/* SCRAM-SHA-1/SHA-2 SASL plugin * Alexey Melnikov */ /* * Copyright (c) 2009-2016 Carnegie Mellon University. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name "Carnegie Mellon University" must not be used to * endorse or promote products derived from this software without * prior written permission. For permission or any other legal * details, please contact * Carnegie Mellon University * Center for Technology Transfer and Enterprise Creation * 4615 Forbes Avenue * Suite 302 * Pittsburgh, PA 15213 * (412) 268-7393, fax: (412) 268-7395 * innovation@andrew.cmu.edu * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Computing Services * at Carnegie Mellon University (http://www.cmu.edu/computing/)." * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include #include #include #include #ifndef macintosh #include #endif #include #include #include #include #include #include "plugin_common.h" #ifdef macintosh #error #include #endif #include #include #include /***************************** Common Section *****************************/ #define NONCE_SIZE (32) /* arbitrary */ #define SALT_SIZE (16) /* arbitrary */ /* TODO: make this a configurable option? */ #define DEFAULT_ITERATION_COUNTER 4096 #define MIN_ITERATION_COUNTER 4096 #define MAX_ITERATION_COUNTER 0x10000 /* maximum length of the iteration_counter (as a string). Assume it is 32bits */ #define ITERATION_COUNTER_BUF_LEN 20 #define BASE64_LEN(size) (((size) / 3 * 4) + (((size) % 3) ? 4 : 0)) #define MAX_CLIENTIN_LEN 2048 #define MAX_SERVERIN_LEN 2048 #define STRINGIZE(x) #x #define MAX_CLIENTIN_LEN_STR STRINGIZE((MAX_CLIENTIN_LEN)) #define MAX_SERVERIN_LEN_STR STRINGIZE((MAX_SERVERIN_LEN)) #define CLIENT_KEY_CONSTANT "Client Key" #define SERVER_KEY_CONSTANT "Server Key" #define CLIENT_KEY_CONSTANT_LEN sizeof(CLIENT_KEY_CONSTANT)-1 #define SERVER_KEY_CONSTANT_LEN sizeof(SERVER_KEY_CONSTANT)-1 #define SCRAM_CB_FLAG_MASK 0x0F #define SCRAM_CB_FLAG_N 0x00 #define SCRAM_CB_FLAG_P 0x01 #define SCRAM_CB_FLAG_Y 0x02 #ifdef SCRAM_DEBUG #define PRINT_HASH(func,hash,size) print_hash(func,hash,size) #else #define PRINT_HASH(func,hash,size) #endif /* NB: A temporary mapping for "internal errors". It would be better to add a new SASL error code for that */ #define SASL_SCRAM_INTERNAL SASL_NOMEM /* Holds the core salt to avoid regenerating salt each auth. */ static unsigned char g_salt_key[SALT_SIZE]; /* Note that currently only SHA-* variants are supported! */ static const char * scram_sasl_mech_name(size_t hash_size) { switch (hash_size) { case 64: return "SCRAM-SHA-512"; case 48: return "SCRAM-SHA-384"; case 32: return "SCRAM-SHA-256"; case 28: return "SCRAM-SHA-224"; case 20: return "SCRAM-SHA-1"; } return NULL; } /* Convert saslname = 1*(value-safe-char / "=2C" / "=3D") in place. Returns SASL_FAIL if the encoding is invalid, otherwise SASL_OK */ static int decode_saslname (char *buf) { char * inp; char * outp; inp = outp = buf; while (*inp) { if (*inp == '=') { inp++; if (*inp == '\0') { return SASL_FAIL; } if (inp[0] == '2' && inp[1] == 'C') { *outp = ','; inp += 2; } else if (inp[0] == '3' && inp[1] == 'D') { *outp = '='; inp += 2; } else { return SASL_FAIL; } } else { *outp = *inp; inp++; } outp++; } *outp = '\0'; return SASL_OK; } /* Convert a username to saslname = 1*(value-safe-char / "=2C" / "=3D") and return an allocated copy. "freeme" contains pointer to the allocated output, or NULL, if encoded_saslname just points to saslname. Returns SASL_NOMEM if can't allocate memory for the output, otherwise SASL_OK */ static int encode_saslname (const char *saslname, const char **encoded_saslname, char **freeme) { const char * inp; char * outp; int special_chars = 0; /* Found out if anything needs encoding */ for (inp = saslname; *inp; inp++) { if (*inp == ',' || *inp == '=') { special_chars++; } } if (special_chars == 0) { *encoded_saslname = saslname; *freeme = NULL; return SASL_OK; } outp = malloc(strlen(saslname) + special_chars * 2 + 1); *encoded_saslname = outp; *freeme = outp; if (outp == NULL) { return SASL_NOMEM; } for (inp = saslname; *inp; inp++) { switch (*inp) { case ',': *outp++ = '='; *outp++ = '2'; *outp++ = 'C'; break; case '=': *outp++ = '='; *outp++ = '3'; *outp++ = 'D'; break; default: *outp++ = *inp; } } *outp = '\0'; return SASL_OK; } static char * create_nonce(const sasl_utils_t * utils, char *buffer, size_t buflen) /* Including the terminating NUL */ { char *intbuf; unsigned int estimated; if ((buflen - 1) % 4 != 0) { /* NB: the algorithm below doesn't work for such length. It needs to be adjusted to allocate + 4 bytes, encode the last 4 bytes to a separate buffer and then copy the necessary number of bytes to the end of the output */ return NULL; } estimated = (unsigned int)((buflen - 1) / 4 * 3); intbuf = (char *) utils->malloc(estimated + 1); if (intbuf == NULL) { return NULL; } utils->rand(utils->rpool, intbuf, estimated); /* base 64 encode it so it has valid chars */ if (utils->encode64(intbuf, estimated, buffer, (unsigned int)buflen, NULL) != SASL_OK) { utils->free(intbuf); return NULL; } utils->free(intbuf); buffer[buflen-1] = '\0'; return buffer; } #ifdef SCRAM_DEBUG /* Useful for debugging interop issues */ static void print_hash (const char * func, const char * hash, size_t hash_size) { int i; printf (" HASH in %s:", func); for (i = 0; i < hash_size; i++) { printf (" %.2X", (unsigned char)hash[i]); } printf ("\n"); } #endif /* The result variable need to point to a buffer big enough for the [SHA-*] hash */ static void Hi (const sasl_utils_t * utils, const EVP_MD *md, const char * str, size_t str_len, const char * salt, size_t salt_len, unsigned int iteration_count, char * result) { char * initial_key = NULL; unsigned int i; char * temp_result; unsigned int hash_len = 0; size_t k, hash_size = EVP_MD_size(md); initial_key = utils->malloc(salt_len + 4); memcpy (initial_key, salt, salt_len); initial_key[salt_len] = 0; initial_key[salt_len+1] = 0; initial_key[salt_len+2] = 0; initial_key[salt_len+3] = 1; temp_result = utils->malloc(hash_size); /* U1 := HMAC(str, salt || INT(1)) */ if (HMAC(md, (const unsigned char *) str, (int)str_len, (const unsigned char *) initial_key, (int)salt_len + 4, (unsigned char *)result, &hash_len) == NULL) { } memcpy(temp_result, result, hash_size); PRINT_HASH ("first HMAC in Hi()", temp_result, hash_size); /* On each loop iteration j "temp_result" contains Uj, while "result" contains "U1 XOR ... XOR Uj" */ for (i = 2; i <= iteration_count; i++) { if (HMAC(md, (const unsigned char *) str, (int)str_len, (const unsigned char *) temp_result, hash_size, (unsigned char *)temp_result, &hash_len) == NULL) { } PRINT_HASH ("Hi() HMAC inside loop", temp_result, hash_size); for (k = 0; k < hash_size; k++) { result[k] ^= temp_result[k]; } PRINT_HASH ("Hi() - accumulated result inside loop", result, hash_size); } utils->free(initial_key); utils->free(temp_result); } /** * User salt is Hi(username,salt_key); * This is fixed per reboot, to allow caching of SCRAM * SaltedPassword. */ static unsigned char * scram_server_user_salt(const sasl_utils_t * utils, const EVP_MD *md, const char * username, size_t * p_salt_len) { size_t hash_size = EVP_MD_size(md); char * result = utils->malloc(hash_size); Hi(utils, md, username, strlen(username), (const char *) g_salt_key, SALT_SIZE, 20 /* iterations */, result); *p_salt_len = hash_size; return (unsigned char *) result; } static int GenerateScramSecrets (const sasl_utils_t * utils, const EVP_MD *md, const char * password, size_t password_len, char * salt, size_t salt_len, unsigned int iteration_count, char * StoredKey, char * ServerKey, char ** error_text) { char SaltedPassword[EVP_MAX_MD_SIZE]; char ClientKey[EVP_MAX_MD_SIZE]; sasl_secret_t *sec = NULL; unsigned int hash_len = 0; int result; size_t hash_size = EVP_MD_size(md); *error_text = NULL; if (password_len == 0) { *error_text = "empty secret"; result = SASL_FAIL; goto cleanup; } sec = utils->malloc(sizeof(sasl_secret_t) + password_len); if (sec == NULL) { result = SASL_NOMEM; goto cleanup; } sec->len = (unsigned) password_len; strncpy((char *)sec->data, password, password_len + 1); /* SaltedPassword := Hi(password, salt) */ Hi (utils, md, (const char *) sec->data, sec->len, salt, salt_len, iteration_count, SaltedPassword); /* ClientKey := HMAC(SaltedPassword, "Client Key") */ if (HMAC(md, (const unsigned char *) SaltedPassword, hash_size, (const unsigned char *) CLIENT_KEY_CONSTANT, CLIENT_KEY_CONSTANT_LEN, (unsigned char *)ClientKey, &hash_len) == NULL) { *error_text = "HMAC call failed"; result = SASL_SCRAM_INTERNAL; goto cleanup; } /* StoredKey := H(ClientKey) */ if (EVP_Digest((const unsigned char *) ClientKey, hash_size, (unsigned char *) StoredKey, NULL, md, NULL) == 0) { *error_text = "Digest call failed"; result = SASL_SCRAM_INTERNAL; goto cleanup; } /* ServerKey := HMAC(SaltedPassword, "Server Key") */ if (HMAC(md, (const unsigned char *) SaltedPassword, hash_size, (const unsigned char *) SERVER_KEY_CONSTANT, SERVER_KEY_CONSTANT_LEN, (unsigned char *)ServerKey, &hash_len) == NULL) { *error_text = "HMAC call failed"; result = SASL_SCRAM_INTERNAL; goto cleanup; } result = SASL_OK; cleanup: if (sec) { _plug_free_secret(utils, &sec); } return result; } /***************************** Server Section *****************************/ typedef struct server_context { int state; const EVP_MD *md; /* underlying MDA */ char * authentication_id; char * authorization_id; char * out_buf; unsigned out_buf_len; char * auth_message; size_t auth_message_len; char * nonce; /* in binary form */ char * salt; size_t salt_len; unsigned int iteration_count; char StoredKey[EVP_MAX_MD_SIZE + 1]; char ServerKey[EVP_MAX_MD_SIZE + 1]; int cb_flags; char *cbindingname; char *gs2_header; size_t gs2_header_length; } server_context_t; static int scram_server_mech_new(void *glob_context, sasl_server_params_t *sparams, const char *challenge __attribute__((unused)), unsigned challen __attribute__((unused)), void **conn_context) { server_context_t *text; /* holds state are in */ text = sparams->utils->malloc(sizeof(server_context_t)); if (text == NULL) { MEMERROR( sparams->utils ); return SASL_NOMEM; } memset(text, 0, sizeof(server_context_t)); /* text->state = 0; */ text->md = EVP_get_digestbyname((const char *) glob_context); *conn_context = text; return SASL_OK; } static int scram_server_mech_step1(server_context_t *text, sasl_server_params_t *sparams, const char *clientin, unsigned clientinlen, const char **serverout, unsigned *serveroutlen, sasl_out_params_t *oparams __attribute__((unused))) { char * authorization_id; char * authentication_id; char * p; char * nonce; size_t client_nonce_len; char * base64_salt = NULL; size_t base64len; size_t estimated_challenge_len; size_t pure_scram_length; char * inbuf = NULL; const char *password_request[] = { SASL_AUX_PASSWORD, "*authPassword", NULL }; int canon_flags; struct propval auxprop_values[3]; int result; size_t hash_size = EVP_MD_size(text->md); const char *scram_sasl_mech = scram_sasl_mech_name(hash_size); if (clientinlen == 0) { sparams->utils->seterror(sparams->utils->conn, 0, "%s input expected", scram_sasl_mech); return SASL_BADPROT; } /* Expecting: 'gs2-cbind-flag "," [ authzid ] "," [reserved-mext ","] username "," nonce ["," extensions]' */ if (clientinlen < 10) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid %s input", scram_sasl_mech); return SASL_BADPROT; } inbuf = sparams->utils->malloc (clientinlen + 1); if (inbuf == NULL) { MEMERROR( sparams->utils ); return SASL_NOMEM; } memcpy(inbuf, clientin, clientinlen); inbuf[clientinlen] = 0; if (strlen(inbuf) != clientinlen) { sparams->utils->seterror(sparams->utils->conn, 0, "NULs found in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } p = inbuf; /* gs2-cbind-flag = "p=" cb-name / "n" / "y" ;; "n" -> client doesn't support channel binding ;; "y" -> client does support channel binding ;; but thinks the server does not. ;; "p" -> client requires channel binding. ;; The selected channel binding follows "p=". */ switch (p[0]) { case 'p': if (p[1] != '=') { sparams->utils->seterror(sparams->utils->conn, 0, "The initial 'p' needs to be followed by '=' in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } p++; text->cbindingname = p + 1; p = strchr (p, ','); if (p == NULL) { text->cbindingname = NULL; sparams->utils->seterror(sparams->utils->conn, 0, "Channel binding name must be terminated by a comma in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } *p = '\0'; _plug_strdup(sparams->utils, text->cbindingname, &text->cbindingname, NULL); *p = ','; text->cb_flags = SCRAM_CB_FLAG_P; break; case 'n': text->cb_flags = SCRAM_CB_FLAG_N; /* We always have at least 10 bytes, so this is safe */ p++; break; case 'y': text->cb_flags = SCRAM_CB_FLAG_Y; /* We always have at least 10 bytes, so this is safe */ p++; break; default: sparams->utils->seterror(sparams->utils->conn, 0, "The initial %s client response needs to start with 'y', 'n' or 'p'", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (p[0] != ',') { sparams->utils->seterror(sparams->utils->conn, 0, "',' expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } p++; if (p[0] == 'a' && p[1] == '=') { authorization_id = p + 2; p = strchr (authorization_id, ','); if (p == NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "At least nonce is expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } /* End of the GS2 header */ p[0] = '\0'; /* The GS2 header length DOES include the terminating comma */ text->gs2_header_length = p - inbuf + 1; p++; /* Make a read-write copy we can modify */ _plug_strdup(sparams->utils, authorization_id, &text->authorization_id, NULL); if (decode_saslname(text->authorization_id) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid authorization identity encoding in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } } else if (p[0] != ',') { sparams->utils->seterror(sparams->utils->conn, 0, "',' expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } else { /* End of the GS2 header */ p[0] = '\0'; /* The GS2 header length DOES include the terminating comma */ text->gs2_header_length = p - inbuf + 1; p++; } text->gs2_header = sparams->utils->malloc (text->gs2_header_length + 1); if (text->gs2_header == NULL) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } memcpy(text->gs2_header, inbuf, text->gs2_header_length - 1); /* Remember the comma */ text->gs2_header[text->gs2_header_length - 1] = ','; text->gs2_header[text->gs2_header_length] = 0; if (p[1] != '=') { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (p[0] == 'm') { sparams->utils->seterror(sparams->utils->conn, 0, "Unsupported mandatory extension to %s", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (p[0] != 'n') { sparams->utils->seterror(sparams->utils->conn, 0, "Username (n=) expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } authentication_id = p + 2; p = strchr (authentication_id, ','); /* MUST be followed by a nonce */ if (p == NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "Nonce expected after the username in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } *p = '\0'; p++; if (decode_saslname(authentication_id) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid username encoding in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } _plug_strdup(sparams->utils, authentication_id, &text->authentication_id, NULL); if (strncmp(p, "r=", 2) != 0) { sparams->utils->seterror(sparams->utils->conn, 0, "Nonce expected after the username in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } p += 2; nonce = p; p = strchr (nonce, ','); if (p == NULL) { p = nonce + strlen(nonce); } else { *p = '\0'; } /* Generate server nonce, by appending some random stuff to the client nonce */ client_nonce_len = strlen(nonce); text->nonce = sparams->utils->malloc (client_nonce_len + NONCE_SIZE + 1); if (text->nonce == NULL) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } strcpy (text->nonce, nonce); if (create_nonce(sparams->utils, text->nonce + client_nonce_len, NONCE_SIZE + 1) == NULL) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } /* Now we fetch user's password and calculate our secret */ result = sparams->utils->prop_request(sparams->propctx, password_request); if (result != SASL_OK) { goto cleanup; } /* this will trigger the getting of the aux properties */ canon_flags = SASL_CU_AUTHID; if (text->authorization_id == NULL || *text->authorization_id == '\0') { canon_flags |= SASL_CU_AUTHZID; } result = sparams->canon_user(sparams->utils->conn, text->authentication_id, 0, canon_flags, oparams); if (result != SASL_OK) { SETERROR(sparams->utils, "unable to canonify user and get auxprops"); goto cleanup; } if (text->authorization_id != NULL && *text->authorization_id != '\0') { result = sparams->canon_user(sparams->utils->conn, text->authorization_id, 0, SASL_CU_AUTHZID, oparams); } if (result != SASL_OK) { SETERROR(sparams->utils, "unable to canonify authorization ID"); goto cleanup; } result = sparams->utils->prop_getnames(sparams->propctx, password_request, auxprop_values); if (result < 0 || ((!auxprop_values[0].name || !auxprop_values[0].values) && (!auxprop_values[1].name || !auxprop_values[1].values))) { /* We didn't find this username */ sparams->utils->seterror(sparams->utils->conn,0, "no secret in database"); result = sparams->transition ? SASL_TRANS : SASL_NOUSER; goto cleanup; } if (auxprop_values[0].name && auxprop_values[0].values) { char * error_text = NULL; char * s_iteration_count; char * end; text->salt = (char *) scram_server_user_salt(sparams->utils, text->md, text->authentication_id, &text->salt_len); sparams->utils->getopt(sparams->utils->getopt_context, /* Different SCRAM hashes can have different strengh */ scram_sasl_mech, "scram_iteration_counter", (const char **) &s_iteration_count, NULL); if (s_iteration_count != NULL) { errno = 0; text->iteration_count = strtoul(s_iteration_count, &end, 10); if (s_iteration_count == end || *end != '\0' || errno != 0) { sparams->utils->log(NULL, SASL_LOG_DEBUG, "Invalid iteration-count in scram_iteration_count SASL option: not a number. Using the default instead."); s_iteration_count = NULL; } } if (s_iteration_count == NULL) { text->iteration_count = DEFAULT_ITERATION_COUNTER; } result = GenerateScramSecrets (sparams->utils, text->md, auxprop_values[0].values[0], strlen(auxprop_values[0].values[0]), text->salt, text->salt_len, text->iteration_count, text->StoredKey, text->ServerKey, &error_text); if (result != SASL_OK) { if (error_text != NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "%s", error_text); } goto cleanup; } } else if (auxprop_values[1].name && auxprop_values[1].values) { char s_iteration_count[ITERATION_COUNTER_BUF_LEN+1]; size_t base64_salt_len; unsigned int exact_key_len; const char * scram_hash; const char * p_field; char * end; int i; size_t scram_sasl_mech_len = strlen(scram_sasl_mech); result = SASL_SCRAM_INTERNAL; for (i = 0; auxprop_values[1].values[i] != NULL; i++) { scram_hash = auxprop_values[1].values[i]; /* Skip the leading spaces */ while (*scram_hash == ' ') { scram_hash++; } if (strncmp(scram_hash, scram_sasl_mech, scram_sasl_mech_len) != 0) { continue; } scram_hash += scram_sasl_mech_len; /* Skip spaces */ while (*scram_hash == ' ') { scram_hash++; } if (*scram_hash != '$') { /* syntax error, ignore the value */ continue; } scram_hash++; /* Skip spaces */ while (*scram_hash == ' ') { scram_hash++; } p_field = strchr(scram_hash, ':'); if (p_field == NULL || p_field == scram_hash) { /* syntax error, ignore the value */ continue; } if ((p_field - scram_hash) > ITERATION_COUNTER_BUF_LEN) { /* The iteration counter is too big for us */ sparams->utils->seterror(sparams->utils->conn, 0, "Invalid iteration-count in %s input: the value is too big", scram_sasl_mech); continue; } memcpy(s_iteration_count, scram_hash, p_field - scram_hash); s_iteration_count[p_field - scram_hash] = '\0'; errno = 0; text->iteration_count = strtoul(s_iteration_count, &end, 10); if (s_iteration_count == end || *end != '\0' || errno != 0) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid iteration-count in %s input: not a number", scram_sasl_mech); continue; } scram_hash = p_field + 1; p_field = scram_hash + strcspn(scram_hash, "$ "); if (p_field == scram_hash || *p_field == '\0') { /* syntax error, ignore the value */ continue; } base64_salt_len = p_field - scram_hash; text->salt = (char *) sparams->utils->malloc(base64_salt_len); if (sparams->utils->decode64(scram_hash, (unsigned int)base64_salt_len, text->salt, (unsigned int)base64_salt_len, (unsigned int *) &text->salt_len) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid base64 encoding of the salt in %s stored value", scram_sasl_mech); continue; } scram_hash = p_field; /* Skip spaces */ while (*scram_hash == ' ') { scram_hash++; } if (*scram_hash != '$') { /* syntax error, ignore the value */ sparams->utils->free(text->salt); text->salt = NULL; continue; } scram_hash++; /* Skip spaces */ while (*scram_hash == ' ') { scram_hash++; } p_field = strchr(scram_hash, ':'); if (p_field == NULL || p_field == scram_hash) { /* syntax error, ignore the value */ sparams->utils->free(text->salt); text->salt = NULL; continue; } if (sparams->utils->decode64(scram_hash, (unsigned int)(p_field - scram_hash), text->StoredKey, hash_size + 1, &exact_key_len) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid base64 encoding of StoredKey in %s per-user storage", scram_sasl_mech); sparams->utils->free(text->salt); text->salt = NULL; continue; } if (exact_key_len != hash_size) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid StoredKey in %s per-user storage", scram_sasl_mech); sparams->utils->free(text->salt); text->salt = NULL; continue; } scram_hash = p_field + 1; p_field = strchr(scram_hash, ' '); if (p_field == NULL) { p_field = scram_hash + strlen(scram_hash); } if (sparams->utils->decode64(scram_hash, (unsigned int)(p_field - scram_hash), text->ServerKey, hash_size + 1, &exact_key_len) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid base64 encoding of ServerKey in %s per-user storage", scram_sasl_mech); sparams->utils->free(text->salt); text->salt = NULL; continue; } if (exact_key_len != hash_size) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid ServerKey in %s per-user storage", scram_sasl_mech); sparams->utils->free(text->salt); text->salt = NULL; continue; } result = SASL_OK; break; } if (result != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "No valid %s secret found", scram_sasl_mech); goto cleanup; } } else { sparams->utils->seterror(sparams->utils->conn, 0, "Have neither type of secret"); return SASL_FAIL; } /* erase the plaintext password */ sparams->utils->prop_erase(sparams->propctx, password_request[0]); /* base 64 encode it so it has valid chars */ base64len = (text->salt_len / 3 * 4) + ((text->salt_len % 3) ? 4 : 0); base64_salt = (char *) sparams->utils->malloc(base64len + 1); if (base64_salt == NULL) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } /* * Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ if (sparams->utils->encode64(text->salt, (unsigned int)text->salt_len, base64_salt, (unsigned int)base64len + 1, NULL) != SASL_OK) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } base64_salt[base64len] = '\0'; /* Now we generate server challenge */ estimated_challenge_len = client_nonce_len + NONCE_SIZE + base64len + ITERATION_COUNTER_BUF_LEN + strlen("r=,s=,i="); result = _plug_buf_alloc(sparams->utils, &(text->out_buf), &(text->out_buf_len), (unsigned) estimated_challenge_len + 1); if (result != SASL_OK) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } sprintf(text->out_buf, "r=%s,s=%s,i=%u", text->nonce, base64_salt, text->iteration_count); /* Save the (client response, ",", server challenge, ","). Note, we skip the GS2 prefix here */ pure_scram_length = clientinlen - text->gs2_header_length; text->auth_message_len = pure_scram_length + 1 + estimated_challenge_len + 1; text->auth_message = sparams->utils->malloc (text->auth_message_len + 1); if (text->auth_message == NULL) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } memcpy(text->auth_message, clientin + text->gs2_header_length, pure_scram_length); text->auth_message[pure_scram_length] = ','; strcpy (text->auth_message + pure_scram_length + 1, text->out_buf); strcat (text->auth_message + pure_scram_length + 1, ","); /* Now remember the exact length, not the estimated one */ text->auth_message_len = strlen(text->auth_message); *serverout = text->out_buf; *serveroutlen = (unsigned) strlen(text->out_buf); result = SASL_CONTINUE; text->state = 2; cleanup: if (inbuf != NULL) { sparams->utils->free(inbuf); } if (base64_salt != NULL) { sparams->utils->free(base64_salt); } return result; } static int scram_server_mech_step2(server_context_t *text, sasl_server_params_t *sparams, const char *clientin, unsigned clientinlen, const char **serverout, unsigned *serveroutlen, sasl_out_params_t *oparams) { char *channel_binding = NULL; size_t channel_binding_len = 0; char *binary_channel_binding = NULL; unsigned binary_channel_binding_len = 0; char *client_proof = NULL; char *inbuf = NULL; char *p; int result = SASL_FAIL; size_t proof_offset; char * full_auth_message; char ReceivedClientKey[EVP_MAX_MD_SIZE]; char DecodedClientProof[EVP_MAX_MD_SIZE + 1]; char CalculatedStoredKey[EVP_MAX_MD_SIZE]; char ClientSignature[EVP_MAX_MD_SIZE]; char ServerSignature[EVP_MAX_MD_SIZE]; char * nonce; size_t client_proof_len; size_t server_proof_len; unsigned exact_client_proof_len; unsigned int hash_len = 0; size_t k, hash_size = EVP_MD_size(text->md); const char *scram_sasl_mech = scram_sasl_mech_name(hash_size); if (clientinlen == 0) { sparams->utils->seterror(sparams->utils->conn, 0, "%s input expected", scram_sasl_mech); return SASL_BADPROT; } if (clientinlen < 3 || clientin[1] != '=') { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid %s input", scram_sasl_mech); return SASL_BADPROT; } inbuf = sparams->utils->malloc (clientinlen + 1); if (inbuf == NULL) { MEMERROR( sparams->utils ); return SASL_NOMEM; } memcpy(inbuf, clientin, clientinlen); inbuf[clientinlen] = 0; if (strlen(inbuf) != clientinlen) { sparams->utils->seterror(sparams->utils->conn, 0, "NULs found in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } /* Expecting: channel-binding "," nonce ["," extensions] "," proof */ p = inbuf; if (strncmp(p, "c=", 2) != 0) { sparams->utils->seterror(sparams->utils->conn, 0, "Channel binding expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } channel_binding = p + 2; p = strchr (channel_binding, ','); if (p == NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "At least nonce is expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } *p = '\0'; p++; channel_binding_len = strlen(channel_binding); /* We can calculate the exact length, but the decoded (binary) data is always shorter than its base64 version. */ binary_channel_binding = (char *) sparams->utils->malloc(channel_binding_len + 1); if (sparams->utils->decode64(channel_binding, (unsigned int)channel_binding_len, binary_channel_binding, (unsigned int)channel_binding_len, &binary_channel_binding_len) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid base64 encoding of the channel bindings in %s", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (binary_channel_binding_len < text->gs2_header_length || strncmp(binary_channel_binding, text->gs2_header, text->gs2_header_length) != 0) { sparams->utils->seterror (sparams->utils->conn, 0, "Channel bindings prefix doesn't match the one received in the GS2 header of %s. Expected \"%s\"", scram_sasl_mech, text->gs2_header); result = SASL_BADPROT; goto cleanup; } switch (text->cb_flags & SCRAM_CB_FLAG_MASK) { case SCRAM_CB_FLAG_P: binary_channel_binding_len -= (unsigned)text->gs2_header_length; if (binary_channel_binding_len == 0) { sparams->utils->seterror(sparams->utils->conn, 0, "Channel bindings data expected in %s", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (sparams->cbinding == NULL) { sparams->utils->seterror (sparams->utils->conn, 0, "Server does not support channel binding type received in %s. Received: %s", scram_sasl_mech, text->cbindingname); result = SASL_BADPROT; goto cleanup; } if (strcmp(sparams->cbinding->name, text->cbindingname) != 0) { sparams->utils->seterror (sparams->utils->conn, 0, "Unsupported channel bindings type received in %s. Expected: %s, received: %s", scram_sasl_mech, sparams->cbinding->name, text->cbindingname); result = SASL_BADPROT; goto cleanup; } if (binary_channel_binding_len != sparams->cbinding->len) { sparams->utils->seterror (sparams->utils->conn, 0, "Unsupported channel bindings length received in %s. Expected length: %lu, received: %d", scram_sasl_mech, sparams->cbinding->len, binary_channel_binding_len); result = SASL_BADPROT; goto cleanup; } if (memcmp(binary_channel_binding + text->gs2_header_length, sparams->cbinding->data, binary_channel_binding_len) != 0) { sparams->utils->seterror(sparams->utils->conn, 0, "Channel bindings mismatch in %s", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } break; } if (strncmp(p, "r=", 2) != 0) { sparams->utils->seterror(sparams->utils->conn, 0, "Nonce expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } nonce = p + 2; p = strchr (nonce, ','); if (p == NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "At least proof is expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } *p = '\0'; p++; if (strcmp(nonce, text->nonce) != 0) { sparams->utils->seterror(sparams->utils->conn, 0, "Nonce mismatch %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } while (p[0] != '\0') { if (strncmp(p, "p=", 2) == 0) { client_proof = p + 2; proof_offset = p - inbuf - 1; break; } p = strchr (p, ','); if (p == NULL) { break; } p++; } if (client_proof == NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "Client proof is expected in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } /* Check that no extension data exists after the proof */ p = strchr (client_proof, ','); if (p != NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "No extension data is allowed after the client proof in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (strlen(client_proof) != (hash_size / 3 * 4 + (hash_size % 3 ? 4 : 0))) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid client proof length in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } /* Construct the full AuthMessage */ full_auth_message = sparams->utils->realloc(text->auth_message, text->auth_message_len + proof_offset + 1); if (full_auth_message == NULL) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } text->auth_message = full_auth_message; memcpy(text->auth_message + text->auth_message_len, clientin, proof_offset); text->auth_message_len += proof_offset; text->auth_message[text->auth_message_len] = '\0'; /* ClientSignature := HMAC(StoredKey, AuthMessage) */ if (HMAC(text->md, (const unsigned char *) text->StoredKey, hash_size, (const unsigned char *)text->auth_message, (int)text->auth_message_len, (unsigned char *)ClientSignature, &hash_len) == NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "HMAC-%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } client_proof_len = strlen(client_proof); if (sparams->utils->decode64(client_proof, (unsigned int)client_proof_len, DecodedClientProof, hash_size + 1, &exact_client_proof_len) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid base64 encoding of the client proof in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (exact_client_proof_len != hash_size) { sparams->utils->seterror(sparams->utils->conn, 0, "Invalid client proof (truncated) in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } for (k = 0; k < hash_size; k++) { ReceivedClientKey[k] = DecodedClientProof[k] ^ ClientSignature[k]; } /* StoredKey := H(ClientKey) */ if (EVP_Digest((const unsigned char *) ReceivedClientKey, hash_size, (unsigned char *) CalculatedStoredKey, NULL, text->md, NULL) == 0) { sparams->utils->seterror(sparams->utils->conn,0, "%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } for (k = 0; k < hash_size; k++) { if (CalculatedStoredKey[k] != text->StoredKey[k]) { SETERROR(sparams->utils, "StoredKey mismatch"); result = SASL_BADAUTH; goto cleanup; } } /* ServerSignature := HMAC(ServerKey, AuthMessage) */ if (HMAC(text->md, (const unsigned char *) text->ServerKey, hash_size, (unsigned char *) text->auth_message, (int)text->auth_message_len, (unsigned char *)ServerSignature, &hash_len) == NULL) { sparams->utils->seterror(sparams->utils->conn,0, "HMAC-%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } server_proof_len = (hash_size / 3 * 4 + (hash_size % 3 ? 4 : 0)); result = _plug_buf_alloc(sparams->utils, &(text->out_buf), &(text->out_buf_len), (unsigned) server_proof_len + strlen("v=") + 1); if (result != SASL_OK) { MEMERROR( sparams->utils ); result = SASL_NOMEM; goto cleanup; } text->out_buf[0] = 'v'; text->out_buf[1] = '='; if (sparams->utils->encode64(ServerSignature, hash_size, text->out_buf+2, (unsigned int)server_proof_len + 1, NULL) != SASL_OK) { SETERROR(sparams->utils, "Internal error"); /* This is not quite right, but better than alternatives */ result = SASL_NOMEM; goto cleanup; } text->out_buf[server_proof_len + 2] = '\0'; *serverout = text->out_buf; *serveroutlen = (unsigned) strlen(text->out_buf); /* set oparams */ switch (text->cb_flags & SCRAM_CB_FLAG_MASK) { case SCRAM_CB_FLAG_N: oparams->cbindingdisp = SASL_CB_DISP_NONE; break; case SCRAM_CB_FLAG_P: oparams->cbindingdisp = SASL_CB_DISP_USED; oparams->cbindingname = text->cbindingname; break; case SCRAM_CB_FLAG_Y: oparams->cbindingdisp = SASL_CB_DISP_WANT; break; } oparams->doneflag = 1; oparams->mech_ssf = 0; oparams->maxoutbuf = 0; oparams->encode_context = NULL; oparams->encode = NULL; oparams->decode_context = NULL; oparams->decode = NULL; oparams->param_version = 0; result = SASL_OK; cleanup: if (inbuf != NULL) { sparams->utils->free(inbuf); } if (binary_channel_binding != NULL) { sparams->utils->free(binary_channel_binding); } return result; } static int scram_server_mech_step(void *conn_context, sasl_server_params_t *sparams, const char *clientin, unsigned clientinlen, const char **serverout, unsigned *serveroutlen, sasl_out_params_t *oparams) { server_context_t *text = (server_context_t *) conn_context; const char *scram_sasl_mech = NULL; *serverout = NULL; *serveroutlen = 0; if (text == NULL) { return SASL_BADPROT; } scram_sasl_mech = scram_sasl_mech_name(EVP_MD_size(text->md)); /* this should be well more than is ever needed */ if (clientinlen > MAX_CLIENTIN_LEN) { sparams->utils->seterror(sparams->utils->conn, 0, "%s input longer than " STRINGIZE((MAX_CLIENTIN_LEN)) " bytes", scram_sasl_mech); return SASL_BADPROT; } switch (text->state) { case 0: text->state++; /* Assume the protocol doesn't support initial client response */ if (clientinlen == 0) { return SASL_CONTINUE; } /* fall through */ case 1: return scram_server_mech_step1(text, sparams, clientin, clientinlen, serverout, serveroutlen, oparams); case 2: text->state++; return scram_server_mech_step2(text, sparams, clientin, clientinlen, serverout, serveroutlen, oparams); default: /* should never get here */ sparams->utils->log(NULL, SASL_LOG_ERR, "Invalid %s server step %d\n", scram_sasl_mech, text->state); return SASL_FAIL; } return SASL_FAIL; /* should never get here */ } static int scram_setpass(void *glob_context, sasl_server_params_t *sparams, const char *userstr, const char *pass, unsigned passlen, const char *oldpass __attribute__((unused)), unsigned oldpasslen __attribute__((unused)), unsigned flags) { int r; char *user = NULL; char *user_only = NULL; char *realm = NULL; sasl_secret_t *sec = NULL; struct propctx *propctx = NULL; const char *store_request[] = { "authPassword", NULL }; const char *generate_scram_secret; const EVP_MD *md = EVP_get_digestbyname((const char *) glob_context); size_t hash_size = EVP_MD_size(md); const char *scram_sasl_mech = scram_sasl_mech_name(hash_size); /* Do we have a backend that can store properties? */ if (!sparams->utils->auxprop_store || sparams->utils->auxprop_store(NULL, NULL, NULL) != SASL_OK) { sparams->utils->seterror(sparams->utils->conn, 0, "%s: auxprop backend can't store properties", scram_sasl_mech); return SASL_NOMECH; } sparams->utils->getopt(sparams->utils->getopt_context, /* This affects all SCRAM plugins, not just SCRAM-SHA-1 */ "SCRAM", "scram_secret_generate", &generate_scram_secret, NULL); /* NOTE: The default (when this option is not set) is NOT to generate authPassword secret */ if (!(generate_scram_secret && (generate_scram_secret[0] == '1' || generate_scram_secret[0] == 'y' || (generate_scram_secret[0] == 'o' && generate_scram_secret[1] == 'n') || generate_scram_secret[0] == 't'))) { /* Pretend that everything is Ok, no need to generate noise in the logs */ return SASL_OK; } r = _plug_parseuser(sparams->utils, &user_only, &realm, sparams->user_realm, sparams->serverFQDN, userstr); if (r) { sparams->utils->seterror(sparams->utils->conn, 0, "%s: Error parsing user", scram_sasl_mech); return r; } r = _plug_make_fulluser(sparams->utils, &user, user_only, realm); if (r) { goto cleanup; } if ((flags & SASL_SET_DISABLE) || pass == NULL) { sec = NULL; } else { char * error_text = NULL; char salt[SALT_SIZE + 1]; char base64_salt[BASE64_LEN(SALT_SIZE) + 1]; /* size_t salt_len = SALT_SIZE; */ char StoredKey[EVP_MAX_MD_SIZE + 1]; char ServerKey[EVP_MAX_MD_SIZE + 1]; char base64_StoredKey[BASE64_LEN(EVP_MAX_MD_SIZE) + 1]; char base64_ServerKey[BASE64_LEN(EVP_MAX_MD_SIZE) + 1]; size_t secret_len; unsigned int iteration_count = DEFAULT_ITERATION_COUNTER; char * s_iteration_count; char * end; sparams->utils->getopt(sparams->utils->getopt_context, /* Different SCRAM hashes can have different strengh */ scram_sasl_mech, "scram_iteration_counter", (const char **) &s_iteration_count, NULL); if (s_iteration_count != NULL) { errno = 0; iteration_count = strtoul(s_iteration_count, &end, 10); if (s_iteration_count == end || *end != '\0' || errno != 0) { sparams->utils->log(NULL, SASL_LOG_DEBUG, "Invalid iteration-count in scram_iteration_count SASL option: not a number. Using the default instead."); s_iteration_count = NULL; } } if (s_iteration_count == NULL) { iteration_count = DEFAULT_ITERATION_COUNTER; } sparams->utils->rand(sparams->utils->rpool, salt, SALT_SIZE); r = GenerateScramSecrets (sparams->utils, md, pass, passlen, salt, SALT_SIZE, iteration_count, StoredKey, ServerKey, &error_text); if (r != SASL_OK) { if (error_text != NULL) { sparams->utils->seterror(sparams->utils->conn, 0, "%s", error_text); } goto cleanup; } /* Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ if (sparams->utils->encode64(salt, SALT_SIZE, base64_salt, BASE64_LEN(SALT_SIZE) + 1, NULL) != SASL_OK) { MEMERROR( sparams->utils ); r = SASL_NOMEM; goto cleanup; } base64_salt[BASE64_LEN(SALT_SIZE)] = '\0'; /* Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ if (sparams->utils->encode64(StoredKey, hash_size, base64_StoredKey, BASE64_LEN(hash_size) + 1, NULL) != SASL_OK) { MEMERROR( sparams->utils ); r = SASL_NOMEM; goto cleanup; } base64_StoredKey[BASE64_LEN(hash_size)] = '\0'; /* Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ if (sparams->utils->encode64(ServerKey, hash_size, base64_ServerKey, BASE64_LEN(hash_size) + 1, NULL) != SASL_OK) { MEMERROR( sparams->utils ); r = SASL_NOMEM; goto cleanup; } base64_ServerKey[BASE64_LEN(hash_size)] = '\0'; secret_len = strlen(scram_sasl_mech) + strlen("$:$:") + ITERATION_COUNTER_BUF_LEN + sizeof(base64_salt) + sizeof(base64_StoredKey) + sizeof(base64_ServerKey); sec = sparams->utils->malloc(sizeof(sasl_secret_t) + secret_len); if (sec == NULL) { MEMERROR( sparams->utils ); r = SASL_NOMEM; goto cleanup; } sprintf((char *) sec->data, "%s$%u:%s$%s:%s", scram_sasl_mech, iteration_count, base64_salt, base64_StoredKey, base64_ServerKey); sec->len = (unsigned int) strlen((const char *) sec->data); } /* do the store */ propctx = sparams->utils->prop_new(0); if (!propctx) { r = SASL_FAIL; } if (!r) { r = sparams->utils->prop_request(propctx, store_request); } if (!r) { r = sparams->utils->prop_set(propctx, "authPassword", (const char *) (sec ? sec->data : NULL), (sec ? sec->len : 0)); } if (!r) { r = sparams->utils->auxprop_store(sparams->utils->conn, propctx, user); } if (propctx) { sparams->utils->prop_dispose(&propctx); } if (r) { sparams->utils->seterror(sparams->utils->conn, 0, "Error putting %s secret", scram_sasl_mech); goto cleanup; } sparams->utils->log(NULL, SASL_LOG_DEBUG, "Setpass for %s successful\n", scram_sasl_mech); cleanup: if (user) _plug_free_string(sparams->utils, &user); if (user_only) _plug_free_string(sparams->utils, &user_only); if (realm) _plug_free_string(sparams->utils, &realm); if (sec) _plug_free_secret(sparams->utils, &sec); return r; } static void scram_server_mech_dispose(void *conn_context, const sasl_utils_t *utils) { server_context_t *text = (server_context_t *) conn_context; if (!text) return; if (text->authentication_id) _plug_free_string(utils,&(text->authentication_id)); if (text->authorization_id) _plug_free_string(utils,&(text->authorization_id)); if (text->out_buf) _plug_free_string(utils,&(text->out_buf)); if (text->auth_message) _plug_free_string(utils,&(text->auth_message)); if (text->nonce) _plug_free_string(utils,&(text->nonce)); if (text->salt) utils->free(text->salt); if (text->cbindingname != NULL) { utils->free(text->cbindingname); text->cbindingname = NULL; } if (text->gs2_header != NULL) { utils->free(text->gs2_header); text->gs2_header = NULL; } utils->free(text); } static sasl_server_plug_t scram_server_plugins[] = { #ifdef HAVE_SHA512 { "SCRAM-SHA-512", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(512) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE | SASL_SEC_NOANONYMOUS | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ "SHA512", /* glob_context */ &scram_server_mech_new, /* mech_new */ &scram_server_mech_step, /* mech_step */ &scram_server_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ &scram_setpass, /* setpass */ NULL, /* user_query */ NULL, /* idle */ NULL, /* mech avail */ NULL /* spare */ }, { "SCRAM-SHA-384", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(384) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE | SASL_SEC_NOANONYMOUS | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ "SHA384", /* glob_context */ &scram_server_mech_new, /* mech_new */ &scram_server_mech_step, /* mech_step */ &scram_server_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ &scram_setpass, /* setpass */ NULL, /* user_query */ NULL, /* idle */ NULL, /* mech avail */ NULL /* spare */ }, { "SCRAM-SHA-256", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(256) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE | SASL_SEC_NOANONYMOUS | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ "SHA256", /* glob_context */ &scram_server_mech_new, /* mech_new */ &scram_server_mech_step, /* mech_step */ &scram_server_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ &scram_setpass, /* setpass */ NULL, /* user_query */ NULL, /* idle */ NULL, /* mech avail */ NULL /* spare */ }, { "SCRAM-SHA-224", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(224) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE | SASL_SEC_NOANONYMOUS | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ "SHA224", /* glob_context */ &scram_server_mech_new, /* mech_new */ &scram_server_mech_step, /* mech_step */ &scram_server_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ &scram_setpass, /* setpass */ NULL, /* user_query */ NULL, /* idle */ NULL, /* mech avail */ NULL /* spare */ }, #endif { "SCRAM-SHA-1", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(160) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOACTIVE | SASL_SEC_NOANONYMOUS | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ "SHA1", /* glob_context */ &scram_server_mech_new, /* mech_new */ &scram_server_mech_step, /* mech_step */ &scram_server_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ &scram_setpass, /* setpass */ NULL, /* user_query */ NULL, /* idle */ NULL, /* mech avail */ NULL /* spare */ } }; int scram_server_plug_init(const sasl_utils_t *utils, int maxversion, int *out_version, sasl_server_plug_t **pluglist, int *plugcount) { if (maxversion < SASL_SERVER_PLUG_VERSION) { SETERROR( utils, "SCRAM-SHA-* version mismatch"); return SASL_BADVERS; } *out_version = SASL_SERVER_PLUG_VERSION; *pluglist = scram_server_plugins; #ifdef HAVE_SHA512 *plugcount = 5; #else *plugcount = 1; #endif utils->rand(utils->rpool, (char *)g_salt_key, SALT_SIZE); return SASL_OK; } /***************************** Client Section *****************************/ typedef struct client_context { int state; const EVP_MD *md; /* underlying MDA */ sasl_secret_t *password; /* user password */ unsigned int free_password; /* set if we need to free the password */ char * gs2_header; size_t gs2_header_length; char * out_buf; unsigned out_buf_len; char * auth_message; size_t auth_message_len; char * nonce; /* in binary form */ char * salt; size_t salt_len; unsigned int iteration_count; char SaltedPassword[EVP_MAX_MD_SIZE]; int cb_flags; } client_context_t; static int scram_client_mech_new(void *glob_context, sasl_client_params_t *params, void **conn_context) { client_context_t *text; /* holds state are in */ text = params->utils->malloc(sizeof(client_context_t)); if (text == NULL) { MEMERROR(params->utils); return SASL_NOMEM; } memset(text, 0, sizeof(client_context_t)); text->md = EVP_get_digestbyname((const char *) glob_context); *conn_context = text; return SASL_OK; } static int scram_client_mech_step1(client_context_t *text, sasl_client_params_t *params, const char *serverin __attribute__((unused)), unsigned serverinlen __attribute__((unused)), sasl_interact_t **prompt_need, const char **clientout, unsigned *clientoutlen, sasl_out_params_t *oparams) { const char *authid = NULL; const char *userid = NULL; int user_result = SASL_OK; int auth_result = SASL_OK; int pass_result = SASL_OK; int result; size_t maxsize; char * encoded_authcid; char * freeme = NULL; char * freeme2 = NULL; char channel_binding_state = 'n'; const char * channel_binding_name = NULL; char * encoded_authorization_id = NULL; const char *scram_sasl_mech = scram_sasl_mech_name(EVP_MD_size(text->md)); /* check if sec layer strong enough */ if (params->props.min_ssf > params->external_ssf) { params->utils->seterror(params->utils->conn, 0, "SSF requested of %s plugin", scram_sasl_mech); return SASL_TOOWEAK; } /* try to get the userid */ if (oparams->authid == NULL) { auth_result=_plug_get_authid(params->utils, &authid, prompt_need); if ((auth_result != SASL_OK) && (auth_result != SASL_INTERACT)) return auth_result; } /* try to get the userid */ if (oparams->user == NULL) { user_result = _plug_get_userid(params->utils, &userid, prompt_need); if ((user_result != SASL_OK) && (user_result != SASL_INTERACT)) { return user_result; } } /* try to get the password */ if (text->password == NULL) { pass_result = _plug_get_password(params->utils, &text->password, &text->free_password, prompt_need); if ((pass_result != SASL_OK) && (pass_result != SASL_INTERACT)) { return pass_result; } } /* free prompts we got */ if (prompt_need && *prompt_need) { params->utils->free(*prompt_need); *prompt_need = NULL; } /* if there are prompts not filled in */ if ((auth_result == SASL_INTERACT) || (user_result == SASL_INTERACT) || (pass_result == SASL_INTERACT)) { /* make the prompt list */ result = _plug_make_prompts(params->utils, prompt_need, user_result == SASL_INTERACT ? "Please enter your authorization name" : NULL, NULL, auth_result == SASL_INTERACT ? "Please enter your authentication name" : NULL, NULL, pass_result == SASL_INTERACT ? "Please enter your password" : NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); if (result != SASL_OK) { goto cleanup; } return SASL_INTERACT; } if (!text->password) { PARAMERROR(params->utils); return SASL_BADPARAM; } if (oparams->authid == NULL) { if (!userid || !*userid) { result = params->canon_user(params->utils->conn, authid, 0, SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams); } else { result = params->canon_user(params->utils->conn, authid, 0, SASL_CU_AUTHID, oparams); if (result != SASL_OK) { goto cleanup; } result = params->canon_user(params->utils->conn, userid, 0, SASL_CU_AUTHZID, oparams); } if (result != SASL_OK) { goto cleanup; } } switch (params->cbindingdisp) { case SASL_CB_DISP_NONE: text->cb_flags = SCRAM_CB_FLAG_N; channel_binding_state = 'n'; break; case SASL_CB_DISP_USED: if (!SASL_CB_PRESENT(params)) { result = SASL_BADPARAM; goto cleanup; } channel_binding_name = params->cbinding->name; text->cb_flags = SCRAM_CB_FLAG_P; channel_binding_state = 'p'; break; case SASL_CB_DISP_WANT: text->cb_flags = SCRAM_CB_FLAG_Y; channel_binding_state = 'y'; break; } text->nonce = params->utils->malloc (NONCE_SIZE + 1); if (text->nonce == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } if (create_nonce(params->utils, text->nonce, NONCE_SIZE + 1) == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } if (userid != NULL && *userid != '\0') { result = encode_saslname (oparams->user, (const char **) &encoded_authorization_id, &freeme2); if (result != SASL_OK) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } } result = encode_saslname (oparams->authid, (const char **) &encoded_authcid, &freeme); if (result != SASL_OK) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } maxsize = strlen("p=,a=,n=,r=") + ((channel_binding_name != NULL) ? strlen(channel_binding_name) : 0) + ((encoded_authorization_id != NULL) ? strlen(encoded_authorization_id) : 0) + strlen(encoded_authcid) + strlen(text->nonce); result = _plug_buf_alloc(params->utils, &(text->out_buf), &(text->out_buf_len), (unsigned) maxsize + 1); if (result != SASL_OK) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } snprintf(text->out_buf, maxsize + 1, "%c%s%s,%s%s,", channel_binding_state, (channel_binding_name != NULL) ? "=" : "", (channel_binding_name != NULL) ? channel_binding_name : "", (encoded_authorization_id != NULL) ? "a=" : "", (encoded_authorization_id != NULL) ? encoded_authorization_id : ""); text->gs2_header_length = strlen(text->out_buf); _plug_strdup(params->utils, text->out_buf, &text->gs2_header, NULL); sprintf(text->out_buf + text->gs2_header_length, "n=%s,r=%s", encoded_authcid, text->nonce); /* Save the copy of the client-first-message */ /* Need to skip the GS2 prefix here */ _plug_strdup(params->utils, text->out_buf + text->gs2_header_length, &text->auth_message, NULL); if (text->auth_message == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } text->auth_message_len = strlen(text->auth_message); *clientout = text->out_buf; *clientoutlen = (unsigned) strlen(*clientout); result = SASL_CONTINUE; cleanup: if (freeme != NULL) _plug_free_string(params->utils, &freeme); if (freeme2 != NULL) _plug_free_string(params->utils, &freeme2); return result; } static int scram_client_mech_step2(client_context_t *text, sasl_client_params_t *params, const char *serverin, unsigned serverinlen, sasl_interact_t **prompt_need __attribute__((unused)), const char **clientout, unsigned *clientoutlen, sasl_out_params_t *oparams __attribute__((unused))) { char * p; char * nonce; size_t server_nonce_len; char * base64_salt = NULL; size_t base64_salt_len; unsigned exact_salt_len; char * counter; char * end; char * inbuf = NULL; size_t estimated_response_len; size_t length_no_proof; char * full_auth_message; size_t cb_bin_length; size_t channel_binding_data_len = 0; size_t cb_encoded_length; const char * channel_binding_data = NULL; char * cb_encoded = NULL; char * cb_bin = NULL; int result; char ClientKey[EVP_MAX_MD_SIZE]; char StoredKey[EVP_MAX_MD_SIZE]; char ClientSignature[EVP_MAX_MD_SIZE]; char ClientProof[EVP_MAX_MD_SIZE]; char * client_proof = NULL; size_t client_proof_len; unsigned int hash_len = 0; size_t k, hash_size = EVP_MD_size(text->md); const char *scram_sasl_mech = scram_sasl_mech_name(hash_size); if (serverinlen == 0) { params->utils->seterror(params->utils->conn, 0, "%s input expected", scram_sasl_mech); return SASL_BADPROT; } /* [reserved-mext ","] nonce "," salt "," iteration-count ["," extensions] */ if (serverinlen < 3 || serverin[1] != '=') { params->utils->seterror(params->utils->conn, 0, "Invalid %s input", scram_sasl_mech); return SASL_BADPROT; } if (serverin[0] == 'm') { params->utils->seterror(params->utils->conn, 0, "Unsupported mandatory extension to %s", scram_sasl_mech); return SASL_BADPROT; } if (serverin[0] != 'r') { params->utils->seterror(params->utils->conn, 0, "Nonce (r=) expected in %s input", scram_sasl_mech); return SASL_BADPROT; } inbuf = params->utils->malloc (serverinlen + 1); if (inbuf == NULL) { MEMERROR( params->utils ); return SASL_NOMEM; } memcpy(inbuf, serverin, serverinlen); inbuf[serverinlen] = 0; if (strlen(inbuf) != serverinlen) { params->utils->seterror(params->utils->conn, 0, "NULs found in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } nonce = inbuf + 2; p = strchr (nonce, ','); /* MUST be followed by a salt */ if (p == NULL) { params->utils->seterror(params->utils->conn, 0, "Salt expected after the nonce in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } *p = '\0'; p++; if (strncmp(p, "s=", 2) != 0) { params->utils->seterror(params->utils->conn, 0, "Salt expected after the nonce in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } p += 2; base64_salt = p; p = strchr (base64_salt, ','); /* MUST be followed by an iteration-count */ if (p == NULL) { params->utils->seterror(params->utils->conn, 0, "iteration-count expected after the salt in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } *p = '\0'; p++; if (strncmp(p, "i=", 2) != 0) { params->utils->seterror(params->utils->conn, 0, "iteration-count expected after the salt in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } p += 2; counter = p; p = strchr (counter, ','); if (p == NULL) { p = counter + strlen(counter); } else { *p = '\0'; } errno = 0; text->iteration_count = strtoul(counter, &end, 10); if (counter == end || *end != '\0' || errno != 0) { params->utils->seterror(params->utils->conn, 0, "Invalid iteration-count in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (text->iteration_count < MIN_ITERATION_COUNTER) { } if (text->iteration_count > MAX_ITERATION_COUNTER) { SETERROR(params->utils, "iteration-count is too big, refusing to compute"); result = SASL_BADPROT; goto cleanup; } /* The client MUST verify that the initial part of the nonce used in subsequent messages is the same as the nonce it initially specified. */ server_nonce_len = strlen(nonce); if (server_nonce_len <= NONCE_SIZE || strncmp(nonce, text->nonce, NONCE_SIZE) != 0) { SETERROR(params->utils, "The nonce received from the server doesn't start from the nonce sent by the client"); result = SASL_BADPROT; goto cleanup; } /* Now we can forget about our nonce */ params->utils->free(text->nonce); _plug_strdup(params->utils, nonce, &text->nonce, NULL); if (text->nonce == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } /* base64 decode salt */ base64_salt_len = strlen(base64_salt); if (base64_salt_len == 0) { SETERROR(params->utils, "The salt can't be empty"); result = SASL_BADPROT; goto cleanup; } if (base64_salt_len % 4 != 0) { SETERROR(params->utils, "Invalid base64 encoding of the salt"); result = SASL_BADPROT; goto cleanup; } text->salt_len = base64_salt_len / 4 * 3; text->salt = (char *) params->utils->malloc(text->salt_len + 1); if (text->salt == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } if (params->utils->decode64(base64_salt, (unsigned int)base64_salt_len, text->salt, (unsigned int)text->salt_len + 1, &exact_salt_len) != SASL_OK) { params->utils->seterror(params->utils->conn, 0, "Invalid base64 encoding of the salt in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } text->salt_len = exact_salt_len; /* Now we generate client response */ if (text->gs2_header[0] == 'p') { if (params->cbinding == NULL) { result = SASL_FAIL; goto cleanup; } channel_binding_data = (const char *) params->cbinding->data; channel_binding_data_len = params->cbinding->len; } cb_bin_length = text->gs2_header_length + ((channel_binding_data != NULL) ? channel_binding_data_len : 0); cb_encoded_length = (cb_bin_length / 3 * 4) + ((cb_bin_length % 3) ? 4 : 0); if (channel_binding_data != NULL) { cb_bin = (char *) params->utils->malloc(cb_bin_length + 1); if (cb_bin == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } memcpy(cb_bin, text->gs2_header, text->gs2_header_length); memcpy(cb_bin + text->gs2_header_length, channel_binding_data, channel_binding_data_len); } cb_encoded = (char *) params->utils->malloc(cb_encoded_length + 1); if (cb_encoded == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } /* * Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ if (params->utils->encode64((cb_bin != NULL) ? cb_bin : text->gs2_header, (unsigned int)cb_bin_length, cb_encoded, (unsigned int)cb_encoded_length + 1, NULL) != SASL_OK) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } cb_encoded[cb_encoded_length] = '\0'; client_proof_len = hash_size / 3 * 4 + ((hash_size % 3) ? 4 : 0); estimated_response_len = strlen(cb_encoded)+ strlen(text->nonce)+ client_proof_len + strlen("c=,r=,p="); result = _plug_buf_alloc(params->utils, &(text->out_buf), &(text->out_buf_len), (unsigned) estimated_response_len + 1); if (result != SASL_OK) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } /* channel-binding "," nonce ["," extensions] */ sprintf(text->out_buf, "c=%s,r=%s", cb_encoded, text->nonce); length_no_proof = strlen(text->out_buf); /* Build AuthMessage */ full_auth_message = params->utils->realloc(text->auth_message, text->auth_message_len + 1 + serverinlen + 1 + length_no_proof + 1); if (full_auth_message == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } text->auth_message = full_auth_message; text->auth_message[text->auth_message_len] = ','; memcpy(text->auth_message + text->auth_message_len + 1, serverin, serverinlen); text->auth_message[text->auth_message_len + 1 + serverinlen] = ','; memcpy(text->auth_message + text->auth_message_len + 1 + serverinlen + 1, text->out_buf, length_no_proof); text->auth_message_len += serverinlen + 2 + length_no_proof; text->auth_message[text->auth_message_len] = '\0'; /* Calculate ClientProof */ /* SaltedPassword := Hi(password, salt) */ Hi (params->utils, text->md, (const char *) text->password->data, text->password->len, text->salt, text->salt_len, text->iteration_count, text->SaltedPassword); PRINT_HASH ("SaltedPassword", text->SaltedPassword, hash_size); /* ClientKey := HMAC(SaltedPassword, "Client Key") */ if (HMAC(text->md, (const unsigned char *) text->SaltedPassword, hash_size, (const unsigned char *) CLIENT_KEY_CONSTANT, CLIENT_KEY_CONSTANT_LEN, (unsigned char *)ClientKey, &hash_len) == NULL) { params->utils->seterror(params->utils->conn,0, "HMAC-%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } PRINT_HASH ("ClientKey", ClientKey, hash_size); /* StoredKey := H(ClientKey) */ if (EVP_Digest((const unsigned char *) ClientKey, hash_size, (unsigned char *) StoredKey, NULL, text->md, NULL) == 0) { params->utils->seterror(params->utils->conn,0, "%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } PRINT_HASH ("StoredKey", StoredKey, hash_size); /* ClientSignature := HMAC(StoredKey, AuthMessage) */ if (HMAC(text->md, (const unsigned char *)StoredKey, hash_size, (const unsigned char *) text->auth_message, (int)text->auth_message_len, (unsigned char *)ClientSignature, &hash_len) == NULL) { params->utils->seterror(params->utils->conn,0, "HMAC-%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } PRINT_HASH ("ClientSignature", ClientSignature, hash_size); /* ClientProof := ClientKey XOR ClientSignature */ for (k = 0; k < hash_size; k++) { ClientProof[k] = ClientKey[k] ^ ClientSignature[k]; } PRINT_HASH ("ClientProof", ClientProof, hash_size); /* base64-encode ClientProof */ client_proof = (char *) params->utils->malloc(client_proof_len + 1); if (client_proof == NULL) { MEMERROR( params->utils ); result = SASL_NOMEM; goto cleanup; } result = params->utils->encode64(ClientProof, hash_size, client_proof, (unsigned int)client_proof_len + 1, NULL); if (result != SASL_OK) { goto cleanup; } client_proof[client_proof_len] = '\0'; sprintf(text->out_buf + length_no_proof, ",p=%s", client_proof); *clientout = text->out_buf; *clientoutlen = (unsigned) strlen(text->out_buf); result = SASL_CONTINUE; cleanup: if (inbuf != NULL) { params->utils->free(inbuf); } if (client_proof != NULL) { params->utils->free(client_proof); } if (cb_encoded != NULL) { params->utils->free(cb_encoded); } if (cb_bin != NULL) { params->utils->free(cb_bin); } return result; } static int scram_client_mech_step3(client_context_t *text, sasl_client_params_t *params, const char *serverin, unsigned serverinlen, sasl_interact_t **prompt_need __attribute__((unused)), const char **clientout __attribute__((unused)), unsigned *clientoutlen __attribute__((unused)), sasl_out_params_t *oparams) { char * p; int result; size_t server_proof_len; unsigned exact_server_proof_len; char DecodedServerProof[EVP_MAX_MD_SIZE + 1]; char ServerKey[EVP_MAX_MD_SIZE]; char ServerSignature[EVP_MAX_MD_SIZE]; unsigned int hash_len = 0; size_t k, hash_size = EVP_MD_size(text->md); const char *scram_sasl_mech = scram_sasl_mech_name(hash_size); if (serverinlen < 3) { params->utils->seterror(params->utils->conn, 0, "Invalid %s input expected", scram_sasl_mech); return SASL_BADPROT; } /* Expecting: 'verifier ["," extensions]' */ if (strncmp(serverin, "v=", 2) != 0) { params->utils->seterror(params->utils->conn, 0, "ServerSignature expected in %s input", scram_sasl_mech); return SASL_BADPROT; } /* Use memchr instead of the original strchr as there is no guarantee that the input data is NUL terminated */ p = memchr (serverin + 2, ',', serverinlen - 2); if (p != NULL) { server_proof_len = p - (serverin + 2) - 1; } else { server_proof_len = serverinlen - 2; } if (params->utils->decode64(serverin + 2, /* ServerProof */ (unsigned int)server_proof_len, DecodedServerProof, hash_size + 1, &exact_server_proof_len) != SASL_OK) { params->utils->seterror(params->utils->conn, 0, "Invalid base64 encoding of the server proof in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } if (exact_server_proof_len != hash_size) { params->utils->seterror(params->utils->conn, 0, "Invalid server proof (truncated) in %s input", scram_sasl_mech); result = SASL_BADPROT; goto cleanup; } /* ServerKey := HMAC(SaltedPassword, "Server Key") */ if (HMAC(text->md, (const unsigned char *)text->SaltedPassword, hash_size, (const unsigned char *) SERVER_KEY_CONSTANT, SERVER_KEY_CONSTANT_LEN, (unsigned char *)ServerKey, &hash_len) == NULL) { params->utils->seterror(params->utils->conn,0, "HMAC-%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } /* ServerSignature := HMAC(ServerKey, AuthMessage) */ if (HMAC(text->md, (const unsigned char *)ServerKey, hash_size, (const unsigned char *) text->auth_message, (int)text->auth_message_len, (unsigned char *)ServerSignature, &hash_len) == NULL) { params->utils->seterror(params->utils->conn,0, "HMAC-%s call failed", scram_sasl_mech+6); result = SASL_SCRAM_INTERNAL; goto cleanup; } for (k = 0; k < hash_size; k++) { if (DecodedServerProof[k] != ServerSignature[k]) { SETERROR(params->utils, "ServerSignature mismatch"); result = SASL_BADAUTH; goto cleanup; } } /* set oparams */ oparams->doneflag = 1; oparams->mech_ssf = 0; oparams->maxoutbuf = 0; oparams->encode_context = NULL; oparams->encode = NULL; oparams->decode_context = NULL; oparams->decode = NULL; oparams->param_version = 0; result = SASL_OK; cleanup: return result; } static int scram_client_mech_step(void *conn_context, sasl_client_params_t *params, const char *serverin, unsigned serverinlen, sasl_interact_t **prompt_need, const char **clientout, unsigned *clientoutlen, sasl_out_params_t *oparams) { int result = SASL_FAIL; client_context_t *text = (client_context_t *) conn_context; const char *scram_sasl_mech = scram_sasl_mech_name(EVP_MD_size(text->md)); *clientout = NULL; *clientoutlen = 0; /* this should be well more than is ever needed */ if (serverinlen > MAX_SERVERIN_LEN) { params->utils->seterror(params->utils->conn, 0, "%s input longer than " STRINGIZE((MAX_SERVERIN_LEN)) " bytes", scram_sasl_mech); return SASL_BADPROT; } switch (text->state) { case 0: result = scram_client_mech_step1(text, params, serverin, serverinlen, prompt_need, clientout, clientoutlen, oparams); break; case 1: result = scram_client_mech_step2(text, params, serverin, serverinlen, prompt_need, clientout, clientoutlen, oparams); break; case 2: result = scram_client_mech_step3(text, params, serverin, serverinlen, prompt_need, clientout, clientoutlen, oparams); break; default: /* should never get here */ params->utils->log(NULL, SASL_LOG_ERR, "Invalid %s client step %d\n", scram_sasl_mech, text->state); return SASL_FAIL; } if (result != SASL_INTERACT) { text->state++; } return result; } static void scram_client_mech_dispose(void *conn_context, const sasl_utils_t *utils) { client_context_t *text = (client_context_t *) conn_context; if (!text) return; /* get rid of all sensitive info */ if (text->free_password) { _plug_free_secret(utils, &text->password); text->free_password = 0; } if (text->gs2_header) { utils->free(text->gs2_header); text->gs2_header = NULL; } if (text->out_buf) { utils->free(text->out_buf); text->out_buf = NULL; } if (text->auth_message) _plug_free_string(utils,&(text->auth_message)); if (text->nonce) _plug_free_string(utils,&(text->nonce)); if (text->salt) utils->free(text->salt); utils->free(text); } static sasl_client_plug_t scram_client_plugins[] = { #ifdef HAVE_SHA512 { "SCRAM-SHA-512", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(512) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS | SASL_SEC_NOACTIVE | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ NULL, /* required_prompts */ "SHA512", /* glob_context */ &scram_client_mech_new, /* mech_new */ &scram_client_mech_step, /* mech_step */ &scram_client_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ NULL, /* idle */ NULL, /* spare */ NULL /* spare */ }, { "SCRAM-SHA-384", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(384) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS | SASL_SEC_NOACTIVE | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ NULL, /* required_prompts */ "SHA384", /* glob_context */ &scram_client_mech_new, /* mech_new */ &scram_client_mech_step, /* mech_step */ &scram_client_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ NULL, /* idle */ NULL, /* spare */ NULL /* spare */ }, { "SCRAM-SHA-256", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(256) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS | SASL_SEC_NOACTIVE | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ NULL, /* required_prompts */ "SHA256", /* glob_context */ &scram_client_mech_new, /* mech_new */ &scram_client_mech_step, /* mech_step */ &scram_client_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ NULL, /* idle */ NULL, /* spare */ NULL /* spare */ }, { "SCRAM-SHA-224", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(224) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS | SASL_SEC_NOACTIVE | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ NULL, /* required_prompts */ "SHA224", /* glob_context */ &scram_client_mech_new, /* mech_new */ &scram_client_mech_step, /* mech_step */ &scram_client_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ NULL, /* idle */ NULL, /* spare */ NULL /* spare */ }, #endif { "SCRAM-SHA-1", /* mech_name */ 0, /* max_ssf */ SASL_SET_HASH_STRENGTH_BITS(160) | SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS | SASL_SEC_NOACTIVE | SASL_SEC_MUTUAL_AUTH, /* security_flags */ SASL_FEAT_ALLOWS_PROXY | SASL_FEAT_SUPPORTS_HTTP | SASL_FEAT_CHANNEL_BINDING, /* features */ NULL, /* required_prompts */ "SHA1", /* glob_context */ &scram_client_mech_new, /* mech_new */ &scram_client_mech_step, /* mech_step */ &scram_client_mech_dispose, /* mech_dispose */ NULL, /* mech_free */ NULL, /* idle */ NULL, /* spare */ NULL /* spare */ } }; int scram_client_plug_init(const sasl_utils_t *utils, int maxversion, int *out_version, sasl_client_plug_t **pluglist, int *plugcount) { if (maxversion < SASL_CLIENT_PLUG_VERSION) { SETERROR( utils, "SCRAM-SHA-* version mismatch"); return SASL_BADVERS; } *out_version = SASL_CLIENT_PLUG_VERSION; *pluglist = scram_client_plugins; #ifdef HAVE_SHA512 *plugcount = 5; #else *plugcount = 1; #endif return SASL_OK; }