util/sasl/scram.lua

   1 -- sasl.lua v0.4
   2 -- Copyright (C) 2008-2009 Tobias Markmann
   3 --
   4 --    All rights reserved.
   5 --
   6 --    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
   7 --
   8 --        * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
   9 --        * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  10 --        * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
  11 --
  12 --    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  13
  14 local s_match = string.match;
  15 local type = type
  16 local string = string
  17 local base64 = require "util.encodings".base64;
  18 local hmac_sha1 = require "util.hmac".sha1;
  19 local sha1 = require "util.hashes".sha1;
  20 local generate_uuid = require "util.uuid".generate;
  21 local saslprep = require "util.encodings".stringprep.saslprep;
  22 local log = require "util.logger".init("sasl");
  23 local t_concat = table.concat;
  24 local char = string.char;
  25 local byte = string.byte;
  26
  27 module "scram"
  28
  29 --=========================
  30 --SASL SCRAM-SHA-1 according to draft-ietf-sasl-scram-10
  31
  32 --[[
  33 Supported Authentication Backends
  34
  35 scram-{MECH}:
  36         function(username, realm)
  37                 return salted_password, iteration_count, salt, state;
  38         end
  39 ]]
  40
  41 local default_i = 4096
  42
  43 local function bp( b )
  44         local result = ""
  45         for i=1, b:len() do
  46                 result = result.."\\"..b:byte(i)
  47         end
  48         return result
  49 end
  50
  51 local xor_map = {0;1;2;3;4;5;6;7;8;9;10;11;12;13;14;15;1;0;3;2;5;4;7;6;9;8;11;10;13;12;15;14;2;3;0;1;6;7;4;5;10;11;8;9;14;15;12;13;3;2;1;0;7;6;5;4;11;10;9;8;15;14;13;12;4;5;6;7;0;1;2;3;12;13;14;15;8;9;10;11;5;4;7;6;1;0;3;2;13;12;15;14;9;8;11;10;6;7;4;5;2;3;0;1;14;15;12;13;10;11;8;9;7;6;5;4;3;2;1;0;15;14;13;12;11;10;9;8;8;9;10;11;12;13;14;15;0;1;2;3;4;5;6;7;9;8;11;10;13;12;15;14;1;0;3;2;5;4;7;6;10;11;8;9;14;15;12;13;2;3;0;1;6;7;4;5;11;10;9;8;15;14;13;12;3;2;1;0;7;6;5;4;12;13;14;15;8;9;10;11;4;5;6;7;0;1;2;3;13;12;15;14;9;8;11;10;5;4;7;6;1;0;3;2;14;15;12;13;10;11;8;9;6;7;4;5;2;3;0;1;15;14;13;12;11;10;9;8;7;6;5;4;3;2;1;0;};
  52
  53 local result = {};
  54 local function binaryXOR( a, b )
  55         for i=1, #a do
  56                 local x, y = byte(a, i), byte(b, i);
  57                 local lowx, lowy = x % 16, y % 16;
  58                 local hix, hiy = (x - lowx) / 16, (y - lowy) / 16;
  59                 local lowr, hir = xor_map[lowx * 16 + lowy + 1], xor_map[hix * 16 + hiy + 1];
  60                 local r = hir * 16 + lowr;
  61                 result[i] = char(r)
  62         end
  63         return t_concat(result);
  64 end
  65
  66 -- hash algorithm independent Hi(PBKDF2) implementation
  67 local function Hi(hmac, str, salt, i)
  68         local Ust = hmac(str, salt.."\0\0\0\1");
  69         local res = Ust;
  70         for n=1,i-1 do
  71                 local Und = hmac(str, Ust)
  72                 res = binaryXOR(res, Und)
  73                 Ust = Und
  74         end
  75         return res
  76 end
  77
  78 local function validate_username(username)
  79         -- check for forbidden char sequences
  80         for eq in username:gmatch("=(.?.?)") do
  81                 if eq ~= "2D" and eq ~= "3D" then
  82                         return false
  83                 end
  84         end
  85
  86         -- replace =2D with , and =3D with =
  87         username = username:gsub("=2D", ",");
  88         username = username:gsub("=3D", "=");
  89
  90         -- apply SASLprep
  91         username = saslprep(username);
  92         return username;
  93 end
  94
  95 local function scram_gen(hash_name, H_f, HMAC_f)
  96         local function scram_hash(self, message)
  97                 if not self.state then self["state"] = {} end
  98
  99                 if not self.state.name then
 100                         -- we are processing client_first_message
 101                         local client_first_message = message;
 102                         self.state["client_first_message"] = client_first_message;
 103                         self.state["name"] = client_first_message:match("n=(.+),r=")
 104                         self.state["clientnonce"] = client_first_message:match("r=([^,]+)")
 105
 106                         if not self.state.name or not self.state.clientnonce then
 107                                 return "failure", "malformed-request";
 108                         end
 109
 110                         self.state.name = validate_username(self.state.name);
 111                         if not self.state.name then
 112                                 log("debug", "Username violates either SASLprep or contains forbidden character sequences.")
 113                                 return "failure", "malformed-request", "Invalid username.";
 114                         end
 115
 116                         self.state["servernonce"] = generate_uuid();
 117
 118                         -- retreive credentials
 119                         if self.profile.plain then
 120                                 password, state = self.profile.plain(self.state.name, self.realm)
 121                                 if state == nil then return "failure", "not-authorized"
 122                                 elseif state == false then return "failure", "account-disabled" end
 123
 124                                 password = saslprep(password);
 125                                 if not password then
 126                                         log("debug", "Password violates SASLprep.");
 127                                         return "failure", "not-authorized", "Invalid password."
 128                                 end
 129                                 self.state.salt = generate_uuid();
 130                                 self.state.iteration_count = default_i;
 131                                 self.state.salted_password = Hi(HMAC_f, password, self.state.salt, default_i);
 132                         elseif self.profile["scram_"..hash_name] then
 133                                 salted_password, iteration_count, salt, state = self.profile["scram-"..hash_name](self.state.name, self.realm);
 134                                 if state == nil then return "failure", "not-authorized"
 135                                 elseif state == false then return "failure", "account-disabled" end
 136
 137                                 self.state.salted_password = salted_password;
 138                                 self.state.iteration_count = iteration_count;
 139                                 self.state.salt = salt
 140                         end
 141
 142                         local server_first_message = "r="..self.state.clientnonce..self.state.servernonce..",s="..base64.encode(self.state.salt)..",i="..self.state.iteration_count;
 143                         self.state["server_first_message"] = server_first_message;
 144                         return "challenge", server_first_message
 145                 else
 146                         if type(message) ~= "string" then return "failure", "malformed-request" end
 147                         -- we are processing client_final_message
 148                         local client_final_message = message;
 149
 150                         self.state["proof"] = client_final_message:match("p=(.+)");
 151                         self.state["nonce"] = client_final_message:match("r=(.+),p=");
 152                         self.state["channelbinding"] = client_final_message:match("c=(.+),r=");
 153                         if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
 154                                 return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
 155                         end
 156
 157                         local SaltedPassword = self.state.salted_password;
 158                         local ClientKey = HMAC_f(SaltedPassword, "Client Key")
 159                         local ServerKey = HMAC_f(SaltedPassword, "Server Key")
 160                         local StoredKey = H_f(ClientKey)
 161                         local AuthMessage = "n=" .. s_match(self.state.client_first_message,"n=(.+)") .. "," .. self.state.server_first_message .. "," .. s_match(client_final_message, "(.+),p=.+")
 162                         local ClientSignature = HMAC_f(StoredKey, AuthMessage)
 163                         local ClientProof     = binaryXOR(ClientKey, ClientSignature)
 164                         local ServerSignature = HMAC_f(ServerKey, AuthMessage)
 165
 166                         if base64.encode(ClientProof) == self.state.proof then
 167                                 local server_final_message = "v="..base64.encode(ServerSignature);
 168                                 self["username"] = self.state.name;
 169                                 return "success", server_final_message;
 170                         else
 171                                 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated.";
 172                         end
 173                 end
 174         end
 175         return scram_hash;
 176 end
 177
 178 function init(registerMechanism)
 179         local function registerSCRAMMechanism(hash_name, hash, hmac_hash)
 180                 registerMechanism("SCRAM-"..hash_name, {"plain", "scram_"..(hash_name:lower())}, scram_gen(hash_name:lower(), hash, hmac_hash));
 181         end
 182
 183         registerSCRAMMechanism("SHA-1", sha1, hmac_sha1);
 184 end
 185
 186 return _M;