k]; uOld = u; [pool releaseObjects]; } ret = [OFDataArray dataArrayWithItemSize: 1]; [ret addNItems: digestSize fromCArray: result]; } @finally { [self freeMemory: result]; } [ret retain]; [pool release]; return [ret autorelease]; } - (OFDataArray*)clientFirstMessage { OFDataArray *ret = [OFDataArray dataArrayWithItemSize: 1]; [GS2Header release]; GS2Header = nil; if (authzid) GS2Header = [[OFString alloc] initWithFormat: @"n,a=%@,", authzid]; else GS2Header = @"n,,"; [cNonce release]; cNonce = nil; cNonce = [[self _genNonce] retain]; [clientFirstMessageBare release]; clientFirstMessageBare = nil; clientFirstMessageBare = [[OFString alloc] initWithFormat: @"n=%@,r=%@", authcid, cNonce]; [ret addNItems: [GS2Header cStringLength] fromCArray: [GS2Header cString]]; [ret addNItems: [clientFirstMessageBare cStringLength] fromCArray: [clientFirstMessageBare cString]]; return ret; } - (OFDataArray*)calculateResponseWithChallenge: (OFDataArray*)challenge { size_t i; uint8_t *clientKey, *serverKey, *clientSignature; intmax_t iterCount; OFHash *hash; OFDataArray *ret, *authMessage, *tmpArray, *salt, *saltedPassword; OFString *tmpString, *sNonce; OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; hash = [[[hashType alloc] init] autorelease]; ret = [OFDataArray dataArrayWithItemSize: 1]; authMessage = [OFDataArray dataArrayWithItemSize: 1]; OFString *chal = [OFString stringWithCString: [challenge cArray] length: [challenge count] * [challenge itemSize]]; for (OFString *comp in [chal componentsSeparatedByString: @","]) { OFString *entry = [comp substringFromIndex: 2 toIndex: [comp length]]; if ([comp hasPrefix: @"r="]) { if (![entry hasPrefix: cNonce]) @throw [XMPPAuthFailedException newWithClass: isa connection: nil reason: @"Received wrong nonce"]; sNonce = entry; } else if ([comp hasPrefix: @"s="]) salt = [OFDataArray dataArrayWithBase64EncodedString: entry]; else if ([comp hasPrefix: @"i="]) iterCount = [entry decimalValue]; } // Add c=<base64(GS2Header+channelBindingData)> // XXX: No channel binding for now tmpArray = [OFDataArray dataArrayWithItemSize: 1]; [tmpArray addNItems: [GS2Header cStringLength] fromCArray: [GS2Header cString]]; tmpString = [tmpArray stringByBase64Encoding]; [ret addNItems: 2 fromCArray: "c="]; [ret addNItems: [tmpString cStringLength] fromCArray: [tmpString cString]]; // Add r=<nonce> [ret addItem: ","]; [ret addNItems: 2 fromCArray: "r="]; [ret addNItems: [sNonce cStringLength] fromCArray: [sNonce cString]]; tmpArray = [OFDataArray dataArrayWithItemSize: 1]; [tmpArray addNItems: [password cStringLength] fromCArray: [password cString]]; /* * IETF RFC 5802: * SaltedPassword := Hi(Normalize(password), salt, i) */ saltedPassword = [self _hiWithData: tmpArray salt: salt iterationCount: iterCount]; /* * IETF RFC 5802: * AuthMessage := client-first-message-bare + "," + * server-first-message + "," + * client-final-message-without-proof */ [authMessage addNItems: [clientFirstMessageBare cStringLength] fromCArray: [clientFirstMessageBare cString]]; [authMessage addItem: ","]; [authMessage addNItems: [challenge count] * [challenge itemSize] fromCArray: [challenge cArray]]; [authMessage addItem: ","]; [authMessage addNItems: [ret count] fromCArray: [ret cArray]]; /* * IETF RFC 5802: * ClientKey := HMAC(SaltedPassword, "Client Key") */ tmpArray = [OFDataArray dataArrayWithItemSize: 1]; [tmpArray addNItems: 10 fromCArray: "Client Key"]; clientKey = [self _HMACWithKey: saltedPassword data: tmpArray]; /* * IETF RFC 5802: * StoredKey := H(ClientKey) */ [hash updateWithBuffer: (void*) clientKey ofSize: [hashType digestSize]]; tmpArray = [OFDataArray dataArrayWithItemSize: 1]; [tmpArray addNItems: [hashType digestSize] fromCArray: [hash digest]]; /* * IETF RFC 5802: * ClientSignature := HMAC(StoredKey, AuthMessage) */ clientSignature = [self _HMACWithKey: tmpArray data: authMessage]; /* * IETF RFC 5802: * ServerKey := HMAC(SaltedPassword, "Server Key") */ tmpArray = [OFDataArray dataArrayWithItemSize: 1]; [tmpArray addNItems: 10 fromCArray: "Server Key"]; serverKey = [self _HMACWithKey: saltedPassword data: tmpArray]; /* * IETF RFC 5802: * ServerSignature := HMAC(ServerKey, AuthMessage) */ tmpArray = [OFDataArray dataArrayWithItemSize: 1]; [tmpArray addNItems: [hashType digestSize] fromCArray: serverKey]; serverSignature = [[OFDataArray alloc] initWithItemSize: 1]; [serverSignature addNItems: [hashType digestSize] fromCArray: [self _HMACWithKey: tmpArray data: authMessage]]; /* * IETF RFC 5802: * ClientProof := ClientKey XOR ClientSignature */ tmpArray = [OFDataArray dataArrayWithItemSize: 1]; for (i = 0; i < [hashType digestSize]; i++) { uint8_t c = clientKey[i] ^ clientSignature[i]; [tmpArray addItem: &c]; } // Add p=<base64(ClientProof)> [ret addItem: ","]; [ret addNItems: 2 fromCArray: "p="]; tmpString = [tmpArray stringByBase64Encoding]; [ret addNItems: [tmpString cStringLength] fromCArray: [tmpString cString]]; [ret retain]; [pool release]; return [ret autorelease]; } - (void)parseServerFinalMessage: (OFDataArray*)message { OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; OFString *mess = [OFString stringWithCString: [message cArray] length: [message count] * [message itemSize]]; OFString *value = [mess substringFromIndex: 2 toIndex: [mess length]]; if ([mess hasPrefix: @"v="]) { if (![value isEqual: [serverSignature stringByBase64Encoding]]) @throw [XMPPAuthFailedException newWithClass: isa connection: nil reason: @"Received wrong ServerSignature"]; } else @throw [XMPPAuthFailedException newWithClass: isa connection: nil reason: value]; [pool release]; } @end