diff options
Diffstat (limited to '')
-rw-r--r-- | src/auth/mech-scram.c | 550 |
1 files changed, 550 insertions, 0 deletions
diff --git a/src/auth/mech-scram.c b/src/auth/mech-scram.c new file mode 100644 index 0000000..a90d0d1 --- /dev/null +++ b/src/auth/mech-scram.c @@ -0,0 +1,550 @@ +/* + * SCRAM-SHA-1 SASL authentication, see RFC-5802 + * + * Copyright (c) 2011-2016 Florian Zeitz <florob@babelmonkeys.de> + * + * This software is released under the MIT license. + */ + +#include <limits.h> + +#include "auth-common.h" +#include "base64.h" +#include "buffer.h" +#include "hmac.h" +#include "sha1.h" +#include "sha2.h" +#include "randgen.h" +#include "safe-memset.h" +#include "str.h" +#include "strfuncs.h" +#include "strnum.h" +#include "password-scheme.h" +#include "mech.h" +#include "mech-scram.h" + +/* s-nonce length */ +#define SCRAM_SERVER_NONCE_LEN 64 + +struct scram_auth_request { + struct auth_request auth_request; + + pool_t pool; + + const struct hash_method *hash_method; + const char *password_scheme; + + /* sent: */ + const char *server_first_message; + const char *snonce; + + /* received: */ + const char *gs2_header; + const char *cnonce; + const char *client_first_message_bare; + const char *client_final_message_without_proof; + buffer_t *proof; + + /* stored */ + unsigned char *stored_key; + unsigned char *server_key; +}; + +static const char * +get_scram_server_first(struct scram_auth_request *request, + int iter, const char *salt) +{ + unsigned char snonce[SCRAM_SERVER_NONCE_LEN+1]; + string_t *str; + size_t i; + + /* RFC 5802, Section 7: + + server-first-message = + [reserved-mext ","] nonce "," salt "," + iteration-count ["," extensions] + + nonce = "r=" c-nonce [s-nonce] + + salt = "s=" base64 + + iteration-count = "i=" posit-number + ;; A positive number. + */ + + random_fill(snonce, sizeof(snonce)-1); + + /* make sure snonce is printable and does not contain ',' */ + for (i = 0; i < sizeof(snonce)-1; i++) { + snonce[i] = (snonce[i] % ('~' - '!')) + '!'; + if (snonce[i] == ',') + snonce[i] = '~'; + } + snonce[sizeof(snonce)-1] = '\0'; + request->snonce = p_strndup(request->pool, snonce, sizeof(snonce)); + + str = t_str_new(32 + strlen(request->cnonce) + sizeof(snonce) + + strlen(salt)); + str_printfa(str, "r=%s%s,s=%s,i=%d", request->cnonce, request->snonce, + salt, iter); + return str_c(str); +} + +static const char *get_scram_server_final(struct scram_auth_request *request) +{ + const struct hash_method *hmethod = request->hash_method; + struct hmac_context ctx; + const char *auth_message; + unsigned char server_signature[hmethod->digest_size]; + string_t *str; + + /* RFC 5802, Section 3: + + AuthMessage := client-first-message-bare + "," + + server-first-message + "," + + client-final-message-without-proof + ServerSignature := HMAC(ServerKey, AuthMessage) + */ + auth_message = t_strconcat(request->client_first_message_bare, ",", + request->server_first_message, ",", + request->client_final_message_without_proof, NULL); + + hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod); + hmac_update(&ctx, auth_message, strlen(auth_message)); + hmac_final(&ctx, server_signature); + + /* RFC 5802, Section 7: + + server-final-message = (server-error / verifier) + ["," extensions] + + verifier = "v=" base64 + ;; base-64 encoded ServerSignature. + + */ + str = t_str_new(2 + MAX_BASE64_ENCODED_SIZE(sizeof(server_signature))); + str_append(str, "v="); + base64_encode(server_signature, sizeof(server_signature), str); + + return str_c(str); +} + +static const char *scram_unescape_username(const char *in) +{ + string_t *out; + + /* RFC 5802, Section 5.1: + + The characters ',' or '=' in usernames are sent as '=2C' and '=3D' + respectively. If the server receives a username that contains '=' + not followed by either '2C' or '3D', then the server MUST fail the + authentication. + */ + + out = t_str_new(64); + for (; *in != '\0'; in++) { + i_assert(in[0] != ','); /* strsplit should have caught this */ + + if (in[0] == '=') { + if (in[1] == '2' && in[2] == 'C') + str_append_c(out, ','); + else if (in[1] == '3' && in[2] == 'D') + str_append_c(out, '='); + else + return NULL; + in += 2; + } else { + str_append_c(out, *in); + } + } + return str_c(out); +} + +static bool +parse_scram_client_first(struct scram_auth_request *request, + const unsigned char *data, size_t size, + const char **error_r) +{ + const char *login_username = NULL; + const char *data_cstr, *p; + const char *gs2_header, *gs2_cbind_flag, *authzid; + const char *cfm_bare, *username, *nonce; + const char *const *fields; + + data_cstr = gs2_header = t_strndup(data, size); + + /* RFC 5802, Section 7: + + client-first-message = gs2-header client-first-message-bare + gs2-header = gs2-cbind-flag "," [ authzid ] "," + + client-first-message-bare = [reserved-mext ","] + username "," nonce ["," extensions] + + extensions = attr-val *("," attr-val) + ;; All extensions are optional, + ;; i.e., unrecognized attributes + ;; not defined in this document + ;; MUST be ignored. + attr-val = ALPHA "=" value + */ + p = strchr(data_cstr, ','); + if (p == NULL) { + *error_r = "Invalid initial client message: " + "Missing first ',' in GS2 header"; + return FALSE; + } + gs2_cbind_flag = t_strdup_until(data_cstr, p); + data_cstr = p + 1; + + p = strchr(data_cstr, ','); + if (p == NULL) { + *error_r = "Invalid initial client message: " + "Missing second ',' in GS2 header"; + return FALSE; + } + authzid = t_strdup_until(data_cstr, p); + gs2_header = t_strdup_until(gs2_header, p + 1); + cfm_bare = p + 1; + + fields = t_strsplit(cfm_bare, ","); + if (str_array_length(fields) < 2) { + *error_r = "Invalid initial client message: " + "Missing nonce field"; + return FALSE; + } + username = fields[0]; + nonce = fields[1]; + + /* gs2-cbind-flag = ("p=" cb-name) / "n" / "y" + */ + switch (gs2_cbind_flag[0]) { + case 'p': + *error_r = "Channel binding not supported"; + return FALSE; + case 'y': + case 'n': + break; + default: + *error_r = "Invalid GS2 header"; + return FALSE; + } + + /* authzid = "a=" saslname + ;; Protocol specific. + */ + if (authzid[0] == '\0') + ; + else if (authzid[0] == 'a' && authzid[1] == '=') { + /* Unescape authzid */ + login_username = scram_unescape_username(authzid + 2); + + if (login_username == NULL) { + *error_r = "authzid escaping is invalid"; + return FALSE; + } + } else { + *error_r = "Invalid authzid field"; + return FALSE; + } + + /* reserved-mext = "m=" 1*(value-char) + */ + if (username[0] == 'm') { + *error_r = "Mandatory extension(s) not supported"; + return FALSE; + } + /* username = "n=" saslname + */ + if (username[0] == 'n' && username[1] == '=') { + /* Unescape username */ + username = scram_unescape_username(username + 2); + if (username == NULL) { + *error_r = "Username escaping is invalid"; + return FALSE; + } + if (!auth_request_set_username(&request->auth_request, + username, error_r)) + return FALSE; + } else { + *error_r = "Invalid username field"; + return FALSE; + } + if (login_username != NULL) { + if (!auth_request_set_login_username(&request->auth_request, + login_username, error_r)) + return FALSE; + } + + /* nonce = "r=" c-nonce [s-nonce] */ + if (nonce[0] == 'r' && nonce[1] == '=') + request->cnonce = p_strdup(request->pool, nonce+2); + else { + *error_r = "Invalid client nonce"; + return FALSE; + } + + request->gs2_header = p_strdup(request->pool, gs2_header); + request->client_first_message_bare = p_strdup(request->pool, cfm_bare); + return TRUE; +} + +static bool verify_credentials(struct scram_auth_request *request) +{ + const struct hash_method *hmethod = request->hash_method; + struct hmac_context ctx; + const char *auth_message; + unsigned char client_key[hmethod->digest_size]; + unsigned char client_signature[hmethod->digest_size]; + unsigned char stored_key[hmethod->digest_size]; + size_t i; + + /* RFC 5802, Section 3: + + AuthMessage := client-first-message-bare + "," + + server-first-message + "," + + client-final-message-without-proof + ClientSignature := HMAC(StoredKey, AuthMessage) + */ + auth_message = t_strconcat(request->client_first_message_bare, ",", + request->server_first_message, ",", + request->client_final_message_without_proof, NULL); + + hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod); + hmac_update(&ctx, auth_message, strlen(auth_message)); + hmac_final(&ctx, client_signature); + + /* ClientProof := ClientKey XOR ClientSignature */ + const unsigned char *proof_data = request->proof->data; + for (i = 0; i < sizeof(client_signature); i++) + client_key[i] = proof_data[i] ^ client_signature[i]; + + /* StoredKey := H(ClientKey) */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), + stored_key); + + safe_memset(client_key, 0, sizeof(client_key)); + safe_memset(client_signature, 0, sizeof(client_signature)); + + return mem_equals_timing_safe(stored_key, request->stored_key, + sizeof(stored_key)); +} + +static void +credentials_callback(enum passdb_result result, + const unsigned char *credentials, size_t size, + struct auth_request *auth_request) +{ + struct scram_auth_request *request = + (struct scram_auth_request *)auth_request; + const char *salt, *error; + unsigned int iter_count; + + switch (result) { + case PASSDB_RESULT_OK: + if (scram_scheme_parse(request->hash_method, + request->password_scheme, + credentials, size, &iter_count, &salt, + request->stored_key, request->server_key, + &error) < 0) { + e_info(auth_request->mech_event, + "%s", error); + auth_request_fail(auth_request); + break; + } + + request->server_first_message = p_strdup(request->pool, + get_scram_server_first(request, iter_count, salt)); + + auth_request_handler_reply_continue(auth_request, + request->server_first_message, + strlen(request->server_first_message)); + break; + case PASSDB_RESULT_INTERNAL_FAILURE: + auth_request_internal_failure(auth_request); + break; + default: + auth_request_fail(auth_request); + break; + } +} + +static bool +parse_scram_client_final(struct scram_auth_request *request, + const unsigned char *data, size_t size, + const char **error_r) +{ + const struct hash_method *hmethod = request->hash_method; + const char **fields, *cbind_input, *nonce_str; + unsigned int field_count; + string_t *str; + + /* RFC 5802, Section 7: + + client-final-message-without-proof = + channel-binding "," nonce ["," + extensions] + client-final-message = + client-final-message-without-proof "," proof + */ + fields = t_strsplit(t_strndup(data, size), ","); + field_count = str_array_length(fields); + if (field_count < 3) { + *error_r = "Invalid final client message"; + return FALSE; + } + + /* channel-binding = "c=" base64 + ;; base64 encoding of cbind-input. + + cbind-data = 1*OCTET + cbind-input = gs2-header [ cbind-data ] + ;; cbind-data MUST be present for + ;; gs2-cbind-flag of "p" and MUST be absent + ;; for "y" or "n". + */ + cbind_input = request->gs2_header; + str = t_str_new(2 + MAX_BASE64_ENCODED_SIZE(strlen(cbind_input))); + str_append(str, "c="); + base64_encode(cbind_input, strlen(cbind_input), str); + + if (strcmp(fields[0], str_c(str)) != 0) { + *error_r = "Invalid channel binding data"; + return FALSE; + } + + /* nonce = "r=" c-nonce [s-nonce] + ;; Second part provided by server. + c-nonce = printable + s-nonce = printable + */ + nonce_str = t_strconcat("r=", request->cnonce, request->snonce, NULL); + if (strcmp(fields[1], nonce_str) != 0) { + *error_r = "Wrong nonce"; + return FALSE; + } + + /* proof = "p=" base64 + */ + if (fields[field_count-1][0] == 'p') { + size_t len = strlen(&fields[field_count-1][2]); + + request->proof = buffer_create_dynamic(request->pool, + MAX_BASE64_DECODED_SIZE(len)); + if (base64_decode(&fields[field_count-1][2], len, NULL, + request->proof) < 0) { + *error_r = "Invalid base64 encoding"; + return FALSE; + } + if (request->proof->used != hmethod->digest_size) { + *error_r = "Invalid ClientProof length"; + return FALSE; + } + } else { + *error_r = "Invalid ClientProof"; + return FALSE; + } + + (void)str_array_remove(fields, fields[field_count-1]); + request->client_final_message_without_proof = + p_strdup(request->pool, t_strarray_join(fields, ",")); + + return TRUE; +} + +void mech_scram_auth_continue(struct auth_request *auth_request, + const unsigned char *data, size_t data_size) +{ + struct scram_auth_request *request = + (struct scram_auth_request *)auth_request; + const char *error = NULL; + const char *server_final_message; + size_t len; + + if (request->client_first_message_bare == NULL) { + /* Received client-first-message */ + if (parse_scram_client_first(request, data, + data_size, &error)) { + auth_request_lookup_credentials( + &request->auth_request, + request->password_scheme, + credentials_callback); + return; + } + } else { + /* Received client-final-message */ + if (parse_scram_client_final(request, data, data_size, + &error)) { + if (!verify_credentials(request)) { + e_info(auth_request->mech_event, + AUTH_LOG_MSG_PASSWORD_MISMATCH); + } else { + server_final_message = + get_scram_server_final(request); + len = strlen(server_final_message); + auth_request_success(auth_request, + server_final_message, len); + return; + } + } + } + + if (error != NULL) + e_info(auth_request->mech_event, "%s", error); + auth_request_fail(auth_request); +} + +struct auth_request * +mech_scram_auth_new(const struct hash_method *hash_method, + const char *password_scheme) +{ + struct scram_auth_request *request; + pool_t pool; + + pool = pool_alloconly_create(MEMPOOL_GROWING"scram_auth_request", 2048); + request = p_new(pool, struct scram_auth_request, 1); + request->pool = pool; + + request->hash_method = hash_method; + request->password_scheme = password_scheme; + + request->stored_key = p_malloc(pool, hash_method->digest_size); + request->server_key = p_malloc(pool, hash_method->digest_size); + + request->auth_request.pool = pool; + return &request->auth_request; +} + +static struct auth_request *mech_scram_sha1_auth_new(void) +{ + return mech_scram_auth_new(&hash_method_sha1, "SCRAM-SHA-1"); +} + +static struct auth_request *mech_scram_sha256_auth_new(void) +{ + return mech_scram_auth_new(&hash_method_sha256, "SCRAM-SHA-256"); +} + +const struct mech_module mech_scram_sha1 = { + "SCRAM-SHA-1", + + .flags = MECH_SEC_MUTUAL_AUTH, + .passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS, + + mech_scram_sha1_auth_new, + mech_generic_auth_initial, + mech_scram_auth_continue, + mech_generic_auth_free +}; + +const struct mech_module mech_scram_sha256 = { + "SCRAM-SHA-256", + + .flags = MECH_SEC_MUTUAL_AUTH, + .passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS, + + mech_scram_sha256_auth_new, + mech_generic_auth_initial, + mech_scram_auth_continue, + mech_generic_auth_free +}; |