/
scram.go
157 lines (125 loc) · 3.41 KB
/
scram.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
// Implementation of SCRAM (RFC 5802)
package scram
import (
"crypto/hmac"
"crypto/rand"
"database/sql"
"encoding/base64"
"errors"
"fmt"
"hash"
"math/big"
"strings"
)
type Scram struct {
db *sql.DB
step int
// gs2Header string
nonce string
proof []byte // sent from client
// used for computing serverSignature
clientFirstBare, serverFirst, clientFinalWithoutProof string
// the cred associated with the requesting client
cred *Credential
// hash function (`H()` in RFC 5802)
hash func() hash.Hash
}
func (s *Scram) Authn() string { return s.cred.Username }
func (s *Scram) Next(clientResponse []byte) (challenge []byte, err error) {
// always increment step
defer func() {
s.step++
}()
switch s.step {
case 0:
err := s.ParseClientFirst(string(clientResponse))
if err != nil {
return nil, err
}
return s.GenServerFirst(), nil
case 1:
err := s.ParseClientFinal(string(clientResponse))
if err != nil {
return nil, err
}
return s.GenServerFinal()
}
return nil, nil
}
func New(db *sql.DB, h func() hash.Hash) *Scram { return &Scram{db: db, hash: h} }
func (s *Scram) ParseClientFirst(m string) error {
attrs := strings.Split(m, ",")
if len(attrs) < 4 {
return errors.New("e=other-error")
}
// attrs[1] is unused as we do not take advantage of authzid
// grab username from db
cred, err := s.lookup(attrs[2][2:])
if err != nil {
return errors.New("e=unknown-user")
}
s.cred = cred
// add arbitrary length nonce with size in [24, 32)
nonceLength, _ := rand.Int(rand.Reader, big.NewInt(32-24))
nonce := make([]byte, nonceLength.Int64()+24)
rand.Read(nonce)
s.nonce = attrs[3][2:] + base64.StdEncoding.EncodeToString(nonce)
s.clientFirstBare = strings.Join(attrs[2:], ",")
return nil
}
func (s *Scram) GenServerFirst() []byte {
s.serverFirst = fmt.Sprintf("r=%s,s=%s,i=%d",
s.nonce,
base64.StdEncoding.EncodeToString(s.cred.Salt),
s.cred.Iteration,
)
return []byte(s.serverFirst)
}
func (s *Scram) ParseClientFinal(m string) error {
attrs := strings.Split(m, ",")
if len(attrs) < 3 {
return errors.New("e=other-error")
}
// attrs[0] is unused since we don't use channel binding
nonce := attrs[1][2:]
if nonce != s.nonce {
return errors.New("e=other-error")
}
s.proof = make([]byte, base64.StdEncoding.DecodedLen(len(attrs[2][2:])))
n, err := base64.StdEncoding.Decode(s.proof, []byte(attrs[2][2:]))
if err != nil {
return errors.New("e=invalid-encoding")
}
s.proof = s.proof[:n]
s.clientFinalWithoutProof = strings.Join(attrs[:2], ",")
return nil
}
func (s *Scram) GenServerFinal() ([]byte, error) {
authMsg := []byte(fmt.Sprintf("%s,%s,%s", s.clientFirstBare, s.serverFirst, s.clientFinalWithoutProof))
mac := hmac.New(s.hash, s.cred.StoredKey)
mac.Write(authMsg)
clientSignature := mac.Sum(nil)
clientKey := bytewiseXOR(clientSignature, s.proof)
hash := s.hash()
hash.Write(clientKey)
storedKey := hash.Sum(nil)
if !hmac.Equal(storedKey, s.cred.StoredKey) {
return nil, errors.New("e=invalid-proof")
}
mac = hmac.New(s.hash, s.cred.ServerKey)
mac.Write(authMsg)
serverSignature := mac.Sum(nil)
verifier := make([]byte, base64.StdEncoding.EncodedLen(len(serverSignature)))
base64.StdEncoding.Encode(verifier, serverSignature)
return append([]byte("v="), verifier...), nil
}
func bytewiseXOR(b1, b2 []byte) []byte {
if len(b1) != len(b2) {
return nil
}
x := make([]byte, len(b1))
for i := range x {
x[i] = b1[i] ^ b2[i]
}
return x
}