static bool
_mongoc_scram_verify_server_signature (mongoc_scram_t *scram,
uint8_t *verification,
uint32_t len)
{
char encoded_server_signature[MONGOC_SCRAM_B64_HASH_SIZE];
int32_t encoded_server_signature_len;
uint8_t server_signature[MONGOC_SCRAM_HASH_SIZE];
if (!*scram->server_key) {
/* ServerKey := HMAC(SaltedPassword, "Server Key") */
mongoc_crypto_hmac_sha1 (&scram->crypto,
scram->salted_password,
MONGOC_SCRAM_HASH_SIZE,
(uint8_t *) MONGOC_SCRAM_SERVER_KEY,
strlen (MONGOC_SCRAM_SERVER_KEY),
scram->server_key);
}
/* ServerSignature := HMAC(ServerKey, AuthMessage) */
mongoc_crypto_hmac_sha1 (&scram->crypto,
scram->server_key,
MONGOC_SCRAM_HASH_SIZE,
scram->auth_message,
scram->auth_messagelen,
server_signature);
encoded_server_signature_len =
bson_b64_ntop (server_signature,
sizeof (server_signature),
encoded_server_signature,
sizeof (encoded_server_signature));
if (encoded_server_signature_len == -1) {
return false;
}
return (len == encoded_server_signature_len) &&
(mongoc_memcmp (verification, encoded_server_signature, len) == 0);
}
/* Parse server-first-message of the form:
* r=client-nonce|server-nonce,s=user-salt,i=iteration-count
*
* Generate client-final-message of the form:
* c=channel-binding(base64),r=client-nonce|server-nonce,p=client-proof
*/
static bool
_mongoc_scram_step2 (mongoc_scram_t *scram,
const uint8_t *inbuf,
uint32_t inbuflen,
uint8_t *outbuf,
uint32_t outbufmax,
uint32_t *outbuflen,
bson_error_t *error)
{
uint8_t *val_r = NULL;
uint32_t val_r_len;
uint8_t *val_s = NULL;
uint32_t val_s_len;
uint8_t *val_i = NULL;
uint32_t val_i_len;
uint8_t **current_val;
uint32_t *current_val_len;
const uint8_t *ptr;
const uint8_t *next_comma;
char *tmp;
char *hashed_password;
uint8_t decoded_salt[MONGOC_SCRAM_B64_HASH_SIZE] = {0};
int32_t decoded_salt_len;
bool rval = true;
int iterations;
BSON_ASSERT (scram);
BSON_ASSERT (outbuf);
BSON_ASSERT (outbufmax);
BSON_ASSERT (outbuflen);
/* all our passwords go through md5 thanks to MONGODB-CR */
tmp = bson_strdup_printf ("%s:mongo:%s", scram->user, scram->pass);
hashed_password = _mongoc_hex_md5 (tmp);
bson_zero_free (tmp, strlen (tmp));
/* we need all of the incoming message for the final client proof */
if (!_mongoc_scram_buf_write ((char *) inbuf,
inbuflen,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
if (!_mongoc_scram_buf_write (",",
-1,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
for (ptr = inbuf; ptr < inbuf + inbuflen;) {
switch (*ptr) {
case 'r':
current_val = &val_r;
current_val_len = &val_r_len;
break;
case 's':
current_val = &val_s;
current_val_len = &val_s_len;
break;
case 'i':
current_val = &val_i;
current_val_len = &val_i_len;
break;
default:
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: unknown key (%c) in sasl step 2",
*ptr);
goto FAIL;
break;
}
ptr++;
if (*ptr != '=') {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: invalid parse state in sasl step 2");
goto FAIL;
}
ptr++;
next_comma =
(const uint8_t *) memchr (ptr, ',', (inbuf + inbuflen) - ptr);
if (next_comma) {
*current_val_len = (uint32_t) (next_comma - ptr);
} else {
*current_val_len = (uint32_t) ((inbuf + inbuflen) - ptr);
}
*current_val = (uint8_t *) bson_malloc (*current_val_len + 1);
memcpy (*current_val, ptr, *current_val_len);
(*current_val)[*current_val_len] = '\0';
if (next_comma) {
ptr = next_comma + 1;
} else {
break;
}
}
if (!val_r) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: no r param in sasl step 2");
goto FAIL;
}
if (!val_s) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: no s param in sasl step 2");
goto FAIL;
}
if (!val_i) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: no i param in sasl step 2");
goto FAIL;
}
/* verify our nonce */
if (val_r_len < scram->encoded_nonce_len ||
mongoc_memcmp (val_r, scram->encoded_nonce, scram->encoded_nonce_len)) {
bson_set_error (
error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: client nonce not repeated in sasl step 2");
}
*outbuflen = 0;
if (!_mongoc_scram_buf_write (
"c=biws,r=", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
if (!_mongoc_scram_buf_write (
(char *) val_r, val_r_len, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
if (!_mongoc_scram_buf_write ((char *) outbuf,
*outbuflen,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
if (!_mongoc_scram_buf_write (",p=", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
decoded_salt_len =
bson_b64_pton ((char *) val_s, decoded_salt, sizeof (decoded_salt));
if (-1 == decoded_salt_len) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: unable to decode salt in sasl step2");
goto FAIL;
}
if (16 != decoded_salt_len) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: invalid salt length of %d in sasl step2",
decoded_salt_len);
goto FAIL;
}
iterations = (int) bson_ascii_strtoll ((char *) val_i, &tmp, 10);
/* tmp holds the location of the failed to parse character. So if it's
* null, we got to the end of the string and didn't have a parse error */
if (*tmp) {
bson_set_error (
error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: unable to parse iterations in sasl step2");
goto FAIL;
}
if (iterations < 0) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: iterations is negative in sasl step2");
goto FAIL;
}
/* Save the presecrets for caching */
scram->hashed_password = bson_strdup (hashed_password);
scram->iterations = iterations;
memcpy (scram->decoded_salt, decoded_salt, sizeof (scram->decoded_salt));
if (scram->cache &&
_mongoc_scram_cache_has_presecrets (scram->cache, scram)) {
_mongoc_scram_cache_apply_secrets (scram->cache, scram);
}
if (!*scram->salted_password) {
_mongoc_scram_salt_password (scram,
hashed_password,
(uint32_t) strlen (hashed_password),
decoded_salt,
decoded_salt_len,
(uint32_t) iterations);
}
_mongoc_scram_generate_client_proof (scram, outbuf, outbufmax, outbuflen);
goto CLEANUP;
BUFFER_AUTH:
bson_set_error (
error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not buffer auth message in sasl step2");
goto FAIL;
BUFFER:
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not buffer sasl step2");
goto FAIL;
FAIL:
rval = false;
CLEANUP:
bson_free (val_r);
bson_free (val_s);
bson_free (val_i);
if (hashed_password) {
bson_zero_free (hashed_password, strlen (hashed_password));
}
return rval;
}
/* Parse server-first-message of the form:
* r=client-nonce|server-nonce,s=user-salt,i=iteration-count
*
* Generate client-final-message of the form:
* c=channel-binding(base64),r=client-nonce|server-nonce,p=client-proof
*/
static bool
_mongoc_scram_step2 (mongoc_scram_t *scram,
const uint8_t *inbuf,
uint32_t inbuflen,
uint8_t *outbuf,
uint32_t outbufmax,
uint32_t *outbuflen,
bson_error_t *error)
{
uint8_t *val_r = NULL;
uint32_t val_r_len;
uint8_t *val_s = NULL;
uint32_t val_s_len;
uint8_t *val_i = NULL;
uint32_t val_i_len;
uint8_t **current_val;
uint32_t *current_val_len;
const uint8_t *ptr;
const uint8_t *next_comma;
char *tmp;
char *hashed_password;
uint8_t decoded_salt[MONGOC_SCRAM_B64_HASH_MAX_SIZE] = {0};
int32_t decoded_salt_len;
/* the decoded salt leaves four trailing bytes to add the int32 0x00000001 */
const int32_t expected_salt_length = _scram_hash_size (scram) - 4;
bool rval = true;
int iterations;
BSON_ASSERT (scram);
BSON_ASSERT (outbuf);
BSON_ASSERT (outbufmax);
BSON_ASSERT (outbuflen);
if (scram->crypto.algorithm == MONGOC_CRYPTO_ALGORITHM_SHA_1) {
/* Auth spec for SCRAM-SHA-1: "The password variable MUST be the mongodb
* hashed variant. The mongo hashed variant is computed as hash = HEX(
* MD5( UTF8( username + ':mongo:' + plain_text_password )))" */
tmp = bson_strdup_printf ("%s:mongo:%s", scram->user, scram->pass);
hashed_password = _mongoc_hex_md5 (tmp);
bson_zero_free (tmp, strlen (tmp));
} else if (scram->crypto.algorithm == MONGOC_CRYPTO_ALGORITHM_SHA_256) {
/* Auth spec for SCRAM-SHA-256: "Passwords MUST be prepared with SASLprep,
* per RFC 5802. Passwords are used directly for key derivation; they
* MUST NOT be digested as they are in SCRAM-SHA-1." */
hashed_password =
_mongoc_sasl_prep (scram->pass, (int) strlen (scram->pass), error);
if (!hashed_password) {
goto FAIL;
}
} else {
BSON_ASSERT (false);
}
/* we need all of the incoming message for the final client proof */
if (!_mongoc_scram_buf_write ((char *) inbuf,
inbuflen,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
if (!_mongoc_scram_buf_write (",",
-1,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
for (ptr = inbuf; ptr < inbuf + inbuflen;) {
switch (*ptr) {
case 'r':
current_val = &val_r;
current_val_len = &val_r_len;
break;
case 's':
current_val = &val_s;
current_val_len = &val_s_len;
break;
case 'i':
current_val = &val_i;
current_val_len = &val_i_len;
break;
default:
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: unknown key (%c) in sasl step 2",
*ptr);
goto FAIL;
}
ptr++;
if (*ptr != '=') {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: invalid parse state in sasl step 2");
goto FAIL;
}
ptr++;
next_comma =
(const uint8_t *) memchr (ptr, ',', (inbuf + inbuflen) - ptr);
if (next_comma) {
*current_val_len = (uint32_t) (next_comma - ptr);
} else {
*current_val_len = (uint32_t) ((inbuf + inbuflen) - ptr);
}
*current_val = (uint8_t *) bson_malloc (*current_val_len + 1);
memcpy (*current_val, ptr, *current_val_len);
(*current_val)[*current_val_len] = '\0';
if (next_comma) {
ptr = next_comma + 1;
} else {
break;
}
}
if (!val_r) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: no r param in sasl step 2");
goto FAIL;
}
if (!val_s) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: no s param in sasl step 2");
goto FAIL;
}
if (!val_i) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: no i param in sasl step 2");
goto FAIL;
}
/* verify our nonce */
if (val_r_len < scram->encoded_nonce_len ||
mongoc_memcmp (val_r, scram->encoded_nonce, scram->encoded_nonce_len)) {
bson_set_error (
error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: client nonce not repeated in sasl step 2");
}
*outbuflen = 0;
if (!_mongoc_scram_buf_write (
"c=biws,r=", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
if (!_mongoc_scram_buf_write (
(char *) val_r, val_r_len, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
if (!_mongoc_scram_buf_write ((char *) outbuf,
*outbuflen,
scram->auth_message,
scram->auth_messagemax,
&scram->auth_messagelen)) {
goto BUFFER_AUTH;
}
if (!_mongoc_scram_buf_write (",p=", -1, outbuf, outbufmax, outbuflen)) {
goto BUFFER;
}
decoded_salt_len =
bson_b64_pton ((char *) val_s, decoded_salt, sizeof (decoded_salt));
if (-1 == decoded_salt_len) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: unable to decode salt in sasl step2");
goto FAIL;
}
if (expected_salt_length != decoded_salt_len) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: invalid salt length of %d in sasl step2",
decoded_salt_len);
goto FAIL;
}
iterations = (int) bson_ascii_strtoll ((char *) val_i, &tmp, 10);
/* tmp holds the location of the failed to parse character. So if it's
* null, we got to the end of the string and didn't have a parse error */
if (*tmp) {
bson_set_error (
error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: unable to parse iterations in sasl step2");
goto FAIL;
}
if (iterations < 0) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: iterations is negative in sasl step2");
goto FAIL;
}
/* drivers MUST enforce a minimum iteration count of 4096 and MUST error if
* the authentication conversation specifies a lower count. This mitigates
* downgrade attacks by a man-in-the-middle attacker. */
if (iterations < 4096) {
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: iterations must be at least 4096");
goto FAIL;
}
/* Save the presecrets for caching */
scram->hashed_password = bson_strdup (hashed_password);
scram->iterations = iterations;
memcpy (scram->decoded_salt, decoded_salt, sizeof (scram->decoded_salt));
if (scram->cache &&
_mongoc_scram_cache_has_presecrets (scram->cache, scram)) {
_mongoc_scram_cache_apply_secrets (scram->cache, scram);
}
if (!*scram->salted_password) {
_mongoc_scram_salt_password (scram,
hashed_password,
(uint32_t) strlen (hashed_password),
decoded_salt,
decoded_salt_len,
(uint32_t) iterations);
}
_mongoc_scram_generate_client_proof (scram, outbuf, outbufmax, outbuflen);
goto CLEANUP;
BUFFER_AUTH:
bson_set_error (
error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not buffer auth message in sasl step2");
goto FAIL;
BUFFER:
bson_set_error (error,
MONGOC_ERROR_SCRAM,
MONGOC_ERROR_SCRAM_PROTOCOL_ERROR,
"SCRAM Failure: could not buffer sasl step2");
goto FAIL;
FAIL:
rval = false;
CLEANUP:
bson_free (val_r);
bson_free (val_s);
bson_free (val_i);
if (hashed_password) {
bson_zero_free (hashed_password, strlen (hashed_password));
}
return rval;
}
