X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=util%2Fsasl%2Fscram.lua;h=530ef5a005614837b2edd440b9df120b8cc203a3;hb=a689938fa45323f67433bcd5554affd3f4b0fc52;hp=7b9123eebd4be2af85fe0f67b4a64590bc3999a1;hpb=0aa56b2958855a0c83dd711d880e404b1a02e2c7;p=prosody.git

diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index 7b9123ee..530ef5a0 100644
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -27,14 +27,15 @@ local byte = string.byte;
 module "scram"
 
 --=========================
---SASL SCRAM-SHA-1 according to draft-ietf-sasl-scram-10
+--SASL SCRAM-SHA-1 according to RFC 5802
 
 --[[
 Supported Authentication Backends
 
-scram-{MECH}:
+scram_{MECH}:
+	-- MECH being a standard hash name (like those at IANA's hash registry) with '-' replaced with '_'
 	function(username, realm)
-		return salted_password, iteration_count, salt, state;
+		return stored_key, server_key, iteration_count, salt, state;
 	end
 ]]
 
@@ -64,9 +65,9 @@ local function binaryXOR( a, b )
 end
 
 -- hash algorithm independent Hi(PBKDF2) implementation
-local function Hi(hmac, str, salt, i)
+function Hi(hmac, str, salt, i)
 	local Ust = hmac(str, salt.."\0\0\0\1");
-	local res = Ust;	
+	local res = Ust;
 	for n=1,i-1 do
 		local Und = hmac(str, Ust)
 		res = binaryXOR(res, Und)
@@ -79,8 +80,8 @@ local function validate_username(username)
 	-- check for forbidden char sequences
 	for eq in username:gmatch("=(.?.?)") do
 		if eq ~= "2D" and eq ~= "3D" then
-			return false 
-		end 
+			return false
+		end
 	end
 	
 	-- replace =2D with , and =3D with =
@@ -92,17 +93,36 @@ local function validate_username(username)
 	return username;
 end
 
+local function hashprep(hashname)
+	return hashname:lower():gsub("-", "_");
+end
+
+function getAuthenticationDatabaseSHA1(password, salt, iteration_count)
+	if type(password) ~= "string" or type(salt) ~= "string" or type(iteration_count) ~= "number" then
+		return false, "inappropriate argument types"
+	end
+	if iteration_count < 4096 then
+		log("warn", "Iteration count < 4096 which is the suggested minimum according to RFC 5802.")
+	end
+	local salted_password = Hi(hmac_sha1, password, salt, iteration_count);
+	local stored_key = sha1(hmac_sha1(salted_password, "Client Key"))
+	local server_key = hmac_sha1(salted_password, "Server Key");
+	return true, stored_key, server_key
+end
+
 local function scram_gen(hash_name, H_f, HMAC_f)
 	local function scram_hash(self, message)
 		if not self.state then self["state"] = {} end
 	
+		if type(message) ~= "string" or #message == 0 then return "failure", "malformed-request" end
 		if not self.state.name then
 			-- we are processing client_first_message
 			local client_first_message = message;
 			
 			-- TODO: fail if authzid is provided, since we don't support them yet
 			self.state["client_first_message"] = client_first_message;
-			self.state["gs2_cbind_flag"], self.state["authzid"], self.state["name"], self.state["clientnonce"] = client_first_message:match("^(%a),(.*),n=(.*),r=([^,]*).*");
+			self.state["gs2_cbind_flag"], self.state["authzid"], self.state["name"], self.state["clientnonce"]
+				= client_first_message:match("^(%a),(.*),n=(.*),r=([^,]*).*");
 
 			-- we don't do any channel binding yet
 			if self.state.gs2_cbind_flag ~= "n" and self.state.gs2_cbind_flag ~= "y" then
@@ -123,7 +143,7 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 			
 			-- retreive credentials
 			if self.profile.plain then
-				local password, state = self.profile.plain(self.state.name, self.realm)
+				local password, state = self.profile.plain(self, self.state.name, self.realm)
 				if state == nil then return "failure", "not-authorized"
 				elseif state == false then return "failure", "account-disabled" end
 				
@@ -132,15 +152,23 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 					log("debug", "Password violates SASLprep.");
 					return "failure", "not-authorized", "Invalid password."
 				end
+
 				self.state.salt = generate_uuid();
 				self.state.iteration_count = default_i;
-				self.state.salted_password = Hi(HMAC_f, password, self.state.salt, default_i);
-			elseif self.profile["scram_"..hash_name] then
-				local salted_password, iteration_count, salt, state = self.profile["scram-"..hash_name](self.state.name, self.realm);
+
+				local succ = false;
+				succ, self.state.stored_key, self.state.server_key = getAuthenticationDatabaseSHA1(password, self.state.salt, default_i, self.state.iteration_count);
+				if not succ then
+					log("error", "Generating authentication database failed. Reason: %s", self.state.stored_key);
+					return "failure", "temporary-auth-failure";
+				end
+			elseif self.profile["scram_"..hashprep(hash_name)] then
+				local stored_key, server_key, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self, self.state.name, self.realm);
 				if state == nil then return "failure", "not-authorized"
 				elseif state == false then return "failure", "account-disabled" end
 				
-				self.state.salted_password = salted_password;
+				self.state.stored_key = stored_key;
+				self.state.server_key = server_key;
 				self.state.iteration_count = iteration_count;
 				self.state.salt = salt
 			end
@@ -149,14 +177,10 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 			self.state["server_first_message"] = server_first_message;
 			return "challenge", server_first_message
 		else
-			if type(message) ~= "string" then return "failure", "malformed-request" end
 			-- we are processing client_final_message
 			local client_final_message = message;
 			
-			-- TODO: more strict parsing of client_final_message
-			self.state["proof"] = client_final_message:match("p=(.+)");
-			self.state["nonce"] = client_final_message:match("r=(.+),p=");
-			self.state["channelbinding"] = client_final_message:match("c=(.+),r=");
+			self.state["channelbinding"], self.state["nonce"], self.state["proof"] = client_final_message:match("^c=(.*),r=(.*),.*p=(.*)");
 	
 			if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
 				return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
@@ -166,16 +190,15 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 				return "failure", "malformed-request", "Wrong nonce in client-final-message.";
 			end
 			
-			local SaltedPassword = self.state.salted_password;
-			local ClientKey = HMAC_f(SaltedPassword, "Client Key")
-			local ServerKey = HMAC_f(SaltedPassword, "Server Key")
-			local StoredKey = H_f(ClientKey)
+			local ServerKey = self.state.server_key;
+			local StoredKey = self.state.stored_key;
+			
 			local AuthMessage = "n=" .. s_match(self.state.client_first_message,"n=(.+)") .. "," .. self.state.server_first_message .. "," .. s_match(client_final_message, "(.+),p=.+")
 			local ClientSignature = HMAC_f(StoredKey, AuthMessage)
-			local ClientProof     = binaryXOR(ClientKey, ClientSignature)
+			local ClientKey = binaryXOR(ClientSignature, base64.decode(self.state.proof))
 			local ServerSignature = HMAC_f(ServerKey, AuthMessage)
 
-			if base64.encode(ClientProof) == self.state.proof then
+			if StoredKey == H_f(ClientKey) then
 				local server_final_message = "v="..base64.encode(ServerSignature);
 				self["username"] = self.state.name;
 				return "success", server_final_message;
@@ -189,10 +212,10 @@ end
 
 function init(registerMechanism)
 	local function registerSCRAMMechanism(hash_name, hash, hmac_hash)
-		registerMechanism("SCRAM-"..hash_name, {"plain", "scram_"..(hash_name:lower())}, scram_gen(hash_name:lower(), hash, hmac_hash));
+		registerMechanism("SCRAM-"..hash_name, {"plain", "scram_"..(hashprep(hash_name))}, scram_gen(hash_name:lower(), hash, hmac_hash));
 	end
 
 	registerSCRAMMechanism("SHA-1", sha1, hmac_sha1);
 end
 
-return _M;
\ No newline at end of file
+return _M;