bitbot-3.11-fork/modules/sasl/scram.py

import base64, enum, hashlib, hmac, typing, uuid

def _scram_nonce():
    return uuid.uuid4().hex.encode("utf8")
def _scram_escape(s):
    return s.replace(b"=", b"=3D").replace(b",", b"=2C")
def _scram_unescape(s):
    return s.replace(b"=3D", b"=").replace(b"=2C", b",")
def _scram_xor(s1, s2):
    return bytes(a ^ b for a, b in zip(s1, s2))

class SCRAMState(enum.Enum):
    Uninitialised = 0
    ClientFirst = 1
    ClientFinal = 2
    Success = 3
    VerifyFailed = 4

class SCRAMError(Exception):
    pass

class SCRAM(object):
    def __init__(self, algo, username, password):
        self._algo = algo
        self._username = username.encode("utf8")
        self._password = password.encode("utf8")

        self.state = SCRAMState.Uninitialised
        self._client_first = None
        self._salted_password = None
        self._auth_message = None

    def _get_pieces(self, data: bytes) -> typing.Dict[bytes, bytes]:
        pieces = (piece.split(b"=", 1) for piece in data.split(b","))
        return dict((piece[0], piece[1]) for piece in pieces)

    def _hmac(self, key: bytes, msg: bytes) -> bytes:
        return hmac.digest(key, msg, self._algo)
    def _hash(self, msg: bytes) -> bytes:
        return hashlib.new(self._algo, msg).digest()

    def client_first(self) -> bytes:
        self.state = SCRAMState.ClientFirst
        # start SCRAM handshake
        self._client_first = b"n=%s,r=%s" % (
            _scram_escape(self._username), _scram_nonce())
        return b"n,,%s" % self._client_first

    def server_first(self, data: bytes) -> bytes:
        self.state = SCRAMState.ClientFinal

        pieces = self._get_pieces(data)
        # server-first-message
        nonce = pieces[b"r"]
        salt = base64.b64decode(pieces[b"s"])
        iterations = pieces[b"i"]
        password = self._password

        salted_password = hashlib.pbkdf2_hmac(self._algo, password, salt,
            int(iterations), dklen=None)
        self._salted_password = salted_password

        client_key = self._hmac(salted_password, b"Client Key")
        stored_key = self._hash(client_key)

        channel = base64.b64encode(b"n,,")
        auth_noproof = b"c=%s,r=%s" % (channel, nonce)
        auth_message = b"%s,%s,%s" % (self._client_first, data, auth_noproof)
        self._auth_message = auth_message

        client_signature = self._hmac(stored_key, auth_message)
        client_proof = base64.b64encode(
            _scram_xor(client_key, client_signature))

        return auth_noproof + (b",p=%s" % client_proof)

    def server_final(self, data: bytes) -> bool:
        # server-final-message
        pieces = self._get_pieces(data)
        verifier = pieces[b"v"]

        server_key = self._hmac(self._salted_password, b"Server Key")
        server_signature = self._hmac(server_key, self._auth_message)

        if server_signature != base64.b64decode(verifier):
            self.state = SCRAMState.VerifyFailed
            return False
        else:
            self.state = SCRAMState.Success
            return True
Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`import base64, enum, hashlib, hmac, typing, uuid`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00
			`def _scram_nonce():`
			`return uuid.uuid4().hex.encode("utf8")`
			`def _scram_escape(s):`
			`return s.replace(b"=", b"=3D").replace(b",", b"=2C")`
			`def _scram_unescape(s):`
			`return s.replace(b"=3D", b"=").replace(b"=2C", b",")`
			`def _scram_xor(s1, s2):`
			`return bytes(a ^ b for a, b in zip(s1, s2))`

			`class SCRAMState(enum.Enum):`
			`Uninitialised = 0`
			`ClientFirst = 1`
			`ClientFinal = 2`
			`Success = 3`
			`VerifyFailed = 4`

			`class SCRAMError(Exception):`
			`pass`

			`class SCRAM(object):`
			`def __init__(self, algo, username, password):`
			`self._algo = algo`
			`self._username = username.encode("utf8")`
			`self._password = password.encode("utf8")`

			`self.state = SCRAMState.Uninitialised`
			`self._client_first = None`
			`self._salted_password = None`
			`self._auth_message = None`

Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`def _get_pieces(self, data: bytes) -> typing.Dict[bytes, bytes]:`
Fix mypy linting issue with dict creation (scram.py) 2019-02-06 11:09:45 +00:00			`pieces = (piece.split(b"=", 1) for piece in data.split(b","))`
			`return dict((piece[0], piece[1]) for piece in pieces)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00
Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`def _hmac(self, key: bytes, msg: bytes) -> bytes:`
Split hash and hmac logic out to their own functions (sasl.scram) 2019-02-05 22:53:55 +00:00			`return hmac.digest(key, msg, self._algo)`
Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`def _hash(self, msg: bytes) -> bytes:`
Split hash and hmac logic out to their own functions (sasl.scram) 2019-02-05 22:53:55 +00:00			`return hashlib.new(self._algo, msg).digest()`

Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`def client_first(self) -> bytes:`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`self.state = SCRAMState.ClientFirst`
			`# start SCRAM handshake`
			`self._client_first = b"n=%s,r=%s" % (`
			`_scram_escape(self._username), _scram_nonce())`
			`return b"n,,%s" % self._client_first`

Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`def server_first(self, data: bytes) -> bytes:`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`self.state = SCRAMState.ClientFinal`

Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`pieces = self._get_pieces(data)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`# server-first-message`
			`nonce = pieces[b"r"]`
			`salt = base64.b64decode(pieces[b"s"])`
			`iterations = pieces[b"i"]`
			`password = self._password`

			`salted_password = hashlib.pbkdf2_hmac(self._algo, password, salt,`
			`int(iterations), dklen=None)`
			`self._salted_password = salted_password`

Split hash and hmac logic out to their own functions (sasl.scram) 2019-02-05 22:53:55 +00:00			`client_key = self._hmac(salted_password, b"Client Key")`
			`stored_key = self._hash(client_key)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00
			`channel = base64.b64encode(b"n,,")`
			`auth_noproof = b"c=%s,r=%s" % (channel, nonce)`
			`auth_message = b"%s,%s,%s" % (self._client_first, data, auth_noproof)`
			`self._auth_message = auth_message`

Split hash and hmac logic out to their own functions (sasl.scram) 2019-02-05 22:53:55 +00:00			`client_signature = self._hmac(stored_key, auth_message)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`client_proof = base64.b64encode(`
			`_scram_xor(client_key, client_signature))`

			`return auth_noproof + (b",p=%s" % client_proof)`

"+" as part of a SASL handshake is irc-specific so remove it from scram.py 2019-02-06 11:07:50 +00:00			`def server_final(self, data: bytes) -> bool:`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`# server-final-message`
Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`pieces = self._get_pieces(data)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`verifier = pieces[b"v"]`

Split hash and hmac logic out to their own functions (sasl.scram) 2019-02-05 22:53:55 +00:00			`server_key = self._hmac(self._salted_password, b"Server Key")`
			`server_signature = self._hmac(server_key, self._auth_message)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00
			`if server_signature != base64.b64decode(verifier):`
			`self.state = SCRAMState.VerifyFailed`
"+" as part of a SASL handshake is irc-specific so remove it from scram.py 2019-02-06 11:07:50 +00:00			`return False`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`else:`
			`self.state = SCRAMState.Success`
"+" as part of a SASL handshake is irc-specific so remove it from scram.py 2019-02-06 11:07:50 +00:00			`return True`