util/sasl/scram.lua

   1 -- sasl.lua v0.4
   2 -- Copyright (C) 2008-2009 Tobias Markmann
   3 --
   4 --    All rights reserved.
   5 --
   6 --    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
   7 --
   8 --        * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
   9 --        * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  10 --        * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
  11 --
  12 --    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  13
  14 local s_match = string.match;
  15 local type = type
  16 local string = string
  17 local base64 = require "util.encodings".base64;
  18 local xor = require "bit".bxor
  19 local hmac_sha1 = require "util.hmac".sha1;
  20 local sha1 = require "util.hashes".sha1;
  21 local generate_uuid = require "util.uuid".generate;
  22 local saslprep = require "util.encodings".stringprep.saslprep;
  23 local log = require "util.logger".init("sasl");
  24
  25 module "plain"
  26
  27 --=========================
  28 --SASL SCRAM-SHA-1 according to draft-ietf-sasl-scram-10
  29 local default_i = 4096
  30
  31 local function bp( b )
  32         local result = ""
  33         for i=1, b:len() do
  34                 result = result.."\\"..b:byte(i)
  35         end
  36         return result
  37 end
  38
  39 local function binaryXOR( a, b )
  40         if a:len() > b:len() then
  41                 b = string.rep("\0", a:len() - b:len())..b
  42         elseif string.len(a) < string.len(b) then
  43                 a = string.rep("\0", b:len() - a:len())..a
  44         end
  45         local result = ""
  46         for i=1, a:len() do
  47                 result = result..string.char(xor(a:byte(i), b:byte(i)))
  48         end
  49         return result
  50 end
  51
  52 -- hash algorithm independent Hi(PBKDF2) implementation
  53 local function Hi(hmac, str, salt, i)
  54         local Ust = hmac(str, salt.."\0\0\0\1");
  55         local res = Ust;
  56         for n=1,i-1 do
  57                 Und = hmac(str, Ust)
  58                 res = binaryXOR(res, Und)
  59                 Ust = Und
  60         end
  61         return res
  62 end
  63
  64 local function validate_username(username)
  65         -- check for forbidden char sequences
  66         for eq in username:gmatch("=(.?.?)") do
  67                 if eq ~= "2D" and eq ~= "3D" then
  68                         return false
  69                 end
  70         end
  71
  72         -- replace =2D with , and =3D with =
  73
  74         -- apply SASLprep
  75         username = saslprep(username);
  76         return username;
  77 end
  78
  79 local function scram_sha_1(self, message)
  80         if not self.state then self["state"] = {} end
  81
  82         if not self.state.name then
  83                 -- we are processing client_first_message
  84                 local client_first_message = message;
  85                 self.state["client_first_message"] = client_first_message;
  86                 self.state["name"] = client_first_message:match("n=(.+),r=")
  87                 self.state["clientnonce"] = client_first_message:match("r=([^,]+)")
  88
  89                 if not self.state.name or not self.state.clientnonce then
  90                         return "failure", "malformed-request";
  91                 end
  92
  93                 self.state.name = validate_username(self.state.name);
  94                 if not self.state.name then
  95                         log("debug", "Username violates either SASLprep or contains forbidden character sequences.")
  96                         return "failure", "malformed-request";
  97                 end
  98
  99                 self.state["servernonce"] = generate_uuid();
 100                 self.state["salt"] = generate_uuid();
 101
 102                 local server_first_message = "r="..self.state.clientnonce..self.state.servernonce..",s="..base64.encode(self.state.salt)..",i="..default_i;
 103                 self.state["server_first_message"] = server_first_message;
 104                 return "challenge", server_first_message
 105         else
 106                 if type(message) ~= "string" then return "failure", "malformed-request" end
 107                 -- we are processing client_final_message
 108                 local client_final_message = message;
 109
 110                 self.state["proof"] = client_final_message:match("p=(.+)");
 111                 self.state["nonce"] = client_final_message:match("r=(.+),p=");
 112                 self.state["channelbinding"] = client_final_message:match("c=(.+),r=");
 113                 if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
 114                         return "failure", "malformed-request";
 115                 end
 116
 117                 local password;
 118                 if self.profile.plain then
 119                         password, state = self.profile.plain(self.state.name, self.realm)
 120                         if state == nil then return "failure", "not-authorized"
 121                         elseif state == false then return "failure", "account-disabled" end
 122                         password = saslprep(password);
 123                         if not password then
 124                                 log("debug", "Password violates SASLprep.");
 125                                 return "failure", "not-authorized"
 126                         end
 127                 end
 128
 129                 local SaltedPassword = Hi(hmac_sha1, password, self.state.salt, default_i)
 130                 local ClientKey = hmac_sha1(SaltedPassword, "Client Key")
 131                 local ServerKey = hmac_sha1(SaltedPassword, "Server Key")
 132                 local StoredKey = sha1(ClientKey)
 133                 local AuthMessage = "n=" .. s_match(self.state.client_first_message,"n=(.+)") .. "," .. self.state.server_first_message .. "," .. s_match(client_final_message, "(.+),p=.+")
 134                 local ClientSignature = hmac_sha1(StoredKey, AuthMessage)
 135                 local ClientProof     = binaryXOR(ClientKey, ClientSignature)
 136                 local ServerSignature = hmac_sha1(ServerKey, AuthMessage)
 137
 138                 if base64.encode(ClientProof) == self.state.proof then
 139                         local server_final_message = "v="..base64.encode(ServerSignature);
 140                         self["username"] = self.state.name;
 141                         return "success", server_final_message;
 142                 else
 143                         return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated.";
 144                 end
 145         end
 146 end
 147
 148 function init(registerMechanism)
 149         registerMechanism("SCRAM-SHA-1", {"plain"}, scram_sha_1);
 150 end
 151
 152 return _M;