forked from gitea/gitea
265 lines
7.5 KiB
Go
265 lines
7.5 KiB
Go
// Copyright (c) 2014 - Gustavo Niemeyer <gustavo@niemeyer.net>
|
|
//
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|
// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
|
|
// ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
// Package scram implements a SCRAM-{SHA-1,etc} client per RFC5802.
|
|
//
|
|
// http://tools.ietf.org/html/rfc5802
|
|
//
|
|
package scram
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"hash"
|
|
"strconv"
|
|
"strings"
|
|
)
|
|
|
|
// Client implements a SCRAM-* client (SCRAM-SHA-1, SCRAM-SHA-256, etc).
|
|
//
|
|
// A Client may be used within a SASL conversation with logic resembling:
|
|
//
|
|
// var in []byte
|
|
// var client = scram.NewClient(sha1.New, user, pass)
|
|
// for client.Step(in) {
|
|
// out := client.Out()
|
|
// // send out to server
|
|
// in := serverOut
|
|
// }
|
|
// if client.Err() != nil {
|
|
// // auth failed
|
|
// }
|
|
//
|
|
type Client struct {
|
|
newHash func() hash.Hash
|
|
|
|
user string
|
|
pass string
|
|
step int
|
|
out bytes.Buffer
|
|
err error
|
|
|
|
clientNonce []byte
|
|
serverNonce []byte
|
|
saltedPass []byte
|
|
authMsg bytes.Buffer
|
|
}
|
|
|
|
// NewClient returns a new SCRAM-* client with the provided hash algorithm.
|
|
//
|
|
// For SCRAM-SHA-256, for example, use:
|
|
//
|
|
// client := scram.NewClient(sha256.New, user, pass)
|
|
//
|
|
func NewClient(newHash func() hash.Hash, user, pass string) *Client {
|
|
c := &Client{
|
|
newHash: newHash,
|
|
user: user,
|
|
pass: pass,
|
|
}
|
|
c.out.Grow(256)
|
|
c.authMsg.Grow(256)
|
|
return c
|
|
}
|
|
|
|
// Out returns the data to be sent to the server in the current step.
|
|
func (c *Client) Out() []byte {
|
|
if c.out.Len() == 0 {
|
|
return nil
|
|
}
|
|
return c.out.Bytes()
|
|
}
|
|
|
|
// Err returns the error that occurred, or nil if there were no errors.
|
|
func (c *Client) Err() error {
|
|
return c.err
|
|
}
|
|
|
|
// SetNonce sets the client nonce to the provided value.
|
|
// If not set, the nonce is generated automatically out of crypto/rand on the first step.
|
|
func (c *Client) SetNonce(nonce []byte) {
|
|
c.clientNonce = nonce
|
|
}
|
|
|
|
var escaper = strings.NewReplacer("=", "=3D", ",", "=2C")
|
|
|
|
// Step processes the incoming data from the server and makes the
|
|
// next round of data for the server available via Client.Out.
|
|
// Step returns false if there are no errors and more data is
|
|
// still expected.
|
|
func (c *Client) Step(in []byte) bool {
|
|
c.out.Reset()
|
|
if c.step > 2 || c.err != nil {
|
|
return false
|
|
}
|
|
c.step++
|
|
switch c.step {
|
|
case 1:
|
|
c.err = c.step1(in)
|
|
case 2:
|
|
c.err = c.step2(in)
|
|
case 3:
|
|
c.err = c.step3(in)
|
|
}
|
|
return c.step > 2 || c.err != nil
|
|
}
|
|
|
|
func (c *Client) step1(in []byte) error {
|
|
if len(c.clientNonce) == 0 {
|
|
const nonceLen = 16
|
|
buf := make([]byte, nonceLen+b64.EncodedLen(nonceLen))
|
|
if _, err := rand.Read(buf[:nonceLen]); err != nil {
|
|
return fmt.Errorf("cannot read random SCRAM-SHA-256 nonce from operating system: %v", err)
|
|
}
|
|
c.clientNonce = buf[nonceLen:]
|
|
b64.Encode(c.clientNonce, buf[:nonceLen])
|
|
}
|
|
c.authMsg.WriteString("n=")
|
|
escaper.WriteString(&c.authMsg, c.user)
|
|
c.authMsg.WriteString(",r=")
|
|
c.authMsg.Write(c.clientNonce)
|
|
|
|
c.out.WriteString("n,,")
|
|
c.out.Write(c.authMsg.Bytes())
|
|
return nil
|
|
}
|
|
|
|
var b64 = base64.StdEncoding
|
|
|
|
func (c *Client) step2(in []byte) error {
|
|
c.authMsg.WriteByte(',')
|
|
c.authMsg.Write(in)
|
|
|
|
fields := bytes.Split(in, []byte(","))
|
|
if len(fields) != 3 {
|
|
return fmt.Errorf("expected 3 fields in first SCRAM-SHA-256 server message, got %d: %q", len(fields), in)
|
|
}
|
|
if !bytes.HasPrefix(fields[0], []byte("r=")) || len(fields[0]) < 2 {
|
|
return fmt.Errorf("server sent an invalid SCRAM-SHA-256 nonce: %q", fields[0])
|
|
}
|
|
if !bytes.HasPrefix(fields[1], []byte("s=")) || len(fields[1]) < 6 {
|
|
return fmt.Errorf("server sent an invalid SCRAM-SHA-256 salt: %q", fields[1])
|
|
}
|
|
if !bytes.HasPrefix(fields[2], []byte("i=")) || len(fields[2]) < 6 {
|
|
return fmt.Errorf("server sent an invalid SCRAM-SHA-256 iteration count: %q", fields[2])
|
|
}
|
|
|
|
c.serverNonce = fields[0][2:]
|
|
if !bytes.HasPrefix(c.serverNonce, c.clientNonce) {
|
|
return fmt.Errorf("server SCRAM-SHA-256 nonce is not prefixed by client nonce: got %q, want %q+\"...\"", c.serverNonce, c.clientNonce)
|
|
}
|
|
|
|
salt := make([]byte, b64.DecodedLen(len(fields[1][2:])))
|
|
n, err := b64.Decode(salt, fields[1][2:])
|
|
if err != nil {
|
|
return fmt.Errorf("cannot decode SCRAM-SHA-256 salt sent by server: %q", fields[1])
|
|
}
|
|
salt = salt[:n]
|
|
iterCount, err := strconv.Atoi(string(fields[2][2:]))
|
|
if err != nil {
|
|
return fmt.Errorf("server sent an invalid SCRAM-SHA-256 iteration count: %q", fields[2])
|
|
}
|
|
c.saltPassword(salt, iterCount)
|
|
|
|
c.authMsg.WriteString(",c=biws,r=")
|
|
c.authMsg.Write(c.serverNonce)
|
|
|
|
c.out.WriteString("c=biws,r=")
|
|
c.out.Write(c.serverNonce)
|
|
c.out.WriteString(",p=")
|
|
c.out.Write(c.clientProof())
|
|
return nil
|
|
}
|
|
|
|
func (c *Client) step3(in []byte) error {
|
|
var isv, ise bool
|
|
var fields = bytes.Split(in, []byte(","))
|
|
if len(fields) == 1 {
|
|
isv = bytes.HasPrefix(fields[0], []byte("v="))
|
|
ise = bytes.HasPrefix(fields[0], []byte("e="))
|
|
}
|
|
if ise {
|
|
return fmt.Errorf("SCRAM-SHA-256 authentication error: %s", fields[0][2:])
|
|
} else if !isv {
|
|
return fmt.Errorf("unsupported SCRAM-SHA-256 final message from server: %q", in)
|
|
}
|
|
if !bytes.Equal(c.serverSignature(), fields[0][2:]) {
|
|
return fmt.Errorf("cannot authenticate SCRAM-SHA-256 server signature: %q", fields[0][2:])
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *Client) saltPassword(salt []byte, iterCount int) {
|
|
mac := hmac.New(c.newHash, []byte(c.pass))
|
|
mac.Write(salt)
|
|
mac.Write([]byte{0, 0, 0, 1})
|
|
ui := mac.Sum(nil)
|
|
hi := make([]byte, len(ui))
|
|
copy(hi, ui)
|
|
for i := 1; i < iterCount; i++ {
|
|
mac.Reset()
|
|
mac.Write(ui)
|
|
mac.Sum(ui[:0])
|
|
for j, b := range ui {
|
|
hi[j] ^= b
|
|
}
|
|
}
|
|
c.saltedPass = hi
|
|
}
|
|
|
|
func (c *Client) clientProof() []byte {
|
|
mac := hmac.New(c.newHash, c.saltedPass)
|
|
mac.Write([]byte("Client Key"))
|
|
clientKey := mac.Sum(nil)
|
|
hash := c.newHash()
|
|
hash.Write(clientKey)
|
|
storedKey := hash.Sum(nil)
|
|
mac = hmac.New(c.newHash, storedKey)
|
|
mac.Write(c.authMsg.Bytes())
|
|
clientProof := mac.Sum(nil)
|
|
for i, b := range clientKey {
|
|
clientProof[i] ^= b
|
|
}
|
|
clientProof64 := make([]byte, b64.EncodedLen(len(clientProof)))
|
|
b64.Encode(clientProof64, clientProof)
|
|
return clientProof64
|
|
}
|
|
|
|
func (c *Client) serverSignature() []byte {
|
|
mac := hmac.New(c.newHash, c.saltedPass)
|
|
mac.Write([]byte("Server Key"))
|
|
serverKey := mac.Sum(nil)
|
|
|
|
mac = hmac.New(c.newHash, serverKey)
|
|
mac.Write(c.authMsg.Bytes())
|
|
serverSignature := mac.Sum(nil)
|
|
|
|
encoded := make([]byte, b64.EncodedLen(len(serverSignature)))
|
|
b64.Encode(encoded, serverSignature)
|
|
return encoded
|
|
}
|