static bool
_mongoc_scram_generate_client_proof (mongoc_scram_t *scram,
uint8_t *outbuf,
uint32_t outbufmax,
uint32_t *outbuflen)
{
uint8_t stored_key[MONGOC_SCRAM_HASH_MAX_SIZE];
uint8_t client_signature[MONGOC_SCRAM_HASH_MAX_SIZE];
unsigned char client_proof[MONGOC_SCRAM_HASH_MAX_SIZE];
int i;
int r = 0;
if (!*scram->client_key) {
/* ClientKey := HMAC(saltedPassword, "Client Key") */
mongoc_crypto_hmac (&scram->crypto,
scram->salted_password,
_scram_hash_size (scram),
(uint8_t *) MONGOC_SCRAM_CLIENT_KEY,
(int) strlen (MONGOC_SCRAM_CLIENT_KEY),
scram->client_key);
}
/* StoredKey := H(client_key) */
mongoc_crypto_hash (&scram->crypto,
scram->client_key,
(size_t) _scram_hash_size (scram),
stored_key);
/* ClientSignature := HMAC(StoredKey, AuthMessage) */
mongoc_crypto_hmac (&scram->crypto,
stored_key,
_scram_hash_size (scram),
scram->auth_message,
scram->auth_messagelen,
client_signature);
/* ClientProof := ClientKey XOR ClientSignature */
for (i = 0; i < _scram_hash_size (scram); i++) {
client_proof[i] = scram->client_key[i] ^ client_signature[i];
}
r = bson_b64_ntop (client_proof,
_scram_hash_size (scram),
(char *) outbuf + *outbuflen,
outbufmax - *outbuflen);
if (-1 == r) {
return false;
}
*outbuflen += r;
return true;
}
static bool
_mongoc_scram_verify_server_signature (mongoc_scram_t *scram,
uint8_t *verification,
uint32_t len)
{
char encoded_server_signature[MONGOC_SCRAM_B64_HASH_SIZE];
int32_t encoded_server_signature_len;
uint8_t server_signature[MONGOC_SCRAM_HASH_SIZE];
if (!*scram->server_key) {
/* ServerKey := HMAC(SaltedPassword, "Server Key") */
mongoc_crypto_hmac_sha1 (&scram->crypto,
scram->salted_password,
MONGOC_SCRAM_HASH_SIZE,
(uint8_t *) MONGOC_SCRAM_SERVER_KEY,
strlen (MONGOC_SCRAM_SERVER_KEY),
scram->server_key);
}
/* ServerSignature := HMAC(ServerKey, AuthMessage) */
mongoc_crypto_hmac_sha1 (&scram->crypto,
scram->server_key,
MONGOC_SCRAM_HASH_SIZE,
scram->auth_message,
scram->auth_messagelen,
server_signature);
encoded_server_signature_len =
bson_b64_ntop (server_signature,
sizeof (server_signature),
encoded_server_signature,
sizeof (encoded_server_signature));
if (encoded_server_signature_len == -1) {
return false;
}
return (len == encoded_server_signature_len) &&
(mongoc_memcmp (verification, encoded_server_signature, len) == 0);
}
/* generate client-first-message:
* n,a=authzid,n=encoded-username,r=client-nonce
*
* note that a= is optional, so we aren't dealing with that here
*/
static bool
_mongoc_scram_start (mongoc_scram_t *scram,
uint8_t *outbuf,
uint32_t outbufmax,
uint32_t *outbuflen,
bson_error_t *error)
{
uint8_t nonce[24];
const char *ptr;
bool rval = true;
BSON_ASSERT (scram);
BSON_ASSERT (outbuf);
BSON_ASSERT (outbufmax);
BSON_ASSERT (outbuflen);
if (!scram->user) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: username is not set");
goto FAIL;
}
/* auth message is as big as the outbuf just because */
scram->auth_message = (uint8_t *) bson_malloc (outbufmax);
scram->auth_messagemax = outbufmax;
/* the server uses a 24 byte random nonce. so we do as well */
if (1 != _mongoc_rand_bytes (nonce, sizeof (nonce))) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not generate a cryptographically "
"secure nonce in sasl step 1");
goto FAIL;
}
scram->encoded_nonce_len = bson_b64_ntop (nonce,
sizeof (nonce),
scram->encoded_nonce,
sizeof (scram->encoded_nonce));
if (-1 == scram->encoded_nonce_len) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not encode nonce");
goto FAIL;
}
if (!_mongoc_scram_buf_write ("n,,n=", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
for (ptr = scram->user; *ptr; ptr++) {
/* RFC 5802 specifies that ',' and '=' and encoded as '=2C' and '=3D'
* respectively in the user name */
switch (*ptr) {
case ',':
if (!_mongoc_scram_buf_write (
"=2C", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
break;
case '=':
if (!_mongoc_scram_buf_write (
"=3D", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
break;
default:
if (!_mongoc_scram_buf_write (ptr, 1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
break;
}
}
if (!_mongoc_scram_buf_write (",r=", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
if (!_mongoc_scram_buf_write (scram->encoded_nonce,
scram->encoded_nonce_len,
outbuf,
outbufmax,
outbuflen)) {
goto BUFFER;
}
/* we have to keep track of the conversation to create a client proof later
* on. This copies the message we're crafting from the 'n=' portion onwards
* into a buffer we're managing */
if (!_mongoc_scram_buf_write ((char *) outbuf + 3,
*outbuflen - 3,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
if (!_mongoc_scram_buf_write (",",
-1,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
goto CLEANUP;
BUFFER_AUTH:
bson_set_error (
error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not buffer auth message in sasl step1");
goto FAIL;
BUFFER:
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not buffer sasl step1");
goto FAIL;
FAIL:
rval = false;
CLEANUP:
return rval;
}
