stem_rs/response/

authchallenge.rs

//! AUTHCHALLENGE response parsing.
//!
//! This module parses responses from the `AUTHCHALLENGE` command, which is used
//! during SAFECOOKIE authentication. SAFECOOKIE is the most secure authentication
//! method for local Tor connections, using HMAC-SHA256 challenge-response.
//!
//! # Protocol Overview
//!
//! SAFECOOKIE authentication works as follows:
//!
//! 1. Client sends `AUTHCHALLENGE SAFECOOKIE <client_nonce>`
//! 2. Server responds with `SERVERHASH` and `SERVERNONCE`
//! 3. Client computes `HMAC-SHA256(cookie || client_nonce || server_nonce)`
//! 4. Client sends `AUTHENTICATE <computed_hash>`
//!
//! # Response Format
//!
//! ```text
//! 250 AUTHCHALLENGE SERVERHASH=<64_hex_chars> SERVERNONCE=<64_hex_chars>
//! ```
//!
//! Both values are 32-byte (256-bit) values encoded as 64 hexadecimal characters.
//!
//! # Example
//!
//! ```rust
//! use stem_rs::response::{ControlMessage, AuthChallengeResponse};
//!
//! let response_text = "250 AUTHCHALLENGE \
//!     SERVERHASH=680A73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5 \
//!     SERVERNONCE=F8EA4B1F2C8B40EF1AF68860171605B910E3BBCABADF6FC3DB1FA064F4690E85\r\n";
//! let msg = ControlMessage::from_str(response_text, None, false).unwrap();
//! let response = AuthChallengeResponse::from_message(&msg).unwrap();
//!
//! assert_eq!(response.server_hash.len(), 32);
//! assert_eq!(response.server_nonce.len(), 32);
//! ```
//!
//! # Security Considerations
//!
//! - The server hash proves the server knows the cookie file contents
//! - The server nonce prevents replay attacks
//! - Both values should be used exactly once per authentication attempt
//! - Failed authentication should trigger a new challenge with fresh nonces
//!
//! # See Also
//!
//! - [`crate::auth::authenticate_safecookie`]: High-level SAFECOOKIE authentication
//! - [`crate::response::ProtocolInfoResponse`]: Determines available auth methods
//! - [Tor Control Protocol: AUTHCHALLENGE](https://spec.torproject.org/control-spec/commands.html#authchallenge)

use super::ControlMessage;
use crate::Error;

/// Parsed response from the AUTHCHALLENGE command.
///
/// Contains the server's challenge values needed to complete SAFECOOKIE
/// authentication. These values are used to compute the HMAC-SHA256
/// authentication token.
///
/// # Fields
///
/// - `server_hash`: HMAC proving the server knows the cookie
/// - `server_nonce`: Random value to prevent replay attacks
///
/// # Security
///
/// Both values are cryptographically significant:
///
/// - **server_hash**: Computed as `HMAC-SHA256(cookie, "Tor safe cookie authentication server-to-controller hash" || client_nonce || server_nonce)`
/// - **server_nonce**: 32 random bytes generated by Tor for this challenge
///
/// The client must verify the server_hash before sending its authentication
/// response to prevent man-in-the-middle attacks.
///
/// # Example
///
/// ```rust
/// use stem_rs::response::{ControlMessage, AuthChallengeResponse};
///
/// // Parse a typical AUTHCHALLENGE response
/// let msg = ControlMessage::from_str(
///     "250 AUTHCHALLENGE \
///      SERVERHASH=B16F72DACD4B5ED1531F3FCC04B593D46A1E30267E636EA7C7F8DD7A2B7BAA05 \
///      SERVERNONCE=653574272ABBB49395BD1060D642D653CFB7A2FCE6A4955BCFED819703A9998C\r\n",
///     None,
///     false
/// ).unwrap();
///
/// let response = AuthChallengeResponse::from_message(&msg).unwrap();
///
/// // Both values are 32 bytes (256 bits)
/// assert_eq!(response.server_hash.len(), 32);
/// assert_eq!(response.server_nonce.len(), 32);
///
/// // First bytes match the hex encoding
/// assert_eq!(response.server_hash[0], 0xB1);
/// assert_eq!(response.server_nonce[0], 0x65);
/// ```
#[derive(Debug, Clone)]
pub struct AuthChallengeResponse {
    /// The server's HMAC-SHA256 hash proving knowledge of the cookie.
    ///
    /// This 32-byte value is computed by the server using the cookie file
    /// contents, the client nonce, and the server nonce. The client should
    /// verify this hash before proceeding with authentication.
    ///
    /// # Verification
    ///
    /// To verify, compute:
    /// ```text
    /// HMAC-SHA256(cookie, "Tor safe cookie authentication server-to-controller hash"
    ///             || client_nonce || server_nonce)
    /// ```
    /// and compare with this value using constant-time comparison.
    pub server_hash: Vec<u8>,

    /// The server's random nonce for this authentication attempt.
    ///
    /// This 32-byte random value is generated fresh for each AUTHCHALLENGE
    /// request. It prevents replay attacks by ensuring each authentication
    /// attempt uses unique values.
    ///
    /// # Usage
    ///
    /// Include this nonce when computing the client's authentication hash:
    /// ```text
    /// HMAC-SHA256(cookie, "Tor safe cookie authentication controller-to-server hash"
    ///             || client_nonce || server_nonce)
    /// ```
    pub server_nonce: Vec<u8>,
}

impl AuthChallengeResponse {
    /// Parses an AUTHCHALLENGE response from a control message.
    ///
    /// Extracts the server hash and server nonce from the response, converting
    /// them from hexadecimal strings to raw bytes.
    ///
    /// # Arguments
    ///
    /// * `message` - The control message to parse
    ///
    /// # Errors
    ///
    /// Returns [`Error::Protocol`](crate::Error::Protocol) if:
    /// - The response status is not OK (2xx)
    /// - The response contains multiple lines (should be single-line)
    /// - The response is empty
    /// - The first word is not "AUTHCHALLENGE"
    /// - The SERVERHASH mapping is missing or invalid
    /// - The SERVERNONCE mapping is missing or invalid
    /// - Either value is not exactly 64 hexadecimal characters
    ///
    /// # Example
    ///
    /// ```rust
    /// use stem_rs::response::{ControlMessage, AuthChallengeResponse};
    ///
    /// // Valid response
    /// let msg = ControlMessage::from_str(
    ///     "250 AUTHCHALLENGE \
    ///      SERVERHASH=680A73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5 \
    ///      SERVERNONCE=F8EA4B1F2C8B40EF1AF68860171605B910E3BBCABADF6FC3DB1FA064F4690E85\r\n",
    ///     None,
    ///     false
    /// ).unwrap();
    ///
    /// let response = AuthChallengeResponse::from_message(&msg).unwrap();
    /// assert_eq!(response.server_hash.len(), 32);
    ///
    /// // Invalid: missing SERVERNONCE
    /// let bad_msg = ControlMessage::from_str(
    ///     "250 AUTHCHALLENGE \
    ///      SERVERHASH=680A73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5\r\n",
    ///     None,
    ///     false
    /// ).unwrap();
    ///
    /// assert!(AuthChallengeResponse::from_message(&bad_msg).is_err());
    /// ```
    ///
    /// # Security
    ///
    /// After parsing, the caller should:
    /// 1. Verify the server_hash matches the expected HMAC
    /// 2. Use the server_nonce to compute the client's authentication response
    /// 3. Clear sensitive data from memory after use
    pub fn from_message(message: &ControlMessage) -> Result<Self, Error> {
        if !message.is_ok() {
            return Err(Error::Protocol(format!(
                "AUTHCHALLENGE response didn't have an OK status:\n{}",
                message
            )));
        }

        if message.len() > 1 {
            return Err(Error::Protocol(format!(
                "Received multiline AUTHCHALLENGE response:\n{}",
                message
            )));
        }

        let mut line = message
            .get(0)
            .ok_or_else(|| Error::Protocol("Empty AUTHCHALLENGE response".to_string()))?;

        let first_word = line.pop(false, false)?;
        if first_word != "AUTHCHALLENGE" {
            return Err(Error::Protocol(format!(
                "Message is not an AUTHCHALLENGE response ({})",
                message
            )));
        }

        let server_hash = if line.is_next_mapping(Some("SERVERHASH"), false, false) {
            let (_, value) = line.pop_mapping(false, false)?;
            if !is_hex_digits(&value, 64) {
                return Err(Error::Protocol(format!(
                    "SERVERHASH has an invalid value: {}",
                    value
                )));
            }
            hex_decode(&value)?
        } else {
            return Err(Error::Protocol(format!(
                "Missing SERVERHASH mapping: {}",
                line
            )));
        };

        let server_nonce = if line.is_next_mapping(Some("SERVERNONCE"), false, false) {
            let (_, value) = line.pop_mapping(false, false)?;
            if !is_hex_digits(&value, 64) {
                return Err(Error::Protocol(format!(
                    "SERVERNONCE has an invalid value: {}",
                    value
                )));
            }
            hex_decode(&value)?
        } else {
            return Err(Error::Protocol(format!(
                "Missing SERVERNONCE mapping: {}",
                line
            )));
        };

        Ok(Self {
            server_hash,
            server_nonce,
        })
    }
}

/// Checks if a string contains exactly the expected number of hexadecimal digits.
///
/// # Arguments
///
/// * `s` - The string to check
/// * `expected_len` - The expected length in characters
///
/// # Returns
///
/// `true` if the string has exactly `expected_len` characters and all are
/// valid hexadecimal digits (0-9, a-f, A-F).
fn is_hex_digits(s: &str, expected_len: usize) -> bool {
    s.len() == expected_len && s.chars().all(|c| c.is_ascii_hexdigit())
}

/// Decodes a hexadecimal string into bytes.
///
/// # Arguments
///
/// * `s` - The hexadecimal string to decode (must have even length)
///
/// # Errors
///
/// Returns [`Error::Protocol`](crate::Error::Protocol) if:
/// - The string has odd length
/// - Any character is not a valid hexadecimal digit
fn hex_decode(s: &str) -> Result<Vec<u8>, Error> {
    if !s.len().is_multiple_of(2) {
        return Err(Error::Protocol("invalid hex string length".to_string()));
    }

    (0..s.len())
        .step_by(2)
        .map(|i| {
            u8::from_str_radix(&s[i..i + 2], 16)
                .map_err(|_| Error::Protocol(format!("invalid hex character at position {}", i)))
        })
        .collect()
}

#[cfg(test)]
mod tests {
    use super::*;

    fn create_message(lines: Vec<&str>) -> ControlMessage {
        let parsed: Vec<(String, char, Vec<u8>)> = lines
            .iter()
            .enumerate()
            .map(|(i, line)| {
                let divider = if i == lines.len() - 1 { ' ' } else { '-' };
                ("250".to_string(), divider, line.as_bytes().to_vec())
            })
            .collect();
        let raw = lines.join("\r\n");
        ControlMessage::new(parsed, raw.into_bytes(), None).unwrap()
    }

    #[test]
    fn test_authchallenge_basic() {
        let msg = create_message(vec![
            "AUTHCHALLENGE SERVERHASH=680A73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5 SERVERNONCE=F8EA4B1F2C8B40EF1AF68860171605B910E3BBCABADF6FC3DB1FA064F4690E85",
        ]);
        let response = AuthChallengeResponse::from_message(&msg).unwrap();
        assert_eq!(response.server_hash.len(), 32);
        assert_eq!(response.server_nonce.len(), 32);
    }

    #[test]
    fn test_authchallenge_missing_serverhash() {
        let msg = create_message(vec![
            "AUTHCHALLENGE SERVERNONCE=F8EA4B1F2C8B40EF1AF68860171605B910E3BBCABADF6FC3DB1FA064F4690E85",
        ]);
        assert!(AuthChallengeResponse::from_message(&msg).is_err());
    }

    #[test]
    fn test_authchallenge_missing_servernonce() {
        let msg = create_message(vec![
            "AUTHCHALLENGE SERVERHASH=680A73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5",
        ]);
        assert!(AuthChallengeResponse::from_message(&msg).is_err());
    }

    #[test]
    fn test_authchallenge_invalid_hex() {
        let msg = create_message(vec![
            "AUTHCHALLENGE SERVERHASH=GHIJ73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5 SERVERNONCE=F8EA4B1F2C8B40EF1AF68860171605B910E3BBCABADF6FC3DB1FA064F4690E85",
        ]);
        assert!(AuthChallengeResponse::from_message(&msg).is_err());
    }

    #[test]
    fn test_authchallenge_wrong_length() {
        let msg = create_message(vec![
            "AUTHCHALLENGE SERVERHASH=680A73C9 SERVERNONCE=F8EA4B1F",
        ]);
        assert!(AuthChallengeResponse::from_message(&msg).is_err());
    }

    #[test]
    fn test_authchallenge_not_authchallenge() {
        let msg = create_message(vec![
            "SOMETHING_ELSE SERVERHASH=680A73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5 SERVERNONCE=F8EA4B1F2C8B40EF1AF68860171605B910E3BBCABADF6FC3DB1FA064F4690E85",
        ]);
        assert!(AuthChallengeResponse::from_message(&msg).is_err());
    }

    #[test]
    fn test_hex_decode() {
        assert_eq!(hex_decode("00FFAB").unwrap(), vec![0x00, 0xFF, 0xAB]);
        assert_eq!(hex_decode("").unwrap(), vec![]);
        assert_eq!(hex_decode("abcd").unwrap(), vec![0xAB, 0xCD]);
    }

    #[test]
    fn test_is_hex_digits() {
        assert!(is_hex_digits("0123456789ABCDEF", 16));
        assert!(is_hex_digits("abcdef", 6));
        assert!(!is_hex_digits("ghij", 4));
        assert!(!is_hex_digits("abc", 4));
    }

    #[test]
    fn test_authchallenge_valid_bytes_conversion() {
        let msg = create_message(vec![
            "AUTHCHALLENGE SERVERHASH=B16F72DACD4B5ED1531F3FCC04B593D46A1E30267E636EA7C7F8DD7A2B7BAA05 SERVERNONCE=653574272ABBB49395BD1060D642D653CFB7A2FCE6A4955BCFED819703A9998C",
        ]);
        let response = AuthChallengeResponse::from_message(&msg).unwrap();

        assert_eq!(response.server_hash[0], 0xB1);
        assert_eq!(response.server_hash[1], 0x6F);
        assert_eq!(response.server_hash[2], 0x72);

        assert_eq!(response.server_nonce[0], 0x65);
        assert_eq!(response.server_nonce[1], 0x35);
        assert_eq!(response.server_nonce[2], 0x74);
    }

    #[test]
    fn test_authchallenge_multiline_error() {
        let parsed = vec![
            ("250".to_string(), '-', "AUTHCHALLENGE SERVERHASH=680A73C9836C4F557314EA1C4EDE54C285DB9DC89C83627401AEF9D7D27A95D5".as_bytes().to_vec()),
            ("250".to_string(), ' ', "SERVERNONCE=F8EA4B1F2C8B40EF1AF68860171605B910E3BBCABADF6FC3DB1FA064F4690E85".as_bytes().to_vec()),
        ];
        let msg = ControlMessage::new(parsed, "multiline".into(), None).unwrap();
        assert!(AuthChallengeResponse::from_message(&msg).is_err());
    }

    #[test]
    fn test_authchallenge_lowercase_hex() {
        let msg = create_message(vec![
            "AUTHCHALLENGE SERVERHASH=b16f72dacd4b5ed1531f3fcc04b593d46a1e30267e636ea7c7f8dd7a2b7baa05 SERVERNONCE=653574272abbb49395bd1060d642d653cfb7a2fce6a4955bcfed819703a9998c",
        ]);
        let response = AuthChallengeResponse::from_message(&msg).unwrap();
        assert_eq!(response.server_hash.len(), 32);
        assert_eq!(response.server_nonce.len(), 32);
    }

    #[test]
    fn test_authchallenge_not_ok_status() {
        let parsed = vec![(
            "515".to_string(),
            ' ',
            "Authentication required".as_bytes().to_vec(),
        )];
        let msg = ControlMessage::new(parsed, "515 Authentication required".into(), None).unwrap();
        assert!(AuthChallengeResponse::from_message(&msg).is_err());
    }
}