improved challenge sms verification in SmsListener

some carriers prepend or append arbitrary text to sms messages
enroute, SmsListener failed to handle the append case.

Fixes #2919
Closes #3032
// FREEBIE
This commit is contained in:
Rhodey Orbits 2015-04-21 17:36:00 -07:00 committed by Moxie Marlinspike
parent 27a5b7dd5c
commit 790c6980fe
2 changed files with 125 additions and 7 deletions

View File

@ -0,0 +1,113 @@
/**
* Copyright (C) 2015 Open Whisper Systems
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package org.thoughtcrime.securesms.service;
import android.annotation.SuppressLint;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.provider.Telephony;
import android.util.Log;
import org.mockito.ArgumentCaptor;
import org.spongycastle.util.encoders.Hex;
import org.thoughtcrime.securesms.TextSecureTestCase;
import static org.mockito.Matchers.anyBoolean;
import static org.mockito.Matchers.anyInt;
import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.contains;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
public class SmsListenerTest extends TextSecureTestCase {
/*
http://rednaxela.net/pdu.php
'Your TextSecure verification code: 337-337'
'Your TextSecure verification code: 337-1337'
'Your TextSecure verification code: 1337-337'
'Your TextSecure verification code: 1337-1337'
'XXXYour TextSecure verification code: 1337-1337'
'Your TextSecure verification code: 1337-1337XXX'
*/
private static final String CHALLENGE_SMS_3_3 = "07914400000000F001000B811000000000F000002AD9775D0EA296F1F469795C979741F6B23C6D4E8FC3F4F4DB0D1ABFC9651D6836BBB566B31B";
private static final String CHALLENGE_SMS_3_4 = "07914400000000F001000B811000000000F000002BD9775D0EA296F1F469795C979741F6B23C6D4E8FC3F4F4DB0D1ABFC9651D6836BBB562B3D90D";
private static final String CHALLENGE_SMS_4_3 = "07914400000000F001000B811000000000F000002BD9775D0EA296F1F469795C979741F6B23C6D4E8FC3F4F4DB0D1ABFC9651D28369BDD5AB3D90D";
private static final String CHALLENGE_SMS_4_4 = "07914400000000F001000B811000000000F000002CD9775D0EA296F1F469795C979741F6B23C6D4E8FC3F4F4DB0D1ABFC9651D28369BDD5AB1D9EC06";
private static final String CHALLENGE_SMS_4_4_PREPEND = "07914400000000F001000B811000000000F000002F582C36FBAECB41D4329E3E2D8FEBF232C85E96A7CDE971989E7EBB41E337B9AC03C566B35B2B369BDD00";
private static final String CHALLENGE_SMS_4_4_APPEND = "07914400000000F001000B811000000000F000002FD9775D0EA296F1F469795C979741F6B23C6D4E8FC3F4F4DB0D1ABFC9651D28369BDD5AB1D9EC86C56201";
private static final String[] CHALLENGE_SMS = {
CHALLENGE_SMS_3_3, CHALLENGE_SMS_3_4, CHALLENGE_SMS_4_3,
CHALLENGE_SMS_4_4, CHALLENGE_SMS_4_4_PREPEND, CHALLENGE_SMS_4_4_APPEND
};
private static final String CHALLENGE_3_3 = "337337";
private static final String CHALLENGE_3_4 = "3371337";
private static final String CHALLENGE_4_3 = "1337337";
private static final String CHALLENGE_4_4 = "13371337";
private static final String[] CHALLENGES = {
CHALLENGE_3_3, CHALLENGE_3_4, CHALLENGE_4_3,
CHALLENGE_4_4, CHALLENGE_4_4, CHALLENGE_4_4,
};
@SuppressLint("NewApi")
private Intent buildSmsReceivedIntent(String encodedPdu) throws Exception {
final Intent smsIntent = mock(Intent.class);
final Bundle smsExtras = new Bundle();
smsExtras.putSerializable("pdus", new Object[]{Hex.decode(encodedPdu)});
when(smsIntent.getAction()).thenReturn(Telephony.Sms.Intents.SMS_RECEIVED_ACTION);
when(smsIntent.getExtras()).thenReturn(smsExtras);
return smsIntent;
}
public void testReceiveChallenges() throws Exception {
final SmsListener smsListener = new SmsListener();
for (int i = 0; i < CHALLENGES.length; i++) {
final String CHALLENGE = CHALLENGES[i];
final String CHALLENGE_SMS = SmsListenerTest.CHALLENGE_SMS[i];
final Context mockContext = mock(Context.class);
final SharedPreferences mockPreferences = mock(SharedPreferences.class);
final ArgumentCaptor<Intent> intentCaptor = ArgumentCaptor.forClass(Intent.class);
when(mockContext.getPackageName()).thenReturn(getContext().getPackageName());
when(mockContext.getSharedPreferences(anyString(), anyInt())).thenReturn(mockPreferences);
when(mockPreferences.getBoolean(contains("pref_verifying"), anyBoolean())).thenReturn(true);
try {
smsListener.onReceive(mockContext, buildSmsReceivedIntent(CHALLENGE_SMS));
} catch (IllegalStateException e) {
Log.d(getClass().getName(), "some api levels are picky with abortBroadcast()");
}
verify(mockContext, times(1)).sendBroadcast(intentCaptor.capture());
final Intent sendIntent = intentCaptor.getValue();
assertTrue(sendIntent.getAction().equals(RegistrationService.CHALLENGE_EVENT));
assertTrue(sendIntent.getStringExtra(RegistrationService.CHALLENGE_EXTRA).equals(CHALLENGE));
}
}
}

View File

@ -28,17 +28,19 @@ import android.util.Log;
import org.thoughtcrime.securesms.ApplicationContext; import org.thoughtcrime.securesms.ApplicationContext;
import org.thoughtcrime.securesms.jobs.SmsReceiveJob; import org.thoughtcrime.securesms.jobs.SmsReceiveJob;
import org.thoughtcrime.securesms.protocol.WirePrefix; import org.thoughtcrime.securesms.protocol.WirePrefix;
import org.thoughtcrime.securesms.sms.IncomingTextMessage;
import org.thoughtcrime.securesms.util.TextSecurePreferences; import org.thoughtcrime.securesms.util.TextSecurePreferences;
import org.thoughtcrime.securesms.util.Util; import org.thoughtcrime.securesms.util.Util;
import java.util.ArrayList; import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class SmsListener extends BroadcastReceiver { public class SmsListener extends BroadcastReceiver {
private static final String SMS_RECEIVED_ACTION = Telephony.Sms.Intents.SMS_RECEIVED_ACTION; private static final String SMS_RECEIVED_ACTION = Telephony.Sms.Intents.SMS_RECEIVED_ACTION;
private static final String SMS_DELIVERED_ACTION = Telephony.Sms.Intents.SMS_DELIVER_ACTION; private static final String SMS_DELIVERED_ACTION = Telephony.Sms.Intents.SMS_DELIVER_ACTION;
private static final Pattern CHALLENGE_PATTERN = Pattern.compile(".*Your TextSecure verification code: ([0-9]{3,4})-([0-9]{3,4}).*");
private boolean isExemption(SmsMessage message, String messageBody) { private boolean isExemption(SmsMessage message, String messageBody) {
// ignore CLASS0 ("flash") messages // ignore CLASS0 ("flash") messages
@ -128,7 +130,7 @@ public class SmsListener extends BroadcastReceiver {
if (messageBody == null) if (messageBody == null)
return false; return false;
if (messageBody.matches(".*Your TextSecure verification code: [0-9]{3,4}-[0-9]{3,4}") && if (CHALLENGE_PATTERN.matcher(messageBody).matches() &&
TextSecurePreferences.isVerifying(context)) TextSecurePreferences.isVerifying(context))
{ {
return true; return true;
@ -139,10 +141,13 @@ public class SmsListener extends BroadcastReceiver {
private String parseChallenge(Context context, Intent intent) { private String parseChallenge(Context context, Intent intent) {
String messageBody = getSmsMessageBodyFromIntent(intent); String messageBody = getSmsMessageBodyFromIntent(intent);
String[] messageParts = messageBody.split(":"); Matcher challengeMatcher = CHALLENGE_PATTERN.matcher(messageBody);
String[] codeParts = messageParts[1].trim().split("-");
return codeParts[0] + codeParts[1]; if (!challengeMatcher.matches()) {
throw new AssertionError("Expression should match.");
}
return challengeMatcher.group(1) + challengeMatcher.group(2);
} }
@Override @Override