add server implementation

Author: ba0f3

scram.nimble

@@ -1,4 +1,4 @@
-version       = "0.1.1"
+version       = "0.1.2"
 author        = "Huy Doan"
 description   = "Salted Challenge Response Authentication Mechanism (SCRAM) "
 license       = "MIT"

scram/client.nim

@@ -1,55 +1,20 @@
 import base64, pegs, random, strutils, hmac, nimSHA2, securehash, md5, private/[utils,types]
 
-export MD5Digest, Sha256Digest, Sha512Digest
+export MD5Digest, SHA1Digest, SHA256Digest, SHA512Digest
 
 type
   ScramClient[T] = ref object of RootObj
     clientNonce: string
-    clientFirstBareMessage: string
+    clientFirstMessageBare: string
     state: ScramState
     isSuccessful: bool
     serverSignature: T
 
-const
-  GS2_HEADER = "n,,"
-  INT_1 = "\x0\x0\x0\x1"
-  CLIENT_KEY = "Client Key"
-  SERVER_KEY = "Server Key"
-
 let
   SERVER_FIRST_MESSAGE = peg"'r='{[^,]*}',s='{[^,]*}',i='{\d+}$"
   SERVER_FINAL_MESSAGE = peg"'v='{[^,]*}$"
 
 
-proc HMAC[T](password, salt: string): T =
-  when T is MD5Digest:
-    result = hmac_md5(password, salt)
-  elif T is Sha1Digest:
-    result = Sha1Digest(hmac_sha1(password, salt))
-  elif T is Sha256Digest:
-    result = hmac_sha256(password, salt)
-  elif T is Sha512Digest:
-    result = hmac_sha512(password, salt)
-
-proc HASH[T](s: string): T =
-  when T is MD5Digest:
-    result = hash_md5(s)
-  elif T is Sha1Digest:
-    result = Sha1Digest(hash_sha1(s))
-  elif T is Sha256Digest:
-    result = hash_sha256(s)
-  elif T is Sha512Digest:
-    result = hash_sha512(s)
-
-
-proc hi[T](s: ScramClient[T], password, salt: string, iterations: int): T =
-  var previous: T
-  result = HMAC[T](password, salt & INT_1)
-  previous = result
-  for _ in 1..<iterations:
-    previous = HMAC[T](password, $previous)
-    result ^= previous
-
 proc newScramClient*[T](): ScramClient[T] =
   result = new(ScramClient[T])
   result.state = INITIAL
@@ -60,27 +25,24 @@ proc prepareFirstMessage*(s: ScramClient, username: string): string {.raises: [S
   if username.isNilOrEmpty:
     raise newException(ScramError, "username cannot be nil or empty")
   var username = username.replace("=", "=3D").replace(",", "=2C")
-  s.clientFirstBareMessage = "n="
-  s.clientFirstBareMessage.add(username)
-  s.clientFirstBareMessage.add(",r=")
-  s.clientFirstBareMessage.add(s.clientNonce)
+  s.clientFirstMessageBare = "n="
+  s.clientFirstMessageBare.add(username)
+  s.clientFirstMessageBare.add(",r=")
+  s.clientFirstMessageBare.add(s.clientNonce)
 
-  result = GS2_HEADER & s.clientFirstBareMessage
+  result = GS2_HEADER & s.clientFirstMessageBare
   s.state = FIRST_PREPARED
 
 proc prepareFinalMessage*[T](s: ScramClient[T], password, serverFirstMessage: string): string {.raises: [ScramError, OverflowError, ValueError].} =
   if s.state != FIRST_PREPARED:
     raise newException(ScramError, "First message have not been prepared, call prepareFirstMessage() first")
-
   var
     nonce, salt: string
     iterations: int
-
   var matches: array[3, string]
   if match(serverFirstMessage, SERVER_FIRST_MESSAGE, matches):
-#  if serverFirstMessage =~ SERVER_FIRST_MESSAGE:
     nonce = matches[0]
-    salt = decode(matches[1])
+    salt = base64.decode(matches[1])
     iterations = parseInt(matches[2])
   else:
     s.state = ENDED
@@ -91,28 +53,26 @@ proc prepareFinalMessage*[T](s: ScramClient[T], password, serverFirstMessage: st
     return nil
 
   let
-    saltedPassword = s.hi(password, salt, iterations)
+    saltedPassword = hi[T](password, salt, iterations)
     clientKey = HMAC[T]($saltedPassword, CLIENT_KEY)
     storedKey = HASH[T]($clientKey)
     serverKey = HMAC[T]($saltedPassword, SERVER_KEY)
-    clientFinalMessageWithoutProof = "c=" & encode(GS2_HEADER) & ",r=" & nonce
-    authMessage = s.clientFirstBareMessage & "," & serverFirstMessage & "," & clientFinalMessageWithoutProof
+    clientFinalMessageWithoutProof = "c=" & base64.encode(GS2_HEADER) & ",r=" & nonce
+    authMessage = s.clientFirstMessageBare & "," & serverFirstMessage & "," & clientFinalMessageWithoutProof
     clientSignature = HMAC[T]($storedKey, authMessage)
-
   s.serverSignature = HMAC[T]($serverKey, authMessage)
-
   var clientProof = clientKey
   clientProof ^= clientSignature
   s.state = FINAL_PREPARED
-  result = clientFinalMessageWithoutProof & ",p=" & encode(clientProof, newLine="")
+  result = clientFinalMessageWithoutProof & ",p=" & base64.encode(clientProof, newLine="")
 
 proc verifyServerFinalMessage*(s: ScramClient, serverFinalMessage: string): bool =
   if s.state != FINAL_PREPARED:
     raise newException(ScramError, "You can call this method only once after calling prepareFinalMessage()")
   s.state = ENDED
   var matches: array[1, string]
   if match(serverFinalMessage, SERVER_FINAL_MESSAGE, matches):
-    let proposedServerSignature = decode(matches[0])
+    let proposedServerSignature = base64.decode(matches[0])
     s.isSuccessful = proposedServerSignature == s.serverSignature
   result = s.isSuccessful
 

scram/private/types.nim

@@ -13,4 +13,11 @@ type
     INITIAL
     FIRST_PREPARED
     FINAL_PREPARED
+    FIRST_CLIENT_MESSAGE_HANDLED
     ENDED
+
+const
+  GS2_HEADER* = "n,,"
+  INT_1* = "\x0\x0\x0\x1"
+  CLIENT_KEY* = "Client Key"
+  SERVER_KEY* = "Server Key"

scram/private/utils.nim

@@ -1,16 +1,49 @@
-import random, base64, strutils, types
+import random, base64, strutils, types, hmac
 randomize()
 
 proc `$`*(sha: Sha1Digest): string =
   result = ""
   for v in sha:
     result.add(toHex(int(v), 2))
 
-proc makeNonce*(): string {.inline.} = result = encode($random(1.0))[0..^3]
+proc makeNonce*(): string {.inline.} = result = base64.encode($random(1.0))[0..^3]
 
 template `^=`*[T](a, b: T) =
-  for x in 0..<sizeof(a):
+  for x in 0..<a.len:
     when T is Sha1Digest:
       a[x] = (a[x].int32 xor b[x].int32).uint8
     else:
       a[x] = (a[x].int32 xor b[x].int32).char
+
+proc HMAC*[T](password, salt: string): T =
+  when T is MD5Digest:
+    result = hmac_md5(password, salt)
+  elif T is Sha1Digest:
+    result = Sha1Digest(hmac_sha1(password, salt))
+  elif T is Sha256Digest:
+    result = hmac_sha256(password, salt)
+  elif T is Sha512Digest:
+    result = hmac_sha512(password, salt)
+
+proc HASH*[T](s: string): T =
+  when T is MD5Digest:
+    result = hash_md5(s)
+  elif T is Sha1Digest:
+    result = Sha1Digest(hash_sha1(s))
+  elif T is Sha256Digest:
+    result = hash_sha256(s)
+  elif T is Sha512Digest:
+    result = hash_sha512(s)
+
+proc hi*[T](password, salt: string, iterations: int): T =
+  var previous: T
+  result = HMAC[T](password, salt & INT_1)
+  previous = result
+  for _ in 1..<iterations:
+    previous = HMAC[T](password, $previous)
+    result ^= previous
+
+proc debug*[T](s: T): string =
+  result = ""
+  for x in s:
+    result.add x.uint8.toHex & " "

scram/server.nim

@@ -0,0 +1,143 @@
+import base64, pegs, random, strutils, hmac, nimSHA2, securehash, md5, private/[utils,types]
+
+type
+  ScramServer*[T] = ref object of RootObj
+    serverNonce: string
+    clientFirstMessageBare: string
+    serverFirstMessage: string
+    state: ScramState
+    isSuccessful: bool
+    userData: UserData
+
+  UserData* = object
+    salt: string
+    iterations: int
+    serverKey: string
+    storedKey: string
+
+let
+  CLIENT_FIRST_MESSAGE = peg"^([pny]'='?([^,]*)','([^,]*)','){('m='([^,]*)',')?'n='{[^,]*}',r='{[^,]*}(','(.*))*}$"
+  CLIENT_FINAL_MESSAGE = peg"{'c='{[^,]*}',r='{[^,]*}}',p='{.*}$"
+
+proc initUserData*(password: string, iterations = 4096): UserData =
+  var iterations = iterations
+  var password = password
+  if password.isNilOrEmpty:
+    password =""
+    iterations = 1
+
+  let
+    salt = makeNonce()[0..24]
+    saltedPassword = hi[SHA256Digest](password, salt, iterations)
+    clientKey = HMAC[SHA256Digest]($saltedPassword, CLIENT_KEY)
+    storedKey = HASH[SHA256Digest]($clientKey)
+    serverKey = HMAC[SHA256Digest]($saltedPassword, SERVER_KEY)
+
+  result.salt = base64.encode(salt)
+  result.iterations = iterations
+  result.storedKey = base64.encode($storedKey)
+  result.serverKey = base64.encode($serverKey)
+
+proc initUserData*(salt: string, iterations: int, serverKey, storedKey: string): UserData =
+  result.salt = salt
+  result.iterations = iterations
+  result.serverKey = serverKey
+  result.storedKey = storedKey
+
+proc newScramServer*[T](salt: string = nil, iterations = 4096): ScramServer[T] =
+  result = new(ScramServer[T])
+  result.state = INITIAL
+  result.isSuccessful = false
+
+proc handleClientFirstMessage*[T](s: ScramServer[T],clientFirstMessage: string): string =
+  var matches: array[3, string]
+  if not match(clientFirstMessage, CLIENT_FIRST_MESSAGE, matches):
+    s.state = ENDED
+    return nil
+  s.clientFirstMessageBare = matches[0]
+  s.serverNonce = matches[2] & makeNonce()
+  s.state = FIRST_CLIENT_MESSAGE_HANDLED
+  result = matches[1] # username
+
+proc prepareFirstMessage*(s: ScramServer, userData: UserData): string =
+  s.state = FIRST_PREPARED
+  s.userData = userData
+  s.serverFirstMessage = "r=$#,s=$#,i=$#" % [s.serverNonce, userData.salt, $userData.iterations]
+  result = s.serverFirstMessage
+
+proc prepareFinalMessage*[T](s: ScramServer[T], clientFinalMessage: string): string =
+  var matches: array[4, string]
+  if not match(clientFinalMessage, CLIENT_FINAL_MESSAGE, matches):
+    s.state = ENDED
+    return nil
+  let
+    clientFinalMessageWithoutProof = matches[0]
+    nonce = matches[2]
+    proof = matches[3]
+
+  if nonce != s.serverNonce:
+    s.state = ENDED
+    return nil
+
+  let
+    authMessage = join([s.clientFirstMessageBare, s.serverFirstMessage, clientFinalMessageWithoutProof], ",")
+    storedKey = base64.decode(s.userData.storedKey)
+    clientSignature = HMAC[T](storedKey, authMessage)
+    serverSignature = HMAC[T](decode(s.userData.serverKey), authMessage)
+    decodedProof = base64.decode(proof)
+  var clientKey = $clientSignature
+  clientKey ^= decodedProof
+
+  let resultKey = $HASH[T](clientKey)
+  echo "Result Key: ", base64.encode(resultKey)
+  if resultKey != storedKey:
+    return nil
+
+  s.isSuccessful = true
+  s.state = ENDED
+  result = "v=" & base64.encode(serverSignature, newLine="")
+
+
+proc isSuccessful*(s: ScramServer): bool =
+  if s.state != ENDED:
+    raise newException(ScramError, "You cannot call this method before authentication is ended")
+    return s.isSuccessful
+
+proc isEnded*(s: ScramServer): bool =
+  result = s.state == ENDED
+
+proc getState*(s: ScramServer): ScramState =
+  result = s.state
+
+when isMainModule:
+  import client as c
+  var
+    username = "bob"
+    password = "secret"
+    userdata = initUserData(password)
+
+    server = newScramServer[SHA256Digest]()
+    client = newScramClient[SHA256Digest]()
+
+  let clientFirstMessage = client.prepareFirstMessage(username)
+  echo "Client first message: ", clientFirstMessage
+
+  let username1 = server.handleClientFirstMessage(clientFirstMessage)
+  assert(username1 == username)
+
+  let serverFirstMessage = server.prepareFirstMessage(userdata)
+  echo "Server first message: ", serverFirstMessage
+
+  let clientFinalMessage = client.prepareFinalMessage(password, serverFirstMessage)
+  echo "Client final mesage: ", clientFinalMessage
+
+  let serverFinalMessage = server.prepareFinalMessage(clientFinalMessage)
+  echo "Server final mesage: ", serverFinalMessage
+
+  assert client.verifyServerFinalMessage(serverFinalMessage) == true
+  assert client.isSuccessful() == true
+
+
+
+
+