Adding upstream version 1:2.3.21+dfsg1.upstream/1%2.3.21+dfsg1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 550 insertions, 0 deletions

diff --git a/src/auth/mech-scram.c b/src/auth/mech-scram.c
new file mode 100644
index 0000000..a90d0d1
--- /dev/null
+++ b/src/auth/mech-scram.c
@@ -0,0 +1,550 @@
+/*
+ * SCRAM-SHA-1 SASL authentication, see RFC-5802
+ *
+ * Copyright (c) 2011-2016 Florian Zeitz <florob@babelmonkeys.de>
+ *
+ * This software is released under the MIT license.
+ */
+
+#include <limits.h>
+
+#include "auth-common.h"
+#include "base64.h"
+#include "buffer.h"
+#include "hmac.h"
+#include "sha1.h"
+#include "sha2.h"
+#include "randgen.h"
+#include "safe-memset.h"
+#include "str.h"
+#include "strfuncs.h"
+#include "strnum.h"
+#include "password-scheme.h"
+#include "mech.h"
+#include "mech-scram.h"
+
+/* s-nonce length */
+#define SCRAM_SERVER_NONCE_LEN 64
+
+struct scram_auth_request {
+	struct auth_request auth_request;
+
+	pool_t pool;
+
+	const struct hash_method *hash_method;
+	const char *password_scheme;
+
+	/* sent: */
+	const char *server_first_message;
+	const char *snonce;
+
+	/* received: */
+	const char *gs2_header;
+	const char *cnonce;
+	const char *client_first_message_bare;
+	const char *client_final_message_without_proof;
+	buffer_t *proof;
+
+	/* stored */
+	unsigned char *stored_key;
+	unsigned char *server_key;
+};
+
+static const char *
+get_scram_server_first(struct scram_auth_request *request,
+		       int iter, const char *salt)
+{
+	unsigned char snonce[SCRAM_SERVER_NONCE_LEN+1];
+	string_t *str;
+	size_t i;
+
+	/* RFC 5802, Section 7:
+
+	   server-first-message =
+	                     [reserved-mext ","] nonce "," salt ","
+	                     iteration-count ["," extensions]
+
+	   nonce           = "r=" c-nonce [s-nonce]
+
+	   salt            = "s=" base64
+
+	   iteration-count = "i=" posit-number
+	                     ;; A positive number.
+	 */
+
+	random_fill(snonce, sizeof(snonce)-1);
+
+	/* make sure snonce is printable and does not contain ',' */
+	for (i = 0; i < sizeof(snonce)-1; i++) {
+		snonce[i] = (snonce[i] % ('~' - '!')) + '!';
+		if (snonce[i] == ',')
+			snonce[i] = '~';
+	}
+	snonce[sizeof(snonce)-1] = '\0';
+	request->snonce = p_strndup(request->pool, snonce, sizeof(snonce));
+
+	str = t_str_new(32 + strlen(request->cnonce) + sizeof(snonce) +
+			strlen(salt));
+	str_printfa(str, "r=%s%s,s=%s,i=%d", request->cnonce, request->snonce,
+		    salt, iter);
+	return str_c(str);
+}
+
+static const char *get_scram_server_final(struct scram_auth_request *request)
+{
+	const struct hash_method *hmethod = request->hash_method;
+	struct hmac_context ctx;
+	const char *auth_message;
+	unsigned char server_signature[hmethod->digest_size];
+	string_t *str;
+
+	/* RFC 5802, Section 3:
+
+	   AuthMessage     := client-first-message-bare + "," +
+	                      server-first-message + "," +
+	                      client-final-message-without-proof
+	   ServerSignature := HMAC(ServerKey, AuthMessage)
+	 */
+	auth_message = t_strconcat(request->client_first_message_bare, ",",
+			request->server_first_message, ",",
+			request->client_final_message_without_proof, NULL);
+
+	hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
+	hmac_update(&ctx, auth_message, strlen(auth_message));
+	hmac_final(&ctx, server_signature);
+
+	/* RFC 5802, Section 7:
+
+	   server-final-message = (server-error / verifier)
+	                     ["," extensions]
+
+	   verifier        = "v=" base64
+	                     ;; base-64 encoded ServerSignature.
+
+	 */
+	str = t_str_new(2 + MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
+	str_append(str, "v=");
+	base64_encode(server_signature, sizeof(server_signature), str);
+
+	return str_c(str);
+}
+
+static const char *scram_unescape_username(const char *in)
+{
+	string_t *out;
+
+	/* RFC 5802, Section 5.1:
+
+	   The characters ',' or '=' in usernames are sent as '=2C' and '=3D'
+	   respectively.  If the server receives a username that contains '='
+	   not followed by either '2C' or '3D', then the server MUST fail the
+	   authentication.
+	 */
+
+	out = t_str_new(64);
+	for (; *in != '\0'; in++) {
+		i_assert(in[0] != ','); /* strsplit should have caught this */
+
+		if (in[0] == '=') {
+			if (in[1] == '2' && in[2] == 'C')
+				str_append_c(out, ',');
+			else if (in[1] == '3' && in[2] == 'D')
+				str_append_c(out, '=');
+			else
+				return NULL;
+			in += 2;
+		} else {
+			str_append_c(out, *in);
+		}
+	}
+	return str_c(out);
+}
+
+static bool
+parse_scram_client_first(struct scram_auth_request *request,
+			 const unsigned char *data, size_t size,
+			 const char **error_r)
+{
+	const char *login_username = NULL;
+	const char *data_cstr, *p;
+	const char *gs2_header, *gs2_cbind_flag, *authzid;
+	const char *cfm_bare, *username, *nonce;
+	const char *const *fields;
+
+	data_cstr = gs2_header = t_strndup(data, size);
+
+	/* RFC 5802, Section 7:
+
+	   client-first-message = gs2-header client-first-message-bare
+	   gs2-header      = gs2-cbind-flag "," [ authzid ] ","
+
+	   client-first-message-bare = [reserved-mext ","]
+	                     username "," nonce ["," extensions]
+
+	   extensions      = attr-val *("," attr-val)
+	                     ;; All extensions are optional,
+	                     ;; i.e., unrecognized attributes
+	                     ;; not defined in this document
+	                     ;; MUST be ignored.
+	   attr-val        = ALPHA "=" value
+	 */
+	p = strchr(data_cstr, ',');
+	if (p == NULL) {
+		*error_r = "Invalid initial client message: "
+			"Missing first ',' in GS2 header";
+		return FALSE;
+	}
+	gs2_cbind_flag = t_strdup_until(data_cstr, p);
+	data_cstr = p + 1;
+
+	p = strchr(data_cstr, ',');
+	if (p == NULL) {
+		*error_r = "Invalid initial client message: "
+			"Missing second ',' in GS2 header";
+		return FALSE;
+	}
+	authzid = t_strdup_until(data_cstr, p);
+	gs2_header = t_strdup_until(gs2_header, p + 1);
+	cfm_bare = p + 1;
+
+	fields = t_strsplit(cfm_bare, ",");
+	if (str_array_length(fields) < 2) {
+		*error_r = "Invalid initial client message: "
+			"Missing nonce field";
+		return FALSE;
+	}
+	username = fields[0];
+	nonce = fields[1];
+
+	/* gs2-cbind-flag  = ("p=" cb-name) / "n" / "y"
+	 */
+	switch (gs2_cbind_flag[0]) {
+	case 'p':
+		*error_r = "Channel binding not supported";
+		return FALSE;
+	case 'y':
+	case 'n':
+		break;
+	default:
+		*error_r = "Invalid GS2 header";
+		return FALSE;
+	}
+
+	/* authzid         = "a=" saslname
+	                     ;; Protocol specific.
+	 */
+	if (authzid[0] == '\0')
+		;
+	else if (authzid[0] == 'a' && authzid[1] == '=') {
+		/* Unescape authzid */
+		login_username = scram_unescape_username(authzid + 2);
+
+		if (login_username == NULL) {
+			*error_r = "authzid escaping is invalid";
+			return FALSE;
+		}
+	} else {
+		*error_r = "Invalid authzid field";
+		return FALSE;
+	}
+
+	/* reserved-mext   = "m=" 1*(value-char)
+	 */
+	if (username[0] == 'm') {
+		*error_r = "Mandatory extension(s) not supported";
+		return FALSE;
+	}
+	/* username        = "n=" saslname
+	 */
+	if (username[0] == 'n' && username[1] == '=') {
+		/* Unescape username */
+		username = scram_unescape_username(username + 2);
+		if (username == NULL) {
+			*error_r = "Username escaping is invalid";
+			return FALSE;
+		}
+		if (!auth_request_set_username(&request->auth_request,
+					       username, error_r))
+			return FALSE;
+	} else {
+		*error_r = "Invalid username field";
+		return FALSE;
+	}
+	if (login_username != NULL) {
+		if (!auth_request_set_login_username(&request->auth_request,
+						     login_username, error_r))
+			return FALSE;
+	}
+
+	/* nonce           = "r=" c-nonce [s-nonce] */
+	if (nonce[0] == 'r' && nonce[1] == '=')
+		request->cnonce = p_strdup(request->pool, nonce+2);
+	else {
+		*error_r = "Invalid client nonce";
+		return FALSE;
+	}
+
+	request->gs2_header = p_strdup(request->pool, gs2_header);
+	request->client_first_message_bare = p_strdup(request->pool, cfm_bare);
+	return TRUE;
+}
+
+static bool verify_credentials(struct scram_auth_request *request)
+{
+	const struct hash_method *hmethod = request->hash_method;
+	struct hmac_context ctx;
+	const char *auth_message;
+	unsigned char client_key[hmethod->digest_size];
+	unsigned char client_signature[hmethod->digest_size];
+	unsigned char stored_key[hmethod->digest_size];
+	size_t i;
+
+	/* RFC 5802, Section 3:
+
+	   AuthMessage     := client-first-message-bare + "," +
+	                      server-first-message + "," +
+	                      client-final-message-without-proof
+	   ClientSignature := HMAC(StoredKey, AuthMessage)
+	 */
+	auth_message = t_strconcat(request->client_first_message_bare, ",",
+			request->server_first_message, ",",
+			request->client_final_message_without_proof, NULL);
+
+	hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
+	hmac_update(&ctx, auth_message, strlen(auth_message));
+	hmac_final(&ctx, client_signature);
+
+	/* ClientProof     := ClientKey XOR ClientSignature */
+	const unsigned char *proof_data = request->proof->data;
+	for (i = 0; i < sizeof(client_signature); i++)
+		client_key[i] = proof_data[i] ^ client_signature[i];
+
+	/* StoredKey       := H(ClientKey) */
+	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
+			       stored_key);
+
+	safe_memset(client_key, 0, sizeof(client_key));
+	safe_memset(client_signature, 0, sizeof(client_signature));
+
+	return mem_equals_timing_safe(stored_key, request->stored_key,
+				      sizeof(stored_key));
+}
+
+static void
+credentials_callback(enum passdb_result result,
+		     const unsigned char *credentials, size_t size,
+		     struct auth_request *auth_request)
+{
+	struct scram_auth_request *request =
+		(struct scram_auth_request *)auth_request;
+	const char *salt, *error;
+	unsigned int iter_count;
+
+	switch (result) {
+	case PASSDB_RESULT_OK:
+		if (scram_scheme_parse(request->hash_method,
+				       request->password_scheme,
+				       credentials, size, &iter_count, &salt,
+				       request->stored_key, request->server_key,
+				       &error) < 0) {
+			e_info(auth_request->mech_event,
+			       "%s", error);
+			auth_request_fail(auth_request);
+			break;
+		}
+
+		request->server_first_message = p_strdup(request->pool,
+			get_scram_server_first(request, iter_count, salt));
+
+		auth_request_handler_reply_continue(auth_request,
+					request->server_first_message,
+					strlen(request->server_first_message));
+		break;
+	case PASSDB_RESULT_INTERNAL_FAILURE:
+		auth_request_internal_failure(auth_request);
+		break;
+	default:
+		auth_request_fail(auth_request);
+		break;
+	}
+}
+
+static bool
+parse_scram_client_final(struct scram_auth_request *request,
+			 const unsigned char *data, size_t size,
+			 const char **error_r)
+{
+	const struct hash_method *hmethod = request->hash_method;
+	const char **fields, *cbind_input, *nonce_str;
+	unsigned int field_count;
+	string_t *str;
+
+	/* RFC 5802, Section 7:
+
+	   client-final-message-without-proof =
+	                     channel-binding "," nonce [","
+	                     extensions]
+	   client-final-message =
+	                     client-final-message-without-proof "," proof
+	 */
+	fields = t_strsplit(t_strndup(data, size), ",");
+	field_count = str_array_length(fields);
+	if (field_count < 3) {
+		*error_r = "Invalid final client message";
+		return FALSE;
+	}
+
+	/* channel-binding = "c=" base64
+	                     ;; base64 encoding of cbind-input.
+
+	   cbind-data      = 1*OCTET
+	   cbind-input     = gs2-header [ cbind-data ]
+	                     ;; cbind-data MUST be present for
+	                     ;; gs2-cbind-flag of "p" and MUST be absent
+	                     ;; for "y" or "n".
+	 */
+	cbind_input = request->gs2_header;
+	str = t_str_new(2 + MAX_BASE64_ENCODED_SIZE(strlen(cbind_input)));
+	str_append(str, "c=");
+	base64_encode(cbind_input, strlen(cbind_input), str);
+
+	if (strcmp(fields[0], str_c(str)) != 0) {
+		*error_r = "Invalid channel binding data";
+		return FALSE;
+	}
+
+	/* nonce           = "r=" c-nonce [s-nonce]
+	                     ;; Second part provided by server.
+	   c-nonce         = printable
+	   s-nonce         = printable
+	 */
+	nonce_str = t_strconcat("r=", request->cnonce, request->snonce, NULL);
+	if (strcmp(fields[1], nonce_str) != 0) {
+		*error_r = "Wrong nonce";
+		return FALSE;
+	}
+
+	/* proof           = "p=" base64
+	 */
+	if (fields[field_count-1][0] == 'p') {
+		size_t len = strlen(&fields[field_count-1][2]);
+
+		request->proof = buffer_create_dynamic(request->pool,
+					MAX_BASE64_DECODED_SIZE(len));
+		if (base64_decode(&fields[field_count-1][2], len, NULL,
+				  request->proof) < 0) {
+			*error_r = "Invalid base64 encoding";
+			return FALSE;
+		}
+		if (request->proof->used != hmethod->digest_size) {
+			*error_r = "Invalid ClientProof length";
+			return FALSE;
+		}
+	} else {
+		*error_r = "Invalid ClientProof";
+		return FALSE;
+	}
+
+	(void)str_array_remove(fields, fields[field_count-1]);
+	request->client_final_message_without_proof =
+		p_strdup(request->pool, t_strarray_join(fields, ","));
+
+	return TRUE;
+}
+
+void mech_scram_auth_continue(struct auth_request *auth_request,
+			      const unsigned char *data, size_t data_size)
+{
+	struct scram_auth_request *request =
+		(struct scram_auth_request *)auth_request;
+	const char *error = NULL;
+	const char *server_final_message;
+	size_t len;
+
+	if (request->client_first_message_bare == NULL) {
+		/* Received client-first-message */
+		if (parse_scram_client_first(request, data,
+					     data_size, &error)) {
+			auth_request_lookup_credentials(
+				&request->auth_request,
+				request->password_scheme,
+				credentials_callback);
+			return;
+		}
+	} else {
+		/* Received client-final-message */
+		if (parse_scram_client_final(request, data, data_size,
+					     &error)) {
+			if (!verify_credentials(request)) {
+				e_info(auth_request->mech_event,
+				       AUTH_LOG_MSG_PASSWORD_MISMATCH);
+			} else {
+				server_final_message =
+					get_scram_server_final(request);
+				len = strlen(server_final_message);
+				auth_request_success(auth_request,
+						     server_final_message, len);
+				return;
+			}
+		}
+	}
+
+	if (error != NULL)
+		e_info(auth_request->mech_event, "%s", error);
+	auth_request_fail(auth_request);
+}
+
+struct auth_request *
+mech_scram_auth_new(const struct hash_method *hash_method,
+		    const char *password_scheme)
+{
+	struct scram_auth_request *request;
+	pool_t pool;
+
+	pool = pool_alloconly_create(MEMPOOL_GROWING"scram_auth_request", 2048);
+	request = p_new(pool, struct scram_auth_request, 1);
+	request->pool = pool;
+
+	request->hash_method = hash_method;
+	request->password_scheme = password_scheme;
+
+	request->stored_key = p_malloc(pool, hash_method->digest_size);
+	request->server_key = p_malloc(pool, hash_method->digest_size);
+
+	request->auth_request.pool = pool;
+	return &request->auth_request;
+}
+
+static struct auth_request *mech_scram_sha1_auth_new(void)
+{
+	return mech_scram_auth_new(&hash_method_sha1, "SCRAM-SHA-1");
+}
+
+static struct auth_request *mech_scram_sha256_auth_new(void)
+{
+	return mech_scram_auth_new(&hash_method_sha256, "SCRAM-SHA-256");
+}
+
+const struct mech_module mech_scram_sha1 = {
+	"SCRAM-SHA-1",
+
+	.flags = MECH_SEC_MUTUAL_AUTH,
+	.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
+
+	mech_scram_sha1_auth_new,
+	mech_generic_auth_initial,
+	mech_scram_auth_continue,
+	mech_generic_auth_free
+};
+
+const struct mech_module mech_scram_sha256 = {
+	"SCRAM-SHA-256",
+
+	.flags = MECH_SEC_MUTUAL_AUTH,
+	.passdb_need = MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,
+
+	mech_scram_sha256_auth_new,
+	mech_generic_auth_initial,
+	mech_scram_auth_continue,
+	mech_generic_auth_free
+};