util/sasl/scram.lua

   1 -- sasl.lua v0.4
   2 -- Copyright (C) 2008-2010 Tobias Markmann
   3 --
   4 --        All rights reserved.
   5 --
   6 --        Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
   7 --
   8 --                * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
   9 --                * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  10 --                * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
  11 --
  12 --        THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  13
  14 local s_match = string.match;
  15 local type = type
  16 local string = string
  17 local base64 = require "util.encodings".base64;
  18 local hmac_sha1 = require "util.hmac".sha1;
  19 local sha1 = require "util.hashes".sha1;
  20 local generate_uuid = require "util.uuid".generate;
  21 local saslprep = require "util.encodings".stringprep.saslprep;
  22 local log = require "util.logger".init("sasl");
  23 local t_concat = table.concat;
  24 local char = string.char;
  25 local byte = string.byte;
  26
  27 module "scram"
  28
  29 --=========================
  30 --SASL SCRAM-SHA-1 according to draft-ietf-sasl-scram-10
  31
  32 --[[
  33 Supported Authentication Backends
  34
  35 scram-{MECH}:
  36         function(username, realm)
  37                 return salted_password, iteration_count, salt, state;
  38         end
  39 ]]
  40
  41 local default_i = 4096
  42
  43 local function bp( b )
  44         local result = ""
  45         for i=1, b:len() do
  46                 result = result.."\\"..b:byte(i)
  47         end
  48         return result
  49 end
  50
  51 local xor_map = {0;1;2;3;4;5;6;7;8;9;10;11;12;13;14;15;1;0;3;2;5;4;7;6;9;8;11;10;13;12;15;14;2;3;0;1;6;7;4;5;10;11;8;9;14;15;12;13;3;2;1;0;7;6;5;4;11;10;9;8;15;14;13;12;4;5;6;7;0;1;2;3;12;13;14;15;8;9;10;11;5;4;7;6;1;0;3;2;13;12;15;14;9;8;11;10;6;7;4;5;2;3;0;1;14;15;12;13;10;11;8;9;7;6;5;4;3;2;1;0;15;14;13;12;11;10;9;8;8;9;10;11;12;13;14;15;0;1;2;3;4;5;6;7;9;8;11;10;13;12;15;14;1;0;3;2;5;4;7;6;10;11;8;9;14;15;12;13;2;3;0;1;6;7;4;5;11;10;9;8;15;14;13;12;3;2;1;0;7;6;5;4;12;13;14;15;8;9;10;11;4;5;6;7;0;1;2;3;13;12;15;14;9;8;11;10;5;4;7;6;1;0;3;2;14;15;12;13;10;11;8;9;6;7;4;5;2;3;0;1;15;14;13;12;11;10;9;8;7;6;5;4;3;2;1;0;};
  52
  53 local result = {};
  54 local function binaryXOR( a, b )
  55         for i=1, #a do
  56                 local x, y = byte(a, i), byte(b, i);
  57                 local lowx, lowy = x % 16, y % 16;
  58                 local hix, hiy = (x - lowx) / 16, (y - lowy) / 16;
  59                 local lowr, hir = xor_map[lowx * 16 + lowy + 1], xor_map[hix * 16 + hiy + 1];
  60                 local r = hir * 16 + lowr;
  61                 result[i] = char(r)
  62         end
  63         return t_concat(result);
  64 end
  65
  66 -- hash algorithm independent Hi(PBKDF2) implementation
  67 local function Hi(hmac, str, salt, i)
  68         local Ust = hmac(str, salt.."\0\0\0\1");
  69         local res = Ust;
  70         for n=1,i-1 do
  71                 local Und = hmac(str, Ust)
  72                 res = binaryXOR(res, Und)
  73                 Ust = Und
  74         end
  75         return res
  76 end
  77
  78 local function validate_username(username)
  79         -- check for forbidden char sequences
  80         for eq in username:gmatch("=(.?.?)") do
  81                 if eq ~= "2D" and eq ~= "3D" then
  82                         return false
  83                 end
  84         end
  85
  86         -- replace =2D with , and =3D with =
  87         username = username:gsub("=2D", ",");
  88         username = username:gsub("=3D", "=");
  89
  90         -- apply SASLprep
  91         username = saslprep(username);
  92         return username;
  93 end
  94
  95 local function scram_gen(hash_name, H_f, HMAC_f)
  96         local function scram_hash(self, message)
  97                 if not self.state then self["state"] = {} end
  98
  99                 if not self.state.name then
 100                         -- we are processing client_first_message
 101                         local client_first_message = message;
 102
 103                         -- TODO: fail if authzid is provided, since we don't support them yet
 104                         self.state["client_first_message"] = client_first_message;
 105                         self.state["gs2_cbind_flag"], self.state["authzid"], self.state["name"], self.state["clientnonce"] = client_first_message:match("^(%a),(.*),n=(.*),r=([^,]*).*");
 106
 107                         -- we don't do any channel binding yet
 108                         if self.state.gs2_cbind_flag ~= "n" and self.state.gs2_cbind_flag ~= "y" then
 109                                 return "failure", "malformed-request";
 110                         end
 111
 112                         if not self.state.name or not self.state.clientnonce then
 113                                 return "failure", "malformed-request", "Channel binding isn't support at this time.";
 114                         end
 115
 116                         self.state.name = validate_username(self.state.name);
 117                         if not self.state.name then
 118                                 log("debug", "Username violates either SASLprep or contains forbidden character sequences.")
 119                                 return "failure", "malformed-request", "Invalid username.";
 120                         end
 121
 122                         self.state["servernonce"] = generate_uuid();
 123
 124                         -- retreive credentials
 125                         if self.profile.plain then
 126                                 local password, state = self.profile.plain(self.state.name, self.realm)
 127                                 if state == nil then return "failure", "not-authorized"
 128                                 elseif state == false then return "failure", "account-disabled" end
 129
 130                                 password = saslprep(password);
 131                                 if not password then
 132                                         log("debug", "Password violates SASLprep.");
 133                                         return "failure", "not-authorized", "Invalid password."
 134                                 end
 135                                 self.state.salt = generate_uuid();
 136                                 self.state.iteration_count = default_i;
 137                                 self.state.salted_password = Hi(HMAC_f, password, self.state.salt, default_i);
 138                         elseif self.profile["scram_"..hash_name] then
 139                                 local salted_password, iteration_count, salt, state = self.profile["scram-"..hash_name](self.state.name, self.realm);
 140                                 if state == nil then return "failure", "not-authorized"
 141                                 elseif state == false then return "failure", "account-disabled" end
 142
 143                                 self.state.salted_password = salted_password;
 144                                 self.state.iteration_count = iteration_count;
 145                                 self.state.salt = salt
 146                         end
 147
 148                         local server_first_message = "r="..self.state.clientnonce..self.state.servernonce..",s="..base64.encode(self.state.salt)..",i="..self.state.iteration_count;
 149                         self.state["server_first_message"] = server_first_message;
 150                         return "challenge", server_first_message
 151                 else
 152                         if type(message) ~= "string" then return "failure", "malformed-request" end
 153                         -- we are processing client_final_message
 154                         local client_final_message = message;
 155
 156                         -- TODO: more strict parsing of client_final_message
 157                         self.state["proof"] = client_final_message:match("p=(.+)");
 158                         self.state["nonce"] = client_final_message:match("r=(.+),p=");
 159                         self.state["channelbinding"] = client_final_message:match("c=(.+),r=");
 160
 161                         if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
 162                                 return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
 163                         end
 164
 165                         if self.state.nonce ~= self.state.clientnonce..self.state.servernonce then
 166                                 return "failure", "malformed-request", "Wrong nonce in client-final-message.";
 167                         end
 168
 169                         local SaltedPassword = self.state.salted_password;
 170                         local ClientKey = HMAC_f(SaltedPassword, "Client Key")
 171                         local ServerKey = HMAC_f(SaltedPassword, "Server Key")
 172                         local StoredKey = H_f(ClientKey)
 173                         local AuthMessage = "n=" .. s_match(self.state.client_first_message,"n=(.+)") .. "," .. self.state.server_first_message .. "," .. s_match(client_final_message, "(.+),p=.+")
 174                         local ClientSignature = HMAC_f(StoredKey, AuthMessage)
 175                         local ClientProof     = binaryXOR(ClientKey, ClientSignature)
 176                         local ServerSignature = HMAC_f(ServerKey, AuthMessage)
 177
 178                         if base64.encode(ClientProof) == self.state.proof then
 179                                 local server_final_message = "v="..base64.encode(ServerSignature);
 180                                 self["username"] = self.state.name;
 181                                 return "success", server_final_message;
 182                         else
 183                                 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated.";
 184                         end
 185                 end
 186         end
 187         return scram_hash;
 188 end
 189
 190 function init(registerMechanism)
 191         local function registerSCRAMMechanism(hash_name, hash, hmac_hash)
 192                 registerMechanism("SCRAM-"..hash_name, {"plain", "scram_"..(hash_name:lower())}, scram_gen(hash_name:lower(), hash, hmac_hash));
 193         end
 194
 195         registerSCRAMMechanism("SHA-1", sha1, hmac_sha1);
 196 end
 197
 198 return _M;