kiro-ruby-sasl 0.0.4.0

data/lib/sasl/gssapi.rb

@@ -0,0 +1,92 @@
+require 'sasl/socket'
+
+module SASL
+
+  class GssApi < Mechanism
+
+    begin
+      # gssapi (1.1.2) 
+      require 'gssapi'
+      HasGSSAPI = true
+    rescue LoadError
+      # :stopdoc:
+      HasGSSAPI = false
+      # :startdoc:
+    end
+
+    def initialize(*args)
+        raise LoadError.new("You need gssapi gem in order to use this class") if not HasGSSAPI
+        super(*args)
+        preferences.config[:gss_opts] = {} if not preferences.config.include? :gss_opts    
+        preferences.config[:secure_layer] = false if preferences.config[:secure_layer]==nil
+    end
+
+    def start
+        @state = :authneg
+        (@service,@host)=preferences.digest_uri.split("/")
+        @cli = GSSAPI::Simple.new(@host, @service)
+        tok = @cli.init_context(nil, preferences.gss_opts)
+        ['auth', tok ]
+    end
+
+    def receive(message_name, content)
+      case message_name
+      when 'challenge'
+        case @state
+        when :authneg
+            if @cli.init_context(content, preferences.gss_opts)
+                if false #http
+                    @state = :waiting_result
+                else
+                    @state = :ssfcap
+                end
+            else
+                @state = :failure
+            end
+            response = nil  
+        when :ssfcap
+            ssf = @cli.unwrap_message(content)
+            if not ssf.size == 4
+                raise "token too short or long (#{ssf.size}). Should be 4."
+            end
+
+            if not preferences.secure_layer 
+                # No security wanted
+                response = @cli.wrap_message(0)
+            else
+                response = @cli.wrap_message(ssf)
+            end
+            @state = :waiting_result
+        else
+            raise "Invalid state #{@state}. Did you called start method?"
+        end
+        result=['response', response]
+      when 'success'
+         result=super
+         if preferences.secure_layer 
+            securelayer_wrapper = proc {|io| SASL::GssSecureLayer.new(io,@cli) }
+            result=['securelayer_wrapper', securelayer_wrapper]
+         end
+      else
+        result=super
+      end
+      result
+    end
+  end
+
+  class GssSecureLayer < SecureLayer
+    def initialize(io,ctx)
+        super(io)
+        @ctx=ctx
+    end
+
+    def wrap(buf)
+        @ctx.wrap_message(buf)
+    end
+   
+    def unwrap(buf)
+        @ctx.unwrap_message(buf)
+    end
+  end
+end
+

data/lib/sasl/gssspnego.rb

@@ -0,0 +1,38 @@
+module SASL
+
+  class GssSpnego < Mechanism
+
+    begin
+      # rubyntlm (0.3.3)
+      require 'net/ntlm'
+      HasNTLM = true
+    rescue LoadError
+      # :stopdoc:
+      HasNTLM = false
+      # :startdoc:
+    end
+
+    def initialize(*args)
+        raise LoadError.new("You need rubyntlm gem in order to use this class") if not HasNTLM
+        super(*args)
+    end
+
+    def start
+      @state = nil
+      ['auth', Net::NTLM::Message::Type1.new.serialize]
+    end
+
+    def receive(message_name, content)
+      if message_name == 'challenge'
+        t2_msg = Net::NTLM::Message.parse(content)
+        t3_msg = t2_msg.response({ :user => preferences.username, :password => preferences.password},
+                                 { :ntlmv2 => true })
+        p message_name
+        ['response', t3_msg.serialize]
+      else
+        super
+      end
+    end
+  end
+end
+

data/lib/sasl/plain.rb

@@ -0,0 +1,14 @@
+module SASL
+  ##
+  # RFC 4616:
+  # http://tools.ietf.org/html/rfc4616
+  class Plain < Mechanism
+    def start
+      @state = nil
+      message = [preferences.authzid.to_s,
+                 preferences.username,
+                 preferences.password].join("\000")
+      ['auth', message]
+    end
+  end
+end

data/lib/sasl/socket.rb

@@ -0,0 +1,88 @@
+module SASL
+    
+    class SecureLayer
+        attr_reader :io
+
+        def initialize(io)
+            @io=io
+        end
+
+        def write(buf)
+            wbuf = wrap(buf)
+            @io.syswrite([wbuf.size].pack("N"))
+            @io.syswrite(wbuf)
+        end
+    
+        def read
+            bsize=@io.sysread(4)
+            raise "SASL Buffer size is nil!" if bsize==nil
+            size=bsize.unpack("N")
+            buf=@io.sysread(size.first)
+            unwrap(buf)
+        end
+
+        def wrap(buf)
+            raise AbstractMethod
+        end
+
+        def unwrap(buf)
+            raise AbstractMethod
+        end
+
+        def close
+            @io.close
+        end
+    end
+
+    module Buffering
+        begin
+          require 'openssl'
+          HasOpenSSL = true
+        rescue LoadError
+          # :stopdoc:
+          HasOpenSSL = false
+          # :startdoc:
+        end
+
+        # When an object is extended
+        def self.extended(base)
+            class << base
+                Buffering.included(self)
+            end
+            base.initialize_buffering
+        end
+      
+        # When a class is extended
+        def self.included(base)
+            raise LoadError.new("SASL::Buffering depends on OpenSSL::Buffering") if not HasOpenSSL
+            base.class_eval do
+                alias_method :nonbuf_read,  :read
+                alias_method :nonbuf_write, :write
+                alias_method :nonbuf_close, :close
+
+                # OpenSSL::Buffering replaces initialize. I should save it
+                alias_method :orig_initialize, :initialize
+                include OpenSSL::Buffering
+                alias_method :initialize_buffering, :initialize
+                public :initialize_buffering
+                
+                def initialize(*args)
+                    orig_initialize(*args)
+                    initialize_buffering
+                end
+            end
+        end
+
+        def sysread(size)
+            nonbuf_read   
+        end
+
+        def syswrite(buf)
+            nonbuf_write(buf)
+        end
+
+        def sysclose
+            nonbuf_close
+        end
+    end
+end

data/lib/sasl.rb

@@ -0,0 +1,5 @@
+SASL_PATH = File.dirname(__FILE__) + "/sasl"
+require 'sasl/base'
+Dir.foreach(SASL_PATH) do |f|
+  require "#{SASL_PATH}/#{f}" if f =~ /^[^\.].+\.rb$/ && f != 'base.rb'
+end

data/spec/anonymous_spec.rb

@@ -0,0 +1,19 @@
+require 'sasl'
+require 'rspec'
+
+describe SASL::Anonymous do
+  class MyAnonymousPreferences < SASL::Preferences
+    def username
+      'bob'
+    end
+  end
+  preferences = MyAnonymousPreferences.new({})
+
+  it 'should authenticate anonymously' do
+    sasl = SASL::Anonymous.new('ANONYMOUS', preferences)
+    sasl.start.should == ['auth', 'bob']
+    sasl.success?.should == false
+    sasl.receive('success', nil).should == nil
+    sasl.success?.should == true
+  end
+end

data/spec/digest_md5_spec.rb

@@ -0,0 +1,244 @@
+require 'sasl'
+require 'rspec'
+
+describe SASL::DigestMD5 do
+  # Preferences from http://tools.ietf.org/html/rfc2831#section-4
+  class MyDigestMD5Preferences < SASL::Preferences
+    attr_writer :serv_type
+    def realm
+      'elwood.innosoft.com'
+    end
+    def digest_uri
+      "#{@serv_type}/elwood.innosoft.com"
+    end
+    def username
+      'chris'
+    end
+    def has_password?
+      true
+    end
+    def password
+      'secret'
+    end
+  end
+  preferences = MyDigestMD5Preferences.new({})
+
+  it 'should authenticate (1)' do
+    preferences.serv_type = 'imap'
+    sasl = SASL::DigestMD5.new('DIGEST-MD5', preferences)
+    sasl.start.should == ['auth', nil]
+    sasl.cnonce = 'OA6MHXh6VqTrRk'
+    response = sasl.receive('challenge',
+                            'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
+                             algorithm=md5-sess,charset=utf-8')
+    response[0].should == 'response'
+    response[1].should =~ /charset="?utf-8"?/
+    response[1].should =~ /username="?chris"?/
+    response[1].should =~ /realm="?elwood.innosoft.com"?/
+    response[1].should =~ /nonce="?OA6MG9tEQGm2hh"?/
+    response[1].should =~ /nc="?00000001"?/
+    response[1].should =~ /cnonce="?OA6MHXh6VqTrRk"?/
+    response[1].should =~ /digest-uri="?imap\/elwood.innosoft.com"?/
+    response[1].should =~ /response=d388dad90d4bbd760a152321f2143af7"?/
+    response[1].should =~ /"?qop="?auth"?/
+
+    sasl.receive('challenge',
+                 'rspauth=ea40f60335c427b5527b84dbabcdfffd').should ==
+      ['response', nil]
+    sasl.receive('success', nil).should == nil
+    sasl.success?.should == true
+  end
+
+  it 'should authenticate (2)' do
+    preferences.serv_type = 'acap'
+    sasl = SASL::DigestMD5.new('DIGEST-MD5', preferences)
+    sasl.start.should == ['auth', nil]
+    sasl.cnonce = 'OA9BSuZWMSpW8m'
+    response = sasl.receive('challenge',
+                            'realm="elwood.innosoft.com",nonce="OA9BSXrbuRhWay",qop="auth",
+                             algorithm=md5-sess,charset=utf-8')
+    response[0].should == 'response'
+    response[1].should =~ /charset="?utf-8"?/
+    response[1].should =~ /username="?chris"?/
+    response[1].should =~ /realm="?elwood.innosoft.com"?/
+    response[1].should =~ /nonce="?OA9BSXrbuRhWay"?/
+    response[1].should =~ /nc="?00000001"?/
+    response[1].should =~ /cnonce="?OA9BSuZWMSpW8m"?/
+    response[1].should =~ /digest-uri="?acap\/elwood.innosoft.com"?/
+    response[1].should =~ /response=6084c6db3fede7352c551284490fd0fc"?/
+    response[1].should =~ /"?qop="?auth"?/
+
+    sasl.receive('challenge',
+                 'rspauth=2f0b3d7c3c2e486600ef710726aa2eae').should ==
+      ['response', nil]
+    sasl.receive('success', nil).should == nil
+    sasl.success?.should == true
+  end
+
+  it 'should reauthenticate' do
+    preferences.serv_type = 'imap'
+    sasl = SASL::DigestMD5.new('DIGEST-MD5', preferences)
+    sasl.start.should == ['auth', nil]
+    sasl.cnonce = 'OA6MHXh6VqTrRk'
+    sasl.receive('challenge',
+                 'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
+                  algorithm=md5-sess,charset=utf-8')
+    # reauth:
+    response = sasl.start
+    response[0].should == 'response'
+    response[1].should =~ /charset="?utf-8"?/
+    response[1].should =~ /username="?chris"?/
+    response[1].should =~ /realm="?elwood.innosoft.com"?/
+    response[1].should =~ /nonce="?OA6MG9tEQGm2hh"?/
+    response[1].should =~ /nc="?00000002"?/
+    response[1].should =~ /cnonce="?OA6MHXh6VqTrRk"?/
+    response[1].should =~ /digest-uri="?imap\/elwood.innosoft.com"?/
+    response[1].should =~ /response=b0b5d72a400655b8306e434566b10efb"?/ # my own result
+    response[1].should =~ /"?qop="?auth"?/
+  end
+
+  it 'should fail' do
+    sasl = SASL::DigestMD5.new('DIGEST-MD5', preferences)
+    sasl.start.should == ['auth', nil]
+    sasl.receive('failure', 'EPIC FAIL')
+    sasl.failure?.should == true
+    sasl.success?.should == false
+  end
+end
+
+describe SASL::DigestMD5SecureLayer do
+  HA1="1234567890ABCDEF" if not defined? HA1
+  MSG="plaintext" if not defined? MSG
+
+  it 'DigestMD5SecureLayer.kic should generate correct KIC' do
+    result   = SASL::DigestMD5SecureLayer.kic(HA1)
+    expected = "\xC6 6/\xFD\xD5\x0F\xF6E7=\x82Y\x16\r\x03"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+
+  it 'DigestMD5SecureLayer.kcc should generate correct KIS' do
+    result   = SASL::DigestMD5SecureLayer.kis(HA1)
+    expected = "\x10\xBED)v\x1E#I\xA5\xF8RR\xF4\x80\t_"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+
+  it 'DigestMD5SecureLayer.kcc should generate correct KCC (n=16)' do
+    result   = SASL::DigestMD5SecureLayer.kcc(HA1,16)
+    expected = "a\xA2\xF5\x9C\xD2g\x85\xF3\eOZ\x10^\xF9\x97v"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+
+  it 'DigestMD5SecureLayer.kcc should generate correct KCC (n=7)' do
+    result   = SASL::DigestMD5SecureLayer.kcc(HA1,7)
+    expected = "E{\xC1\xE4\x14W\x12\xE4\x88d=\xA5\xFCY5M"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+
+  it 'DigestMD5SecureLayer.kcc should generate correct KCC (n=5)' do
+    result   = SASL::DigestMD5SecureLayer.kcc(HA1,5)
+    expected = "\xD3\xBCK\x86\xF4\xC1\xEF\xA9\xAE\xCC\xB9K\xA4KJ\x99"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+
+  it 'DigestMD5SecureLayer.kcs should generate correct KCS (n=5)' do
+    result   = SASL::DigestMD5SecureLayer.kcs(HA1,16)
+    expected = "\x18g\xDA\xD2\x99\xC41\xD3\x11\x0E\x8B\xA2\xAC&\x82\xA3"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+
+  ###################
+  # Integrity tests
+  ###################
+  function="DigestMD5SecureLayer.wrap (integrity mode, client)"
+  io=StringIO.new("", "w")
+  dg=SASL::DigestMD5SecureLayer.new(io, HA1, false, nil, false)
+  dg.write(MSG)
+  buf=io.string
+
+  # Client mode (write)
+  it 'should generate correct bufsize' do
+    result   = buf[0,4]
+    expected = "\x00\x00\x00\x19" 
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+  # I should tested this twice to see if it increments
+  it 'should generate correct seq number' do
+    result   = buf[-4,4]
+    expected = "\x00\x00\x00\x00" 
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+  it 'should generate one number' do
+    result   = buf[-6,2]
+    expected = "\x00\x01"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+  it 'should generate correct MAC field ' do
+    result   = buf[-16,10]
+    expected = "b\xD6\xD1#\xCF\xCE7\x97\x1D\xD4"
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+  it 'should preserve original msg content' do
+    result   = buf[4,9]
+    expected = MSG
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+
+  # Server mode (read)
+  it 'should return only the original msg content' do
+    io=StringIO.new(buf, "r")
+    dg=SASL::DigestMD5SecureLayer.new(io, HA1, false, nil, true)
+    result = dg.read
+    expected = MSG 
+    expected.bytes.to_a.should == result.bytes.to_a
+  end
+  it 'should raise exception when msgsize is changed' do
+     buf_def=buf.clone
+     buf_def[4]="\x18"
+     io=StringIO.new(buf_def, "r")
+     dg=SASL::DigestMD5SecureLayer.new(io, HA1, false, nil, true)
+     expect { dg.read }.to raise_error SASL::DigestMD5SecureLayer::DigestMD5SecureLayerError
+  end
+  it 'should raise exception when one field is missing' do
+     buf_def=buf.clone
+     buf_def[-5]="\x02"
+     io=StringIO.new(buf_def, "r")
+     dg=SASL::DigestMD5SecureLayer.new(io, HA1, false, nil, true)
+     expect { dg.read }.to raise_error SASL::DigestMD5SecureLayer::DigestMD5SecureLayerError
+  end
+  it 'should raise exception when MAC is changed' do
+     buf_def=buf.clone
+     buf_def[-16]="\x0F"
+     io=StringIO.new(buf_def, "r")
+     dg=SASL::DigestMD5SecureLayer.new(io, HA1, false, nil, true)
+     expect { dg.read }.to raise_error SASL::DigestMD5SecureLayer::DigestMD5SecureLayerError
+  end
+  it 'should raise exception when msg content is changed' do
+     buf_def=buf.clone
+     buf_def[4]="P"
+     io=StringIO.new(buf_def, "r")
+     dg=SASL::DigestMD5SecureLayer.new(io, HA1, false, nil, true)
+     expect { dg.read }.to raise_error SASL::DigestMD5SecureLayer::DigestMD5SecureLayerError
+  end
+
+  ###########################
+  # Confidentiality tests
+  ###########################
+  ["rc4","rc4-40","rc4-56","des","3des"].each do
+    |cipher|
+     it "should encrypt and decrypt messages with #{cipher} cipher" do
+       # client
+       io=StringIO.new("", "w")
+       dg=SASL::DigestMD5SecureLayer.new(io, HA1, true, cipher, false)
+       dg.write(MSG)
+       buf=io.string
+
+       # server
+       io=StringIO.new(buf, "r")
+       dg=SASL::DigestMD5SecureLayer.new(io, HA1, true, cipher, true)
+       result = dg.read
+       expected = MSG 
+       expected.bytes.to_a.should == result.bytes.to_a
+     end
+  end
+
+end

data/spec/mechanism_spec.rb

@@ -0,0 +1,65 @@
+require 'sasl'
+require 'rspec'
+
+describe SASL do
+  it 'should know DIGEST-MD5' do
+    sasl = SASL.new_mechanism('DIGEST-MD5', SASL::Preferences.new({}))
+    sasl.should be_an_instance_of SASL::DigestMD5
+  end
+  it 'should know PLAIN' do
+    sasl = SASL.new_mechanism('PLAIN', SASL::Preferences.new({}))
+    sasl.should be_an_instance_of SASL::Plain
+  end
+  it 'should know ANONYMOUS' do
+    sasl = SASL.new_mechanism('ANONYMOUS', SASL::Preferences.new({}))
+    sasl.should be_an_instance_of SASL::Anonymous
+  end
+  it 'should know GSSAPI' do
+    sasl = SASL.new_mechanism('GSSAPI', SASL::Preferences.new({}))
+    sasl.should be_an_instance_of SASL::GssApi
+  end
+  it 'should know GSS-SPNEGO' do
+    sasl = SASL.new_mechanism('GSS-SPNEGO', SASL::Preferences.new({}))
+    sasl.should be_an_instance_of SASL::GssSpnego
+  end
+
+  it 'should choose ANONYMOUS' do
+    preferences = SASL::Preferences.new({})
+    class << preferences
+      def want_anonymous?
+        true
+      end
+    end
+    SASL.new(%w(PLAIN DIGEST-MD5 ANONYMOUS), preferences).should be_an_instance_of SASL::Anonymous
+  end
+  it 'should choose DIGEST-MD5' do
+    preferences = SASL::Preferences.new({})
+    class << preferences
+      def has_password?
+        true
+      end
+    end
+    SASL.new(%w(PLAIN DIGEST-MD5 ANONYMOUS), preferences).should be_an_instance_of SASL::DigestMD5
+  end
+  it 'should choose PLAIN' do
+    preferences = SASL::Preferences.new({})
+    class << preferences
+      def has_password?
+        true
+      end
+      def allow_plaintext?
+        true
+      end
+    end
+    SASL.new(%w(PLAIN ANONYMOUS), preferences).should be_an_instance_of SASL::Plain
+  end
+  it 'should disallow PLAIN by default' do
+    preferences = SASL::Preferences.new({})
+    class << preferences
+      def has_password?
+        true
+      end
+    end
+    lambda { SASL.new(%w(PLAIN ANONYMOUS), preferences) }.should raise_error(SASL::UnknownMechanism)
+  end
+end

data/spec/plain_spec.rb

@@ -0,0 +1,39 @@
+require 'sasl'
+require 'rspec'
+
+describe SASL::Plain do
+  class MyPlainPreferences < SASL::Preferences
+    def authzid
+      'bob@example.com'
+    end
+    def username
+      'bob'
+    end
+    def has_password?
+      true
+    end
+    def password
+      's3cr3t'
+    end
+  end
+  preferences = MyPlainPreferences.new({})
+
+  it 'should authenticate' do
+    sasl = SASL::Plain.new('PLAIN', preferences)
+    sasl.start.should == ['auth', "bob@example.com\000bob\000s3cr3t"]
+    sasl.success?.should == false
+    sasl.receive('success', nil).should == nil
+    sasl.failure?.should == false
+    sasl.success?.should == true
+  end
+
+  it 'should recognize failure' do
+    sasl = SASL::Plain.new('PLAIN', preferences)
+    sasl.start.should == ['auth', "bob@example.com\000bob\000s3cr3t"]
+    sasl.success?.should == false
+    sasl.failure?.should == false
+    sasl.receive('failure', 'keep-idiots-out').should == nil
+    sasl.failure?.should == true
+    sasl.success?.should == false
+  end
+end

data/spec/socket_spec.rb

@@ -0,0 +1,49 @@
+require "sasl"
+require 'socket'
+require 'rspec'
+
+describe SASL::SecureLayer do
+
+  class PlainSecureLayer < SASL::SecureLayer
+    def wrap(buf)
+      buf
+    end
+    def unwrap(buf)
+      buf
+    end
+  end
+
+  MSG="plaintext" if not defined? MSG
+  io=StringIO.new("","w")
+  sl=PlainSecureLayer.new(io)
+  sl.write(MSG)
+  buf=io.string
+
+  it 'should send msg with correct size' do
+    buf[0,4].unpack("N").first.should == MSG.size
+  end
+  it 'should send msg with the correct content' do
+    msg=buf[4..-1]
+    msg.bytes.to_a.should == MSG.bytes.to_a
+  end
+
+  it 'should recv msg with the correct content' do
+    io=StringIO.new(buf,"r")
+    sl=PlainSecureLayer.new(io)
+    msg=sl.read
+    msg.bytes.to_a.should == MSG.bytes.to_a
+  end
+
+  class PlainSecureLayerBuffered < PlainSecureLayer
+    include SASL::Buffering
+  end
+
+  it 'should recv msg with the correct content, even when buffering' do
+    io=StringIO.new(buf,"r")
+    sl=PlainSecureLayerBuffered.new(io)
+    MSG.each_char {|chr|
+      sl.getc.ord.should == chr.ord
+    }
+  end
+
+end