SCRAM-SHA-1/256 support

Closes #9

CHANGELOG

@@ -1,5 +1,6 @@
 vNEXT (in development)
 
+ * Added support for SCRAM-SHA-1 and SCRAM-SHA-256 SASL mechanisms
 
 v0.7.0
 

src/main/kotlin/com/dmdirc/ktirc/Dsl.kt

@@ -113,7 +113,7 @@ class ProfileConfig {
 /**
  * Dsl for configuring SASL authentication.
  *
- * By default the `PLAIN` method will be enabled if SASL is configured.
+ * By default the `PLAIN`, `SCRAM-SHA-1`, and `SCRAM-SHA-256` methods will be enabled if SASL is configured.
  *
  * You can modify the mechanisms either by editing the [mechanisms] collection:
  *
@@ -135,7 +135,7 @@ class ProfileConfig {
 @IrcClientDsl
 class SaslConfig {
     /** The SASL mechanisms to enable. */
-    val mechanisms: MutableCollection<String> = mutableSetOf("PLAIN")
+    val mechanisms: MutableCollection<String> = mutableSetOf("PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-256")
     /** The username to provide when authenticating using SASL. */
     var username: String = ""
     /** The username to provide when authenticating using SASL. */

src/main/kotlin/com/dmdirc/ktirc/sasl/PlainMechanism.kt

@@ -2,7 +2,6 @@ package com.dmdirc.ktirc.sasl
 
 import com.dmdirc.ktirc.IrcClient
 import com.dmdirc.ktirc.SaslConfig
-import com.dmdirc.ktirc.messages.sendAuthenticationMessage
 
 internal class PlainMechanism(private val saslConfig: SaslConfig) : SaslMechanism {
 
@@ -11,7 +10,7 @@ internal class PlainMechanism(private val saslConfig: SaslConfig) : SaslMechanis
 
     override fun handleAuthenticationEvent(client: IrcClient, data: ByteArray?) {
         with (saslConfig) {
-            client.sendAuthenticationMessage("$username\u0000$username\u0000$password".toByteArray().toBase64())
+            client.sendAuthenticationData("$username\u0000$username\u0000$password")
         }
     }
 

src/main/kotlin/com/dmdirc/ktirc/sasl/SaslMechanism.kt

@@ -2,6 +2,7 @@ package com.dmdirc.ktirc.sasl
 
 import com.dmdirc.ktirc.IrcClient
 import com.dmdirc.ktirc.SaslConfig
+import com.dmdirc.ktirc.messages.sendAuthenticationMessage
 
 internal interface SaslMechanism {
 
@@ -14,8 +15,18 @@ internal interface SaslMechanism {
 
 internal fun SaslConfig.createSaslMechanism(): List<SaslMechanism> = mechanisms.mapNotNull {
     when (it.toUpperCase()) {
+        "SCRAM-SHA-1" -> ScramMechanism("SHA-1", 10, this)
+        "SCRAM-SHA-256" -> ScramMechanism("SHA-256", 20, this)
         "EXTERNAL" -> ExternalMechanism()
         "PLAIN" -> PlainMechanism(this)
         else -> null
     }
 }
+
+internal fun IrcClient.sendAuthenticationData(data: String) {
+    val lines = data.toByteArray().toBase64().chunked(400)
+    lines.forEach(this::sendAuthenticationMessage)
+    if (lines.last().length == 400) {
+        sendAuthenticationMessage("+")
+    }
+}

src/main/kotlin/com/dmdirc/ktirc/sasl/ScramMechanism.kt

@@ -0,0 +1,183 @@
+package com.dmdirc.ktirc.sasl
+
+import com.dmdirc.ktirc.IrcClient
+import com.dmdirc.ktirc.SaslConfig
+import com.dmdirc.ktirc.messages.sendAuthenticationMessage
+import com.dmdirc.ktirc.util.logger
+import java.security.MessageDigest
+import java.security.SecureRandom
+import javax.crypto.Mac
+import javax.crypto.spec.SecretKeySpec
+import kotlin.experimental.xor
+import kotlin.random.asKotlinRandom
+
+internal class ScramMechanism(private val algorithm: String, override val priority: Int, private val saslConfig: SaslConfig) : SaslMechanism {
+
+    private val log by logger()
+
+    override val ircName = "SCRAM-${algorithm.toUpperCase()}"
+
+    override fun handleAuthenticationEvent(client: IrcClient, data: ByteArray?) {
+        val state = client.scramState
+        try {
+            when (state.scramStage) {
+                ScramStage.SendingFirstMessage -> client.sendFirstMessage(state)
+                ScramStage.SendingSecondMessage -> client.sendSecondMessage(state, data.parse())
+                ScramStage.Finishing -> client.validateAndFinish(state, data.parse())
+            }
+        } catch (ex: ScramException) {
+            client.abortScram(ex.localizedMessage)
+        }
+    }
+
+    private fun IrcClient.sendFirstMessage(state: ScramState) {
+        state.scramStage = ScramStage.SendingSecondMessage
+        sendScramMessage(
+                "n,,", // No channel binding, no impersonation
+                ScramMessageType.AuthName to saslConfig.username.escape(),
+                ScramMessageType.Nonce to state.clientNonce)
+    }
+
+    private fun IrcClient.sendSecondMessage(state: ScramState, data: Map<ScramMessageType, String>) {
+        if (ScramMessageType.FutureExtensions in data)
+            throw ScramException("Unsupported extension received: ${data[ScramMessageType.FutureExtensions]}")
+        if (ScramMessageType.Error in data)
+            throw ScramException("Error received from server: ${data[ScramMessageType.Error]}")
+
+        state.iterCount = data[ScramMessageType.IterationCount]?.toIntOrNull()
+                ?: throw ScramException("No iteration count provided")
+        state.salt = data[ScramMessageType.Salt]?.fromBase64() ?: throw ScramException("No salt provided")
+        state.serverNonce = data[ScramMessageType.Nonce] ?: throw ScramException("No server salt provided")
+
+        state.saltedPassword = pbkdf2(saslConfig.password.toByteArray(), state.salt, state.iterCount)
+        val clientKey = hmac(state.saltedPassword, "Client Key".toByteArray())
+        val storedKey = hash(clientKey)
+        state.authMessage = buildScramMessage(
+                ScramMessageType.AuthName to saslConfig.username.escape(),
+                ScramMessageType.Nonce to state.clientNonce,
+                ScramMessageType.Nonce to state.serverNonce,
+                ScramMessageType.Salt to state.salt.toBase64(),
+                ScramMessageType.IterationCount to state.iterCount.toString(),
+                ScramMessageType.ChannelBinding to "n,,".toByteArray().toBase64(),
+                ScramMessageType.Nonce to state.serverNonce).toByteArray()
+        val clientSignature = hmac(storedKey, state.authMessage)
+        val clientProof = clientKey.xor(clientSignature)
+
+        state.scramStage = ScramStage.Finishing
+        sendScramMessage(
+                "",
+                ScramMessageType.ChannelBinding to "n,,".toByteArray().toBase64(),
+                ScramMessageType.Nonce to state.serverNonce,
+                ScramMessageType.ClientProof to clientProof.toBase64()
+        )
+    }
+
+    private fun IrcClient.validateAndFinish(state: ScramState, data: Map<ScramMessageType, String>) {
+        if (ScramMessageType.FutureExtensions in data)
+            throw ScramException("Unsupported extension received: ${data[ScramMessageType.FutureExtensions]}")
+        if (ScramMessageType.Error in data)
+            throw ScramException("Error received from server: ${data[ScramMessageType.Error]}")
+
+        val serverKey = hmac(state.saltedPassword, "Server Key".toByteArray())
+        val expectedServerSignature = hmac(serverKey, state.authMessage).toBase64()
+        val receivedServerSignature = data[ScramMessageType.ServerVerifier]
+                ?: throw ScramException("No server verifier received")
+
+        if (expectedServerSignature != receivedServerSignature) {
+            throw ScramException("Server signature does not match")
+        }
+        sendAuthenticationMessage("+")
+    }
+
+    private fun IrcClient.abortScram(reason: String) {
+        log.warning { "Aborting SCRAM authentication: $reason" }
+        sendAuthenticationMessage("*")
+    }
+
+    private fun IrcClient.sendScramMessage(prefix: String = "", vararg entries: Pair<ScramMessageType, String>) =
+            sendAuthenticationData("$prefix${buildScramMessage(*entries)}")
+
+    private fun buildScramMessage(vararg entries: Pair<ScramMessageType, String>) = entries.joinToString(",") { (k, v) -> "${k.prefix}=$v" }
+
+    private fun ByteArray?.parse(): Map<ScramMessageType, String> {
+        return if (this == null || this.isEmpty())
+            emptyMap()
+        else
+            String(this).split(',').map {
+                getMessageType(it[0]) to it.substring(2).unescape()
+            }.toMap()
+    }
+
+    private fun String.escape() = replace("=", "=3D").replace(",", "=2C")
+    private fun String.unescape() = replace("=2C", ",").replace("=3D", "=")
+
+    private fun hmac(keyMaterial: ByteArray, input: ByteArray): ByteArray {
+        return with(Mac.getInstance("hmac${algorithm.replace("-", "")}")) {
+            init(SecretKeySpec(keyMaterial, algorithm))
+            doFinal(input)
+        }
+    }
+
+    private fun hash(input: ByteArray): ByteArray {
+        return with(MessageDigest.getInstance(algorithm.replace("-", ""))) {
+            digest(input)
+        }
+    }
+
+    private fun pbkdf2(keyMaterial: ByteArray, initialSalt: ByteArray, iterations: Int): ByteArray {
+        var salt = initialSalt + 0x00 + 0x00 + 0x00 + 0x01
+        var result: ByteArray? = null
+        for (i in 1..iterations) {
+            salt = hmac(keyMaterial, salt)
+            result = result?.xor(salt) ?: salt
+        }
+        return result ?: ByteArray(0)
+    }
+
+    private val IrcClient.scramState: ScramState
+        get() = with(serverState.sasl) {
+            mechanismState = mechanismState as? ScramState ?: com.dmdirc.ktirc.sasl.ScramState()
+            mechanismState as ScramState
+        }
+
+    private fun ByteArray.xor(other: ByteArray): ByteArray = zip(other) { a, b -> a.xor(b) }.toByteArray()
+
+}
+
+private class ScramException(message: String) : RuntimeException(message)
+
+private fun newNonce(): String {
+    val charPool: List<Char> = (' '..'~') - ',' - '='
+    val random = SecureRandom.getInstanceStrong().asKotlinRandom()
+    return (0..31).map { charPool.random(random) }.joinToString("")
+}
+
+internal class ScramState(
+        var scramStage: ScramStage = ScramStage.SendingFirstMessage,
+        val clientNonce: String = newNonce(),
+        var serverNonce: String = "",
+        var iterCount: Int = 1,
+        var salt: ByteArray = ByteArray(0),
+        var saltedPassword: ByteArray = ByteArray(0),
+        var authMessage: ByteArray = ByteArray(0))
+
+internal enum class ScramStage {
+    SendingFirstMessage,
+    SendingSecondMessage,
+    Finishing
+}
+
+internal enum class ScramMessageType(val prefix: Char) {
+    AuthName('n'),
+    FutureExtensions('m'),
+    Nonce('r'),
+    ChannelBinding('c'),
+    Salt('s'),
+    IterationCount('i'),
+    ClientProof('p'),
+    ServerVerifier('v'),
+    Error('e'),
+}
+
+private fun getMessageType(prefix: Char) =
+        ScramMessageType.values().firstOrNull { it.prefix == prefix } ?: ScramMessageType.Error

src/test/kotlin/com/dmdirc/ktirc/DslTest.kt

@@ -137,9 +137,9 @@ internal class SaslConfigTest {
     }
 
     @Test
-    fun `defaults to plain mechanism`() {
+    fun `defaults to plain and scram mechanisms`() {
         val config = SaslConfig()
-        assertEquals(setOf("PLAIN"), config.mechanisms)
+        assertEquals(setOf("PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-256"), config.mechanisms)
     }
 
 }

src/test/kotlin/com/dmdirc/ktirc/sasl/SaslMechanismTest.kt

@@ -1,6 +1,11 @@
 package com.dmdirc.ktirc.sasl
 
+import com.dmdirc.ktirc.IrcClient
 import com.dmdirc.ktirc.SaslConfig
+import com.nhaarman.mockitokotlin2.inOrder
+import com.nhaarman.mockitokotlin2.mock
+import com.nhaarman.mockitokotlin2.times
+import com.nhaarman.mockitokotlin2.verify
 import org.junit.jupiter.api.Assertions.assertEquals
 import org.junit.jupiter.api.Assertions.assertTrue
 import org.junit.jupiter.api.Test
@@ -22,4 +27,31 @@ internal class SaslMechanismTest {
         assertTrue(mechanisms[0] is PlainMechanism)
     }
 
-}
+    @Test
+    fun `base64 encodes authentication data`() {
+        val client = mock<IrcClient>()
+        client.sendAuthenticationData("abcdef")
+        verify(client).send("AUTHENTICATE YWJjZGVm")
+    }
+
+    @Test
+    fun `chunks authentication data into 400 byte lines`() {
+        val client = mock<IrcClient>()
+        client.sendAuthenticationData("abcdef".repeat(120))
+        with (inOrder(client)) {
+            verify(client, times(2)).send("AUTHENTICATE ${"YWJjZGVm".repeat(50)}")
+            verify(client).send("AUTHENTICATE ${"YWJjZGVm".repeat(20)}")
+        }
+    }
+
+    @Test
+    fun `sends blank line if data is exactly 400 bytes`() {
+        val client = mock<IrcClient>()
+        client.sendAuthenticationData("abcdef".repeat(50))
+        with (inOrder(client)) {
+            verify(client).send("AUTHENTICATE ${"YWJjZGVm".repeat(50)}")
+            verify(client).send("AUTHENTICATE +")
+        }
+    }
+
+}

src/test/kotlin/com/dmdirc/ktirc/sasl/ScramMechanismTest.kt

@@ -0,0 +1,230 @@
+package com.dmdirc.ktirc.sasl
+
+import com.dmdirc.ktirc.IrcClient
+import com.dmdirc.ktirc.SaslConfig
+import com.dmdirc.ktirc.model.ServerState
+import com.nhaarman.mockitokotlin2.doReturn
+import com.nhaarman.mockitokotlin2.mock
+import com.nhaarman.mockitokotlin2.verify
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Test
+
+internal class ScramMechanismTest {
+
+    private val serverState = ServerState("", "")
+    private val ircClient = mock<IrcClient> {
+        on { serverState } doReturn serverState
+    }
+
+    @Test
+    fun `sends first message when no state is present`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        mechanism.handleAuthenticationEvent(ircClient, "+".toByteArray())
+
+        val nonce = (serverState.sasl.mechanismState as ScramState).clientNonce
+        verify(ircClient).send("AUTHENTICATE ${"n,,n=user,r=$nonce".toByteArray().toBase64()}")
+    }
+
+    @Test
+    fun `aborts if the server's first message contains extensions`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage)
+
+        mechanism.handleAuthenticationEvent(ircClient, "m=future".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's first message contains an error`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage)
+
+        mechanism.handleAuthenticationEvent(ircClient, "e=whoops".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's first message lacks an iteration count`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage)
+
+        mechanism.handleAuthenticationEvent(ircClient, "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's first message has an invalid iteration count`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage)
+
+        mechanism.handleAuthenticationEvent(ircClient, "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=leet".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's first message lacks a nonce`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage)
+
+        mechanism.handleAuthenticationEvent(ircClient, "rs=QSXCR+Q6sek8bf92,i=4096".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's first message lacks a salt`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage)
+
+        mechanism.handleAuthenticationEvent(ircClient, "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,i=4096".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `updates state after receiving server's first message`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage, clientNonce = "fyko+d2lbbFgONRv9qkxdawL")
+
+        mechanism.handleAuthenticationEvent(ircClient, "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096".toByteArray())
+
+        (serverState.sasl.mechanismState as ScramState).let {
+            assertEquals(ScramStage.Finishing, it.scramStage)
+            assertEquals("fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j", it.serverNonce)
+            assertEquals(4096, it.iterCount)
+            assertEquals("QSXCR+Q6sek8bf92", it.salt.toBase64())
+            assertEquals("HZbuOlKbWl+eR8AfIposuKbhX30=", it.saltedPassword.toBase64())
+            assertEquals("n=user,r=fyko+d2lbbFgONRv9qkxdawL,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j", String(it.authMessage))
+        }
+    }
+
+    @Test
+    fun `responds to server's first message`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.SendingSecondMessage, clientNonce = "fyko+d2lbbFgONRv9qkxdawL")
+
+        mechanism.handleAuthenticationEvent(ircClient, "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE ${"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=".toByteArray().toBase64()}")
+    }
+
+    @Test
+    fun `aborts if the server's final message contains extensions`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.Finishing)
+
+        mechanism.handleAuthenticationEvent(ircClient, "m=future".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's final message contains an error`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(scramStage = ScramStage.Finishing)
+
+        mechanism.handleAuthenticationEvent(ircClient, "e=whoops".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's final message doesn't contain a verifier`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(
+                scramStage = ScramStage.Finishing,
+                saltedPassword = "HZbuOlKbWl+eR8AfIposuKbhX30=".fromBase64(),
+                authMessage = "n=user,r=fyko+d2lbbFgONRv9qkxdawL,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j".toByteArray())
+
+        mechanism.handleAuthenticationEvent(ircClient, "".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `aborts if the server's verifier doesn't match`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(
+                scramStage = ScramStage.Finishing,
+                saltedPassword = "HZbuOlKbWl+eR8AfIposuKbhX30=".fromBase64(),
+                authMessage = "n=user,r=fyko+d2lbbFgONRv9qkxdawL,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j".toByteArray())
+
+        mechanism.handleAuthenticationEvent(ircClient, "v=rmF9pqV8S7suAoZWja4dJRkF=".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `sends final message if server's verifier matches`() {
+        val mechanism = ScramMechanism("SHA-1", 1, SaslConfig().apply {
+            username = "user"
+            password = "pencil"
+        })
+
+        serverState.sasl.mechanismState = ScramState(
+                scramStage = ScramStage.Finishing,
+                saltedPassword = "HZbuOlKbWl+eR8AfIposuKbhX30=".fromBase64(),
+                authMessage = "n=user,r=fyko+d2lbbFgONRv9qkxdawL,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j".toByteArray())
+
+        mechanism.handleAuthenticationEvent(ircClient, "v=rmF9pqV8S7suAoZWja4dJRkFsKQ=".toByteArray())
+
+        verify(ircClient).send("AUTHENTICATE +")
+    }
+
+}