/**
* @brief Perform \p itcnt iterations of HMAC() on the given buffer \p in
* using \p salt, writing the output into \p out which must be
* at least EVP_MAX_MD_SIZE. Actual size is updated in \p *outsize.
* @returns 0 on success, else -1
*/
static int
rd_kafka_sasl_scram_Hi (rd_kafka_transport_t *rktrans,
const rd_chariov_t *in,
const rd_chariov_t *salt,
int itcnt, rd_chariov_t *out) {
const EVP_MD *evp =
rktrans->rktrans_rkb->rkb_rk->rk_conf.sasl.scram_evp;
unsigned int ressize = 0;
unsigned char tempres[EVP_MAX_MD_SIZE];
unsigned char *saltplus;
int i;
/* U1 := HMAC(str, salt + INT(1)) */
saltplus = rd_alloca(salt->size + 4);
memcpy(saltplus, salt->ptr, salt->size);
saltplus[salt->size] = 0;
saltplus[salt->size+1] = 0;
saltplus[salt->size+2] = 0;
saltplus[salt->size+3] = 1;
/* U1 := HMAC(str, salt + INT(1)) */
if (!HMAC(evp,
(const unsigned char *)in->ptr, (int)in->size,
saltplus, salt->size+4,
tempres, &ressize)) {
rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY, "SCRAM",
"HMAC priming failed");
return -1;
}
memcpy(out->ptr, tempres, ressize);
/* Ui-1 := HMAC(str, Ui-2) .. */
for (i = 1 ; i < itcnt ; i++) {
unsigned char tempdest[EVP_MAX_MD_SIZE];
int j;
if (unlikely(!HMAC(evp,
(const unsigned char *)in->ptr, (int)in->size,
tempres, ressize,
tempdest, NULL))) {
rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY, "SCRAM",
"Hi() HMAC #%d/%d failed", i, itcnt);
return -1;
}
/* U1 XOR U2 .. */
for (j = 0 ; j < (int)ressize ; j++) {
out->ptr[j] ^= tempdest[j];
tempres[j] = tempdest[j];
}
}
out->size = ressize;
return 0;
}
/**
* @brief Test creation of partitions
*
*
*/
static void do_test_CreatePartitions (const char *what,
rd_kafka_t *rk, rd_kafka_queue_t *useq,
int op_timeout) {
rd_kafka_queue_t *q = useq ? useq : rd_kafka_queue_new(rk);
#define MY_CRP_TOPICS_CNT 9
char *topics[MY_CRP_TOPICS_CNT];
rd_kafka_NewTopic_t *new_topics[MY_CRP_TOPICS_CNT];
rd_kafka_NewPartitions_t *crp_topics[MY_CRP_TOPICS_CNT];
rd_kafka_AdminOptions_t *options = NULL;
/* Expected topics in metadata */
rd_kafka_metadata_topic_t exp_mdtopics[MY_CRP_TOPICS_CNT] = {{0}};
rd_kafka_metadata_partition_t exp_mdparts[2] = {{0}};
int exp_mdtopic_cnt = 0;
int i;
char errstr[512];
rd_kafka_resp_err_t err;
test_timing_t timing;
int metadata_tmout;
int num_replicas = (int)avail_broker_cnt;
TEST_SAY(_C_MAG "[ %s CreatePartitions with %s, op_timeout %d ]\n",
rd_kafka_name(rk), what, op_timeout);
/* Set up two expected partitions with different replication sets
* so they can be matched by the metadata checker later.
* Even partitions use exp_mdparts[0] while odd partitions
* use exp_mdparts[1]. */
/* Set valid replica assignments (even, and odd (reverse) ) */
exp_mdparts[0].replicas = rd_alloca(sizeof(*exp_mdparts[0].replicas) *
num_replicas);
exp_mdparts[1].replicas = rd_alloca(sizeof(*exp_mdparts[1].replicas) *
num_replicas);
exp_mdparts[0].replica_cnt = num_replicas;
exp_mdparts[1].replica_cnt = num_replicas;
for (i = 0 ; i < num_replicas ; i++) {
exp_mdparts[0].replicas[i] = avail_brokers[i];
exp_mdparts[1].replicas[i] = avail_brokers[num_replicas-i-1];
}
/**
* Construct CreatePartitions array
*/
for (i = 0 ; i < MY_CRP_TOPICS_CNT ; i++) {
char *topic = rd_strdup(test_mk_topic_name(__FUNCTION__, 1));
int initial_part_cnt = 1 + (i * 2);
int new_part_cnt = 1 + (i / 2);
int final_part_cnt = initial_part_cnt + new_part_cnt;
int set_replicas = !(i % 2);
int pi;
topics[i] = topic;
/* Topic to create with initial partition count */
new_topics[i] = rd_kafka_NewTopic_new(topic, initial_part_cnt,
set_replicas ?
-1 : num_replicas,
NULL, 0);
/* .. and later add more partitions to */
crp_topics[i] = rd_kafka_NewPartitions_new(topic,
final_part_cnt,
errstr,
sizeof(errstr));
if (set_replicas) {
exp_mdtopics[exp_mdtopic_cnt].partitions =
rd_alloca(final_part_cnt *
sizeof(*exp_mdtopics[exp_mdtopic_cnt].
partitions));
for (pi = 0 ; pi < final_part_cnt ; pi++) {
const rd_kafka_metadata_partition_t *exp_mdp =
&exp_mdparts[pi & 1];
exp_mdtopics[exp_mdtopic_cnt].
partitions[pi] = *exp_mdp; /* copy */
exp_mdtopics[exp_mdtopic_cnt].
partitions[pi].id = pi;
if (pi < initial_part_cnt) {
/* Set replica assignment
* for initial partitions */
err = rd_kafka_NewTopic_set_replica_assignment(
new_topics[i], pi,
exp_mdp->replicas,
(size_t)exp_mdp->replica_cnt,
errstr, sizeof(errstr));
TEST_ASSERT(!err, "NewTopic_set_replica_assignment: %s",
errstr);
} else {
/* Set replica assignment for new
* partitions */
err = rd_kafka_NewPartitions_set_replica_assignment(
crp_topics[i],
pi - initial_part_cnt,
exp_mdp->replicas,
(size_t)exp_mdp->replica_cnt,
errstr, sizeof(errstr));
TEST_ASSERT(!err, "NewPartitions_set_replica_assignment: %s",
errstr);
}
}
}
TEST_SAY(_C_YEL "Topic %s with %d initial partitions will grow "
"by %d to %d total partitions with%s replicas set\n",
topics[i],
initial_part_cnt, new_part_cnt, final_part_cnt,
set_replicas ? "" : "out");
exp_mdtopics[exp_mdtopic_cnt].topic = topic;
exp_mdtopics[exp_mdtopic_cnt].partition_cnt = final_part_cnt;
exp_mdtopic_cnt++;
}
if (op_timeout != -1) {
options = rd_kafka_AdminOptions_new(
rk, RD_KAFKA_ADMIN_OP_ANY);
err = rd_kafka_AdminOptions_set_operation_timeout(
options, op_timeout, errstr, sizeof(errstr));
TEST_ASSERT(!err, "%s", rd_kafka_err2str(err));
}
/*
* Create topics with initial partition count
*/
TIMING_START(&timing, "CreateTopics");
TEST_SAY("Creating topics with initial partition counts\n");
rd_kafka_CreateTopics(rk, new_topics, MY_CRP_TOPICS_CNT,
options, q);
TIMING_ASSERT_LATER(&timing, 0, 50);
err = test_wait_topic_admin_result(q,
RD_KAFKA_EVENT_CREATETOPICS_RESULT,
NULL, 15000);
TEST_ASSERT(!err, "CreateTopics failed: %s", rd_kafka_err2str(err));
rd_kafka_NewTopic_destroy_array(new_topics, MY_CRP_TOPICS_CNT);
/*
* Create new partitions
*/
TIMING_START(&timing, "CreatePartitions");
TEST_SAY("Creating partitions\n");
rd_kafka_CreatePartitions(rk, crp_topics, MY_CRP_TOPICS_CNT,
options, q);
TIMING_ASSERT_LATER(&timing, 0, 50);
err = test_wait_topic_admin_result(q,
RD_KAFKA_EVENT_CREATEPARTITIONS_RESULT,
NULL, 15000);
TEST_ASSERT(!err, "CreatePartitions failed: %s", rd_kafka_err2str(err));
rd_kafka_NewPartitions_destroy_array(crp_topics, MY_CRP_TOPICS_CNT);
/**
* Verify that the expected topics are deleted and the non-expected
* are not. Allow it some time to propagate.
*/
if (op_timeout > 0)
metadata_tmout = op_timeout + 1000;
else
metadata_tmout = 10 * 1000;
test_wait_metadata_update(rk,
exp_mdtopics,
exp_mdtopic_cnt,
NULL, 0,
metadata_tmout);
for (i = 0 ; i < MY_CRP_TOPICS_CNT ; i++)
rd_free(topics[i]);
if (options)
rd_kafka_AdminOptions_destroy(options);
if (!useq)
rd_kafka_queue_destroy(q);
#undef MY_CRP_TOPICS_CNT
}
static void do_test_CreateTopics (const char *what,
rd_kafka_t *rk, rd_kafka_queue_t *useq,
int op_timeout, rd_bool_t validate_only) {
rd_kafka_queue_t *q = useq ? useq : rd_kafka_queue_new(rk);
#define MY_NEW_TOPICS_CNT 6
char *topics[MY_NEW_TOPICS_CNT];
rd_kafka_NewTopic_t *new_topics[MY_NEW_TOPICS_CNT];
rd_kafka_AdminOptions_t *options = NULL;
rd_kafka_resp_err_t exp_topicerr[MY_NEW_TOPICS_CNT] = {0};
rd_kafka_resp_err_t exp_err = RD_KAFKA_RESP_ERR_NO_ERROR;
/* Expected topics in metadata */
rd_kafka_metadata_topic_t exp_mdtopics[MY_NEW_TOPICS_CNT] = {{0}};
int exp_mdtopic_cnt = 0;
/* Not expected topics in metadata */
rd_kafka_metadata_topic_t exp_not_mdtopics[MY_NEW_TOPICS_CNT] = {{0}};
int exp_not_mdtopic_cnt = 0;
int i;
char errstr[512];
const char *errstr2;
rd_kafka_resp_err_t err;
test_timing_t timing;
rd_kafka_event_t *rkev;
const rd_kafka_CreateTopics_result_t *res;
const rd_kafka_topic_result_t **restopics;
size_t restopic_cnt;
int metadata_tmout ;
int num_replicas = (int)avail_broker_cnt;
int32_t *replicas;
/* Set up replicas */
replicas = rd_alloca(sizeof(*replicas) * num_replicas);
for (i = 0 ; i < num_replicas ; i++)
replicas[i] = avail_brokers[i];
TEST_SAY(_C_MAG "[ %s CreateTopics with %s, "
"op_timeout %d, validate_only %d ]\n",
rd_kafka_name(rk), what, op_timeout, validate_only);
/**
* Construct NewTopic array with different properties for
* different partitions.
*/
for (i = 0 ; i < MY_NEW_TOPICS_CNT ; i++) {
char *topic = rd_strdup(test_mk_topic_name(__FUNCTION__, 1));
int num_parts = i * 7 + 1;
int set_config = (i & 1);
int add_invalid_config = (i == 1);
int set_replicas = !(i % 3);
rd_kafka_resp_err_t this_exp_err = RD_KAFKA_RESP_ERR_NO_ERROR;
topics[i] = topic;
new_topics[i] = rd_kafka_NewTopic_new(topic,
num_parts,
set_replicas ? -1 :
num_replicas,
NULL, 0);
if (set_config) {
/*
* Add various configuration properties
*/
err = rd_kafka_NewTopic_set_config(
new_topics[i], "compression.type", "lz4");
TEST_ASSERT(!err, "%s", rd_kafka_err2str(err));
err = rd_kafka_NewTopic_set_config(
new_topics[i], "delete.retention.ms", "900");
TEST_ASSERT(!err, "%s", rd_kafka_err2str(err));
}
if (add_invalid_config) {
/* Add invalid config property */
err = rd_kafka_NewTopic_set_config(
new_topics[i],
"dummy.doesntexist",
"broker is verifying this");
TEST_ASSERT(!err, "%s", rd_kafka_err2str(err));
this_exp_err = RD_KAFKA_RESP_ERR_INVALID_CONFIG;
}
TEST_SAY("Expected result for topic #%d: %s "
"(set_config=%d, add_invalid_config=%d, "
"set_replicas=%d)\n",
i, rd_kafka_err2name(this_exp_err),
set_config, add_invalid_config, set_replicas);
if (set_replicas) {
int32_t p;
/*
* Set valid replica assignments
*/
for (p = 0 ; p < num_parts ; p++) {
err = rd_kafka_NewTopic_set_replica_assignment(
new_topics[i], p,
replicas, num_replicas,
errstr, sizeof(errstr));
TEST_ASSERT(!err, "%s", errstr);
}
}
if (this_exp_err || validate_only) {
exp_topicerr[i] = this_exp_err;
exp_not_mdtopics[exp_not_mdtopic_cnt++].topic = topic;
} else {
exp_mdtopics[exp_mdtopic_cnt].topic = topic;
exp_mdtopics[exp_mdtopic_cnt].partition_cnt =
num_parts;
exp_mdtopic_cnt++;
}
}
if (op_timeout != -1 || validate_only) {
options = rd_kafka_AdminOptions_new(
rk, RD_KAFKA_ADMIN_OP_CREATETOPICS);
if (op_timeout != -1) {
err = rd_kafka_AdminOptions_set_operation_timeout(
options, op_timeout, errstr, sizeof(errstr));
TEST_ASSERT(!err, "%s", rd_kafka_err2str(err));
}
if (validate_only) {
err = rd_kafka_AdminOptions_set_validate_only(
options, validate_only, errstr, sizeof(errstr));
TEST_ASSERT(!err, "%s", rd_kafka_err2str(err));
}
}
TIMING_START(&timing, "CreateTopics");
TEST_SAY("Call CreateTopics\n");
rd_kafka_CreateTopics(rk, new_topics, MY_NEW_TOPICS_CNT,
options, q);
TIMING_ASSERT_LATER(&timing, 0, 50);
/* Poll result queue for CreateTopics result.
* Print but otherwise ignore other event types
* (typically generic Error events). */
TIMING_START(&timing, "CreateTopics.queue_poll");
do {
rkev = rd_kafka_queue_poll(q, tmout_multip(20*1000));
TEST_SAY("CreateTopics: got %s in %.3fms\n",
rd_kafka_event_name(rkev),
TIMING_DURATION(&timing) / 1000.0f);
if (rd_kafka_event_error(rkev))
TEST_SAY("%s: %s\n",
rd_kafka_event_name(rkev),
rd_kafka_event_error_string(rkev));
} while (rd_kafka_event_type(rkev) !=
RD_KAFKA_EVENT_CREATETOPICS_RESULT);
/* Convert event to proper result */
res = rd_kafka_event_CreateTopics_result(rkev);
TEST_ASSERT(res, "expected CreateTopics_result, not %s",
rd_kafka_event_name(rkev));
/* Expecting error */
err = rd_kafka_event_error(rkev);
errstr2 = rd_kafka_event_error_string(rkev);
TEST_ASSERT(err == exp_err,
"expected CreateTopics to return %s, not %s (%s)",
rd_kafka_err2str(exp_err),
rd_kafka_err2str(err),
err ? errstr2 : "n/a");
TEST_SAY("CreateTopics: returned %s (%s)\n",
rd_kafka_err2str(err), err ? errstr2 : "n/a");
/* Extract topics */
restopics = rd_kafka_CreateTopics_result_topics(res, &restopic_cnt);
/* Scan topics for proper fields and expected failures. */
for (i = 0 ; i < (int)restopic_cnt ; i++) {
const rd_kafka_topic_result_t *terr = restopics[i];
/* Verify that topic order matches our request. */
if (strcmp(rd_kafka_topic_result_name(terr), topics[i]))
TEST_FAIL_LATER("Topic result order mismatch at #%d: "
"expected %s, got %s",
i, topics[i],
rd_kafka_topic_result_name(terr));
TEST_SAY("CreateTopics result: #%d: %s: %s: %s\n",
i,
rd_kafka_topic_result_name(terr),
rd_kafka_err2name(rd_kafka_topic_result_error(terr)),
rd_kafka_topic_result_error_string(terr));
if (rd_kafka_topic_result_error(terr) != exp_topicerr[i])
TEST_FAIL_LATER(
"Expected %s, not %d: %s",
rd_kafka_err2name(exp_topicerr[i]),
rd_kafka_topic_result_error(terr),
rd_kafka_err2name(rd_kafka_topic_result_error(
terr)));
}
/**
* Verify that the expecteded topics are created and the non-expected
* are not. Allow it some time to propagate.
*/
if (validate_only) {
/* No topics should have been created, give it some time
* before checking. */
rd_sleep(2);
metadata_tmout = 5 * 1000;
} else {
if (op_timeout > 0)
metadata_tmout = op_timeout + 1000;
else
metadata_tmout = 10 * 1000;
}
test_wait_metadata_update(rk,
exp_mdtopics,
exp_mdtopic_cnt,
exp_not_mdtopics,
exp_not_mdtopic_cnt,
metadata_tmout);
rd_kafka_event_destroy(rkev);
for (i = 0 ; i < MY_NEW_TOPICS_CNT ; i++) {
rd_kafka_NewTopic_destroy(new_topics[i]);
rd_free(topics[i]);
}
if (options)
rd_kafka_AdminOptions_destroy(options);
if (!useq)
rd_kafka_queue_destroy(q);
#undef MY_NEW_TOPICS_CNT
}
/**
* @brief Build client-final-message
* @returns -1 on error.
*/
static int
rd_kafka_sasl_scram_build_client_final_message (
rd_kafka_transport_t *rktrans,
const rd_chariov_t *salt,
const char *server_nonce,
const rd_chariov_t *server_first_msg,
int itcnt, rd_chariov_t *out) {
struct rd_kafka_sasl_scram_state *state = rktrans->rktrans_sasl.state;
const rd_kafka_conf_t *conf = &rktrans->rktrans_rkb->rkb_rk->rk_conf;
rd_chariov_t SaslPassword =
{ .ptr = conf->sasl.password,
.size = strlen(conf->sasl.password) };
rd_chariov_t SaltedPassword =
{ .ptr = rd_alloca(EVP_MAX_MD_SIZE) };
rd_chariov_t ClientKey =
{ .ptr = rd_alloca(EVP_MAX_MD_SIZE) };
rd_chariov_t ServerKey =
{ .ptr = rd_alloca(EVP_MAX_MD_SIZE) };
rd_chariov_t StoredKey =
{ .ptr = rd_alloca(EVP_MAX_MD_SIZE) };
rd_chariov_t AuthMessage = RD_ZERO_INIT;
rd_chariov_t ClientSignature =
{ .ptr = rd_alloca(EVP_MAX_MD_SIZE) };
rd_chariov_t ServerSignature =
{ .ptr = rd_alloca(EVP_MAX_MD_SIZE) };
const rd_chariov_t ClientKeyVerbatim =
{ .ptr = "Client Key", .size = 10 };
const rd_chariov_t ServerKeyVerbatim =
{ .ptr = "Server Key", .size = 10 };
rd_chariov_t ClientProof =
{ .ptr = rd_alloca(EVP_MAX_MD_SIZE) };
rd_chariov_t client_final_msg_wo_proof;
char *ClientProofB64;
int i;
/* Constructing the ClientProof attribute (p):
*
* p = Base64-encoded ClientProof
* SaltedPassword := Hi(Normalize(password), salt, i)
* ClientKey := HMAC(SaltedPassword, "Client Key")
* StoredKey := H(ClientKey)
* AuthMessage := client-first-message-bare + "," +
* server-first-message + "," +
* client-final-message-without-proof
* ClientSignature := HMAC(StoredKey, AuthMessage)
* ClientProof := ClientKey XOR ClientSignature
* ServerKey := HMAC(SaltedPassword, "Server Key")
* ServerSignature := HMAC(ServerKey, AuthMessage)
*/
/* SaltedPassword := Hi(Normalize(password), salt, i) */
if (rd_kafka_sasl_scram_Hi(
rktrans, &SaslPassword, salt,
itcnt, &SaltedPassword) == -1)
return -1;
/* ClientKey := HMAC(SaltedPassword, "Client Key") */
if (rd_kafka_sasl_scram_HMAC(
rktrans, &SaltedPassword, &ClientKeyVerbatim,
&ClientKey) == -1)
return -1;
/* StoredKey := H(ClientKey) */
if (rd_kafka_sasl_scram_H(rktrans, &ClientKey, &StoredKey) == -1)
return -1;
/* client-final-message-without-proof */
rd_kafka_sasl_scram_build_client_final_message_wo_proof(
state, server_nonce, &client_final_msg_wo_proof);
/* AuthMessage := client-first-message-bare + "," +
* server-first-message + "," +
* client-final-message-without-proof */
AuthMessage.size =
state->first_msg_bare.size + 1 +
server_first_msg->size + 1 +
client_final_msg_wo_proof.size;
AuthMessage.ptr = rd_alloca(AuthMessage.size+1);
rd_snprintf(AuthMessage.ptr, AuthMessage.size+1,
"%.*s,%.*s,%.*s",
(int)state->first_msg_bare.size, state->first_msg_bare.ptr,
(int)server_first_msg->size, server_first_msg->ptr,
(int)client_final_msg_wo_proof.size,
client_final_msg_wo_proof.ptr);
/*
* Calculate ServerSignature for later verification when
* server-final-message is received.
*/
/* ServerKey := HMAC(SaltedPassword, "Server Key") */
if (rd_kafka_sasl_scram_HMAC(
rktrans, &SaltedPassword, &ServerKeyVerbatim,
&ServerKey) == -1) {
rd_free(client_final_msg_wo_proof.ptr);
return -1;
}
/* ServerSignature := HMAC(ServerKey, AuthMessage) */
if (rd_kafka_sasl_scram_HMAC(rktrans, &ServerKey,
&AuthMessage, &ServerSignature) == -1) {
rd_free(client_final_msg_wo_proof.ptr);
return -1;
}
/* Store the Base64 encoded ServerSignature for quick comparison */
state->ServerSignatureB64 = rd_base64_encode(&ServerSignature);
/*
* Continue with client-final-message
*/
/* ClientSignature := HMAC(StoredKey, AuthMessage) */
if (rd_kafka_sasl_scram_HMAC(rktrans, &StoredKey,
&AuthMessage, &ClientSignature) == -1) {
rd_free(client_final_msg_wo_proof.ptr);
return -1;
}
/* ClientProof := ClientKey XOR ClientSignature */
assert(ClientKey.size == ClientSignature.size);
for (i = 0 ; i < (int)ClientKey.size ; i++)
ClientProof.ptr[i] = ClientKey.ptr[i] ^ ClientSignature.ptr[i];
ClientProof.size = ClientKey.size;
/* Base64 encoded ClientProof */
ClientProofB64 = rd_base64_encode(&ClientProof);
/* Construct client-final-message */
out->size = client_final_msg_wo_proof.size +
strlen(",p=") + strlen(ClientProofB64);
out->ptr = rd_malloc(out->size + 1);
rd_snprintf(out->ptr, out->size+1,
"%.*s,p=%s",
(int)client_final_msg_wo_proof.size,
client_final_msg_wo_proof.ptr,
ClientProofB64);
rd_free(ClientProofB64);
rd_free(client_final_msg_wo_proof.ptr);
return 0;
}
/**
* @brief Handle first message from server
*
* Parse server response which looks something like:
* "r=fyko+d2lbbFgONR....,s=QSXCR+Q6sek8bf92,i=4096"
*
* @returns -1 on error.
*/
static int
rd_kafka_sasl_scram_handle_server_first_message (rd_kafka_transport_t *rktrans,
const rd_chariov_t *in,
rd_chariov_t *out,
char *errstr,
size_t errstr_size) {
struct rd_kafka_sasl_scram_state *state = rktrans->rktrans_sasl.state;
char *server_nonce;
rd_chariov_t salt_b64, salt;
char *itcntstr;
const char *endptr;
int itcnt;
char *attr_m;
/* Mandatory future extension check */
if ((attr_m = rd_kafka_sasl_scram_get_attr(
in, 'm', NULL, NULL, 0))) {
rd_snprintf(errstr, errstr_size,
"Unsupported mandatory SCRAM extension");
rd_free(attr_m);
return -1;
}
/* Server nonce */
if (!(server_nonce = rd_kafka_sasl_scram_get_attr(
in, 'r',
"Server nonce in server-first-message",
errstr, errstr_size)))
return -1;
if (strlen(server_nonce) <= state->cnonce.size ||
strncmp(state->cnonce.ptr, server_nonce, state->cnonce.size)) {
rd_snprintf(errstr, errstr_size,
"Server/client nonce mismatch in "
"server-first-message");
rd_free(server_nonce);
return -1;
}
/* Salt (Base64) */
if (!(salt_b64.ptr = rd_kafka_sasl_scram_get_attr(
in, 's',
"Salt in server-first-message",
errstr, errstr_size))) {
rd_free(server_nonce);
return -1;
}
salt_b64.size = strlen(salt_b64.ptr);
/* Convert Salt to binary */
if (rd_base64_decode(&salt_b64, &salt) == -1) {
rd_snprintf(errstr, errstr_size,
"Invalid Base64 Salt in server-first-message");
rd_free(server_nonce);
rd_free(salt_b64.ptr);
}
rd_free(salt_b64.ptr);
/* Iteration count (as string) */
if (!(itcntstr = rd_kafka_sasl_scram_get_attr(
in, 'i',
"Iteration count in server-first-message",
errstr, errstr_size))) {
rd_free(server_nonce);
rd_free(salt.ptr);
return -1;
}
/* Iteration count (as int) */
errno = 0;
itcnt = (int)strtoul(itcntstr, (char **)&endptr, 10);
if (itcntstr == endptr || *endptr != '\0' || errno != 0 ||
itcnt > 1000000) {
rd_snprintf(errstr, errstr_size,
"Invalid value (not integer or too large) "
"for Iteration count in server-first-message");
rd_free(server_nonce);
rd_free(salt.ptr);
rd_free(itcntstr);
return -1;
}
rd_free(itcntstr);
/* Build client-final-message */
if (rd_kafka_sasl_scram_build_client_final_message(
rktrans, &salt, server_nonce, in, itcnt, out) == -1) {
rd_snprintf(errstr, errstr_size,
"Failed to build SCRAM client-final-message");
rd_free(salt.ptr);
rd_free(server_nonce);
return -1;
}
rd_free(server_nonce);
rd_free(salt.ptr);
return 0;
}
/**
* @brief Handle server-final-message
*
* This is the end of authentication and the SCRAM state
* will be freed at the end of this function regardless of
* authentication outcome.
*
* @returns -1 on failure
*/
static int
rd_kafka_sasl_scram_handle_server_final_message (
rd_kafka_transport_t *rktrans,
const rd_chariov_t *in,
char *errstr, size_t errstr_size) {
struct rd_kafka_sasl_scram_state *state = rktrans->rktrans_sasl.state;
char *attr_v, *attr_e;
if ((attr_e = rd_kafka_sasl_scram_get_attr(
in, 'e', "server-error in server-final-message",
errstr, errstr_size))) {
/* Authentication failed */
rd_snprintf(errstr, errstr_size,
"SASL SCRAM authentication failed: "
"broker responded with %s",
attr_e);
rd_free(attr_e);
return -1;
} else if ((attr_v = rd_kafka_sasl_scram_get_attr(
in, 'v', "verifier in server-final-message",
errstr, errstr_size))) {
const rd_kafka_conf_t *conf;
/* Authentication succesful on server,
* but we need to verify the ServerSignature too. */
rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY | RD_KAFKA_DBG_BROKER,
"SCRAMAUTH",
"SASL SCRAM authentication succesful on server: "
"verifying ServerSignature");
if (strcmp(attr_v, state->ServerSignatureB64)) {
rd_snprintf(errstr, errstr_size,
"SASL SCRAM authentication failed: "
"ServerSignature mismatch "
"(server's %s != ours %s)",
attr_v, state->ServerSignatureB64);
rd_free(attr_v);
return -1;
}
rd_free(attr_v);
conf = &rktrans->rktrans_rkb->rkb_rk->rk_conf;
rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY | RD_KAFKA_DBG_BROKER,
"SCRAMAUTH",
"Authenticated as %s using %s",
conf->sasl.username,
conf->sasl.mechanisms);
rd_kafka_sasl_auth_done(rktrans);
return 0;
} else {
rd_snprintf(errstr, errstr_size,
"SASL SCRAM authentication failed: "
"no verifier or server-error returned from broker");
return -1;
}
}
/**
* @brief Build client-first-message
*/
static void
rd_kafka_sasl_scram_build_client_first_message (
rd_kafka_transport_t *rktrans,
rd_chariov_t *out) {
char *sasl_username;
struct rd_kafka_sasl_scram_state *state = rktrans->rktrans_sasl.state;
const rd_kafka_conf_t *conf = &rktrans->rktrans_rkb->rkb_rk->rk_conf;
rd_kafka_sasl_scram_generate_nonce(&state->cnonce);
sasl_username = rd_kafka_sasl_safe_string(conf->sasl.username);
out->size = strlen("n,,n=,r=") + strlen(sasl_username) +
state->cnonce.size;
out->ptr = rd_malloc(out->size+1);
rd_snprintf(out->ptr, out->size+1,
"n,,n=%s,r=%.*s",
sasl_username,
(int)state->cnonce.size, state->cnonce.ptr);
rd_free(sasl_username);
/* Save client-first-message-bare (skip gs2-header) */
state->first_msg_bare.size = out->size-3;
state->first_msg_bare.ptr = rd_memdup(out->ptr+3,
state->first_msg_bare.size);
}
/**
* @brief SASL SCRAM client state machine
* @returns -1 on failure (errstr set), else 0.
*/
static int rd_kafka_sasl_scram_fsm (rd_kafka_transport_t *rktrans,
const rd_chariov_t *in,
char *errstr, size_t errstr_size) {
static const char *state_names[] = {
"client-first-message",
"server-first-message",
"client-final-message",
};
struct rd_kafka_sasl_scram_state *state = rktrans->rktrans_sasl.state;
rd_chariov_t out = RD_ZERO_INIT;
int r = -1;
rd_ts_t ts_start = rd_clock();
int prev_state = state->state;
rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY, "SASLSCRAM",
"SASL SCRAM client in state %s",
state_names[state->state]);
switch (state->state)
{
case RD_KAFKA_SASL_SCRAM_STATE_CLIENT_FIRST_MESSAGE:
rd_dassert(!in); /* Not expecting any server-input */
rd_kafka_sasl_scram_build_client_first_message(rktrans, &out);
state->state = RD_KAFKA_SASL_SCRAM_STATE_SERVER_FIRST_MESSAGE;
break;
case RD_KAFKA_SASL_SCRAM_STATE_SERVER_FIRST_MESSAGE:
rd_dassert(in); /* Requires server-input */
if (rd_kafka_sasl_scram_handle_server_first_message(
rktrans, in, &out, errstr, errstr_size) == -1)
return -1;
state->state = RD_KAFKA_SASL_SCRAM_STATE_CLIENT_FINAL_MESSAGE;
break;
case RD_KAFKA_SASL_SCRAM_STATE_CLIENT_FINAL_MESSAGE:
rd_dassert(in); /* Requires server-input */
r = rd_kafka_sasl_scram_handle_server_final_message(
rktrans, in, errstr, errstr_size);
break;
}
if (out.ptr) {
r = rd_kafka_sasl_send(rktrans, out.ptr, (int)out.size,
errstr, errstr_size);
rd_free(out.ptr);
}
ts_start = (rd_clock() - ts_start) / 1000;
if (ts_start >= 100)
rd_rkb_dbg(rktrans->rktrans_rkb, SECURITY, "SCRAM",
"SASL SCRAM state %s handled in %"PRId64"ms",
state_names[prev_state], ts_start);
return r;
}
/**
* @brief Handle received frame from broker.
*/
static int rd_kafka_sasl_scram_recv (rd_kafka_transport_t *rktrans,
const void *buf, size_t size,
char *errstr, size_t errstr_size) {
const rd_chariov_t in = { .ptr = (char *)buf, .size = size };
return rd_kafka_sasl_scram_fsm(rktrans, &in, errstr, errstr_size);
}
/**
* @brief Initialize and start SASL SCRAM (builtin) authentication.
*
* Returns 0 on successful init and -1 on error.
*
* @locality broker thread
*/
static int rd_kafka_sasl_scram_client_new (rd_kafka_transport_t *rktrans,
const char *hostname,
char *errstr, size_t errstr_size) {
struct rd_kafka_sasl_scram_state *state;
state = rd_calloc(1, sizeof(*state));
state->state = RD_KAFKA_SASL_SCRAM_STATE_CLIENT_FIRST_MESSAGE;
rktrans->rktrans_sasl.state = state;
/* Kick off the FSM */
return rd_kafka_sasl_scram_fsm(rktrans, NULL, errstr, errstr_size);
}
/**
* @brief Validate SCRAM config and look up the hash function
*/
static int rd_kafka_sasl_scram_conf_validate (rd_kafka_t *rk,
char *errstr,
size_t errstr_size) {
const char *mech = rk->rk_conf.sasl.mechanisms;
if (!rk->rk_conf.sasl.username || !rk->rk_conf.sasl.password) {
rd_snprintf(errstr, errstr_size,
"sasl.username and sasl.password must be set");
return -1;
}
if (!strcmp(mech, "SCRAM-SHA-1")) {
rk->rk_conf.sasl.scram_evp = EVP_sha1();
rk->rk_conf.sasl.scram_H = SHA1;
rk->rk_conf.sasl.scram_H_size = SHA_DIGEST_LENGTH;
} else if (!strcmp(mech, "SCRAM-SHA-256")) {
rk->rk_conf.sasl.scram_evp = EVP_sha256();
rk->rk_conf.sasl.scram_H = SHA256;
rk->rk_conf.sasl.scram_H_size = SHA256_DIGEST_LENGTH;
} else if (!strcmp(mech, "SCRAM-SHA-512")) {
rk->rk_conf.sasl.scram_evp = EVP_sha512();
rk->rk_conf.sasl.scram_H = SHA512;
rk->rk_conf.sasl.scram_H_size = SHA512_DIGEST_LENGTH;
} else {
rd_snprintf(errstr, errstr_size,
"Unsupported hash function: %s "
"(try SCRAM-SHA-512)",
mech);
return -1;
}
return 0;
}
const struct rd_kafka_sasl_provider rd_kafka_sasl_scram_provider = {
.name = "SCRAM (builtin)",
.client_new = rd_kafka_sasl_scram_client_new,
.recv = rd_kafka_sasl_scram_recv,
.close = rd_kafka_sasl_scram_close,
.conf_validate = rd_kafka_sasl_scram_conf_validate,
};