search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Replace functions which called once with their bodies
[pidgin-git.git] / libpurple / protocols / jabber / auth_scram.c
blob9ed336c8336122b025b7db2cc80817706e4878f8
1 /*
2 * purple - Jabber Protocol Plugin
3 *
4 * Purple is the legal property of its developers, whose names are too numerous
5 * to list here. Please refer to the COPYRIGHT file distributed with this
6 * source distribution.
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
21 *
22 */
23 #include "internal.h"
24
25 #include "auth.h"
26 #include "auth_scram.h"
27
28 #include "debug.h"
29
30 static const JabberScramHash hashes[] = {
31 { "-SHA-1", G_CHECKSUM_SHA1 },
32 };
33
34 static const JabberScramHash *mech_to_hash(const char *mech)
35 {
36 gsize i;
37
38 g_return_val_if_fail(mech != NULL && *mech != '\0', NULL);
39
40 for (i = 0; i < G_N_ELEMENTS(hashes); ++i) {
41 if (strstr(mech, hashes[i].mech_substr))
42 return &(hashes[i]);
43 }
44
45 purple_debug_error("jabber", "Unknown SCRAM mechanism %s\n", mech);
46 g_return_val_if_reached(NULL);
47 }
48
49 guchar *jabber_scram_hi(const JabberScramHash *hash, const GString *str,
50 GString *salt, guint iterations)
51 {
52 GHmac *hmac;
53 gsize digest_len;
54 guchar *result;
55 guint i;
56 guchar *prev, *tmp;
57
58 g_return_val_if_fail(hash != NULL, NULL);
59 g_return_val_if_fail(str != NULL && str->len > 0, NULL);
60 g_return_val_if_fail(salt != NULL && salt->len > 0, NULL);
61 g_return_val_if_fail(iterations > 0, NULL);
62
63 digest_len = g_checksum_type_get_length(hash->type);
64 prev = g_new0(guchar, digest_len);
65 tmp = g_new0(guchar, digest_len);
66 result = g_new0(guchar, digest_len);
67
68 hmac = g_hmac_new(hash->type, (guchar *)str->str, str->len);
69
70 /* Append INT(1), a four-octet encoding of the integer 1, most significant
71 * octet first. */
72 g_string_append_len(salt, "\0\0\0\1", 4);
73
74 /* Compute U0 */
75 g_hmac_update(hmac, (guchar *)salt->str, salt->len);
76 g_hmac_get_digest(hmac, result, &digest_len);
77 g_hmac_unref(hmac);
78
79 memcpy(prev, result, digest_len);
80
81 /* Compute U1...Ui */
82 for (i = 1; i < iterations; ++i) {
83 guint j;
84 hmac = g_hmac_new(hash->type, (guchar *)str->str, str->len);
85 g_hmac_update(hmac, prev, digest_len);
86 g_hmac_get_digest(hmac, tmp, &digest_len);
87 g_hmac_unref(hmac);
88
89 for (j = 0; j < digest_len; ++j)
90 result[j] ^= tmp[j];
91
92 memcpy(prev, tmp, digest_len);
93 }
94
95 g_free(tmp);
96 g_free(prev);
97 return result;
98 }
99
100 /*
101 * Helper functions for doing the SCRAM calculations. The first argument
102 * is the hash algorithm. All buffers must be of the appropriate size
103 * according to the JabberScramHash.
104 *
105 * "str" is a NULL-terminated string for jabber_scram_hmac().
106 *
107 * Needless to say, these are fragile.
108 */
109 static void
110 jabber_scram_hmac(const JabberScramHash *hash, guchar *out, const guchar *key, const gchar *str)
111 {
112 GHmac *hmac;
113 gsize digest_len = g_checksum_type_get_length(hash->type);
114
115 hmac = g_hmac_new(hash->type, key, digest_len);
116 g_hmac_update(hmac, (guchar *)str, -1);
117 g_hmac_get_digest(hmac, out, &digest_len);
118 g_hmac_unref(hmac);
119 }
120
121 static void
122 jabber_scram_hash(const JabberScramHash *hash, guchar *out, const guchar *data)
123 {
124 GChecksum *checksum;
125 gsize digest_len = g_checksum_type_get_length(hash->type);
126
127 checksum = g_checksum_new(hash->type);
128 g_checksum_update(checksum, data, digest_len);
129 g_checksum_get_digest(checksum, out, &digest_len);
130 g_checksum_free(checksum);
131 }
132
133 gboolean
134 jabber_scram_calc_proofs(JabberScramData *data, GString *salt, guint iterations)
135 {
136 guint hash_len = g_checksum_type_get_length(data->hash->type);
137 guint i;
138
139 GString *pass = g_string_new(data->password);
140
141 guchar *salted_password;
142 guchar *client_key, *stored_key, *client_signature, *server_key;
143
144 data->client_proof = g_string_sized_new(hash_len);
145 data->client_proof->len = hash_len;
146 data->server_signature = g_string_sized_new(hash_len);
147 data->server_signature->len = hash_len;
148
149 salted_password = jabber_scram_hi(data->hash, pass, salt, iterations);
150
151 memset(pass->str, 0, pass->allocated_len);
152 g_string_free(pass, TRUE);
153
154 if (!salted_password)
155 return FALSE;
156
157 client_key = g_new0(guchar, hash_len);
158 stored_key = g_new0(guchar, hash_len);
159 client_signature = g_new0(guchar, hash_len);
160 server_key = g_new0(guchar, hash_len);
161
162 /* client_key = HMAC(salted_password, "Client Key") */
163 jabber_scram_hmac(data->hash, client_key, salted_password, "Client Key");
164 /* server_key = HMAC(salted_password, "Server Key") */
165 jabber_scram_hmac(data->hash, server_key, salted_password, "Server Key");
166 g_free(salted_password);
167
168 /* stored_key = HASH(client_key) */
169 jabber_scram_hash(data->hash, stored_key, client_key);
170
171 /* client_signature = HMAC(stored_key, auth_message) */
172 jabber_scram_hmac(data->hash, client_signature, stored_key, data->auth_message->str);
173 /* server_signature = HMAC(server_key, auth_message) */
174 jabber_scram_hmac(data->hash, (guchar *)data->server_signature->str, server_key, data->auth_message->str);
175
176 /* client_proof = client_key XOR client_signature */
177 for (i = 0; i < hash_len; ++i)
178 data->client_proof->str[i] = client_key[i] ^ client_signature[i];
179
180 g_free(server_key);
181 g_free(client_signature);
182 g_free(stored_key);
183 g_free(client_key);
184
185 return TRUE;
186 }
187
188 static gboolean
189 parse_server_step1(JabberScramData *data, const char *challenge,
190 gchar **out_nonce, GString **out_salt, guint *out_iterations)
191 {
192 char **tokens;
193 char *token, *decoded, *tmp;
194 gsize len;
195 char *nonce = NULL;
196 GString *salt = NULL;
197 guint iterations;
198
199 tokens = g_strsplit(challenge, ",", -1);
200 if (tokens == NULL)
201 return FALSE;
202
203 token = tokens[0];
204 if (token[0] != 'r' || token[1] != '=')
205 goto err;
206
207 /* Ensure that the first cnonce_len bytes of the nonce are the original
208 * cnonce we sent to the server.
209 */
210 if (0 != strncmp(data->cnonce, token + 2, strlen(data->cnonce)))
211 goto err;
212
213 nonce = g_strdup(token + 2);
214
215 /* The Salt, base64-encoded */
216 token = tokens[1];
217 if (token[0] != 's' || token[1] != '=')
218 goto err;
219
220 decoded = (gchar *)g_base64_decode(token + 2, &len);
221 if (!decoded || *decoded == '\0') {
222 g_free(decoded);
223 goto err;
224 }
225 salt = g_string_new_len(decoded, len);
226 g_free(decoded);
227
228 /* The iteration count */
229 token = tokens[2];
230 if (token[0] != 'i' || token[1] != '=' || token[2] == '\0')
231 goto err;
232
233 /* Validate the string */
234 for (tmp = token + 2; *tmp; ++tmp)
235 if (!g_ascii_isdigit(*tmp))
236 goto err;
237
238 iterations = strtoul(token + 2, NULL, 10);
239
240 g_strfreev(tokens);
241 *out_nonce = nonce;
242 *out_salt = salt;
243 *out_iterations = iterations;
244 return TRUE;
245
246 err:
247 g_free(nonce);
248 if (salt)
249 g_string_free(salt, TRUE);
250 g_strfreev(tokens);
251 return FALSE;
252 }
253
254 static gboolean
255 parse_server_step2(JabberScramData *data, const char *challenge, gchar **out_verifier)
256 {
257 char **tokens;
258 char *token;
259
260 tokens = g_strsplit(challenge, ",", -1);
261 if (tokens == NULL)
262 return FALSE;
263
264 token = tokens[0];
265 if (token[0] != 'v' || token[1] != '=' || token[2] == '\0') {
266 g_strfreev(tokens);
267 return FALSE;
268 }
269
270 *out_verifier = g_strdup(token + 2);
271 g_strfreev(tokens);
272 return TRUE;
273 }
274
275 gboolean
276 jabber_scram_feed_parser(JabberScramData *data, gchar *in, gchar **out)
277 {
278 gboolean ret;
279
280 g_return_val_if_fail(data != NULL, FALSE);
281
282 g_string_append_c(data->auth_message, ',');
283 g_string_append(data->auth_message, in);
284
285 if (data->step == 1) {
286 gchar *nonce, *proof;
287 GString *salt;
288 guint iterations;
289
290 ret = parse_server_step1(data, in, &nonce, &salt, &iterations);
291 if (!ret)
292 return FALSE;
293
294 g_string_append_c(data->auth_message, ',');
295
296 /* "biws" is the base64 encoding of "n,,". I promise. */
297 g_string_append_printf(data->auth_message, "c=%s,r=%s", "biws", nonce);
298 #ifdef CHANNEL_BINDING
299 #error fix this
300 #endif
301
302 ret = jabber_scram_calc_proofs(data, salt, iterations);
303
304 g_string_free(salt, TRUE);
305 salt = NULL;
306 if (!ret) {
307 g_free(nonce);
308 return FALSE;
309 }
310
311 proof = g_base64_encode((guchar *)data->client_proof->str, data->client_proof->len);
312 *out = g_strdup_printf("c=%s,r=%s,p=%s", "biws", nonce, proof);
313 g_free(nonce);
314 g_free(proof);
315 } else if (data->step == 2) {
316 gchar *server_sig, *enc_server_sig;
317 gsize len;
318
319 ret = parse_server_step2(data, in, &enc_server_sig);
320 if (!ret)
321 return FALSE;
322
323 server_sig = (gchar *)g_base64_decode(enc_server_sig, &len);
324 g_free(enc_server_sig);
325
326 if (server_sig == NULL || len != data->server_signature->len) {
327 g_free(server_sig);
328 return FALSE;
329 }
330
331 if (0 != memcmp(server_sig, data->server_signature->str, len)) {
332 g_free(server_sig);
333 return FALSE;
334 }
335 g_free(server_sig);
336
337 *out = NULL;
338 } else {
339 purple_debug_error("jabber", "SCRAM: There is no step %d\n", data->step);
340 return FALSE;
341 }
342
343 return TRUE;
344 }
345
346 static gchar *escape_username(const gchar *in)
347 {
348 gchar *tmp, *tmp2;
349
350 tmp = purple_strreplace(in, "=", "=3D");
351 tmp2 = purple_strreplace(tmp, ",", "=2C");
352 g_free(tmp);
353 return tmp2;
354 }
355
356 static JabberSaslState
357 scram_start(JabberStream *js, PurpleXmlNode *mechanisms, PurpleXmlNode **out, char **error)
358 {
359 PurpleXmlNode *reply;
360 JabberScramData *data;
361 guint64 cnonce;
362 #ifdef CHANNEL_BINDING
363 gboolean binding_supported = TRUE;
364 #endif
365 gchar *dec_out, *enc_out;
366 gchar *prepped_node, *tmp;
367 gchar *prepped_pass;
368
369 prepped_node = jabber_saslprep(js->user->node);
370 if (!prepped_node) {
371 *error = g_strdup(_("Unable to canonicalize username"));
372 return JABBER_SASL_STATE_FAIL;
373 }
374
375 tmp = escape_username(prepped_node);
376 g_free(prepped_node);
377 prepped_node = tmp;
378
379 prepped_pass = jabber_saslprep(purple_connection_get_password(js->gc));
380 if (!prepped_pass) {
381 g_free(prepped_node);
382 *error = g_strdup(_("Unable to canonicalize password"));
383 return JABBER_SASL_STATE_FAIL;
384 }
385
386 data = js->auth_mech_data = g_new0(JabberScramData, 1);
387 data->hash = mech_to_hash(js->auth_mech->name);
388 data->password = prepped_pass;
389
390 #ifdef CHANNEL_BINDING
391 if (strstr(js->auth_mech_name, "-PLUS"))
392 data->channel_binding = TRUE;
393 #endif
394 cnonce = ((guint64)g_random_int() << 32) | g_random_int();
395 data->cnonce = g_base64_encode((guchar *)&cnonce, sizeof(cnonce));
396
397 data->auth_message = g_string_new(NULL);
398 g_string_printf(data->auth_message, "n=%s,r=%s",
399 prepped_node, data->cnonce);
400 g_free(prepped_node);
401
402 data->step = 1;
403
404 reply = purple_xmlnode_new("auth");
405 purple_xmlnode_set_namespace(reply, NS_XMPP_SASL);
406 purple_xmlnode_set_attrib(reply, "mechanism", js->auth_mech->name);
407
408 /* TODO: Channel binding */
409 dec_out = g_strdup_printf("%c,,%s", 'n', data->auth_message->str);
410 enc_out = g_base64_encode((guchar *)dec_out, strlen(dec_out));
411 purple_debug_misc("jabber", "initial SCRAM message '%s'\n", dec_out);
412
413 purple_xmlnode_insert_data(reply, enc_out, -1);
414
415 g_free(enc_out);
416 g_free(dec_out);
417
418 *out = reply;
419 return JABBER_SASL_STATE_CONTINUE;
420 }
421
422 static JabberSaslState
423 scram_handle_challenge(JabberStream *js, PurpleXmlNode *challenge, PurpleXmlNode **out, char **error)
424 {
425 JabberScramData *data = js->auth_mech_data;
426 PurpleXmlNode *reply;
427 gchar *enc_in, *dec_in = NULL;
428 gchar *enc_out = NULL, *dec_out = NULL;
429 gsize len;
430 JabberSaslState state = JABBER_SASL_STATE_FAIL;
431
432 enc_in = purple_xmlnode_get_data(challenge);
433 if (!enc_in || *enc_in == '\0') {
434 reply = purple_xmlnode_new("abort");
435 purple_xmlnode_set_namespace(reply, NS_XMPP_SASL);
436 data->step = -1;
437 *error = g_strdup(_("Invalid challenge from server"));
438 goto out;
439 }
440
441 dec_in = (gchar *)g_base64_decode(enc_in, &len);
442 if (!dec_in || len != strlen(dec_in)) {
443 /* Danger afoot; SCRAM shouldn't contain NUL bytes */
444 reply = purple_xmlnode_new("abort");
445 purple_xmlnode_set_namespace(reply, NS_XMPP_SASL);
446 data->step = -1;
447 *error = g_strdup(_("Malicious challenge from server"));
448 goto out;
449 }
450
451 purple_debug_misc("jabber", "decoded challenge: %s\n", dec_in);
452
453 if (!jabber_scram_feed_parser(data, dec_in, &dec_out)) {
454 reply = purple_xmlnode_new("abort");
455 purple_xmlnode_set_namespace(reply, NS_XMPP_SASL);
456 data->step = -1;
457 *error = g_strdup(_("Invalid challenge from server"));
458 goto out;
459 }
460
461 data->step += 1;
462
463 reply = purple_xmlnode_new("response");
464 purple_xmlnode_set_namespace(reply, NS_XMPP_SASL);
465
466 purple_debug_misc("jabber", "decoded response: %s\n", dec_out ? dec_out : "(null)");
467 if (dec_out) {
468 enc_out = g_base64_encode((guchar *)dec_out, strlen(dec_out));
469 purple_xmlnode_insert_data(reply, enc_out, -1);
470 }
471
472 state = JABBER_SASL_STATE_CONTINUE;
473
474 out:
475 g_free(enc_in);
476 g_free(dec_in);
477 g_free(enc_out);
478 g_free(dec_out);
479
480 *out = reply;
481 return state;
482 }
483
484 static JabberSaslState
485 scram_handle_success(JabberStream *js, PurpleXmlNode *packet, char **error)
486 {
487 JabberScramData *data = js->auth_mech_data;
488 char *enc_in, *dec_in;
489 char *dec_out = NULL;
490 gsize len;
491
492 enc_in = purple_xmlnode_get_data(packet);
493 if (data->step != 3 && (!enc_in || *enc_in == '\0')) {
494 *error = g_strdup(_("Invalid challenge from server"));
495 g_free(enc_in);
496 return JABBER_SASL_STATE_FAIL;
497 }
498
499 if (data->step == 3) {
500 /*
501 * If the server took the slow approach (sending the verifier
502 * as a challenge/response pair), we get here.
503 */
504 g_free(enc_in);
505 return JABBER_SASL_STATE_OK;
506 }
507
508 if (data->step != 2) {
509 *error = g_strdup(_("Unexpected response from server"));
510 g_free(enc_in);
511 return JABBER_SASL_STATE_FAIL;
512 }
513
514 dec_in = (gchar *)g_base64_decode(enc_in, &len);
515 g_free(enc_in);
516 if (!dec_in || len != strlen(dec_in)) {
517 /* Danger afoot; SCRAM shouldn't contain NUL bytes */
518 g_free(dec_in);
519 *error = g_strdup(_("Malicious challenge from server"));
520 return JABBER_SASL_STATE_FAIL;
521 }
522
523 purple_debug_misc("jabber", "decoded success: %s\n", dec_in);
524
525 if (!jabber_scram_feed_parser(data, dec_in, &dec_out) || dec_out != NULL) {
526 g_free(dec_in);
527 g_free(dec_out);
528 *error = g_strdup(_("Invalid challenge from server"));
529 return JABBER_SASL_STATE_FAIL;
530 }
531
532 g_free(dec_in);
533 /* Hooray */
534 return JABBER_SASL_STATE_OK;
535 }
536
537 void jabber_scram_data_destroy(JabberScramData *data)
538 {
539 g_free(data->cnonce);
540 if (data->auth_message)
541 g_string_free(data->auth_message, TRUE);
542 if (data->client_proof)
543 g_string_free(data->client_proof, TRUE);
544 if (data->server_signature)
545 g_string_free(data->server_signature, TRUE);
546 if (data->password) {
547 memset(data->password, 0, strlen(data->password));
548 g_free(data->password);
549 }
550
551 g_free(data);
552 }
553
554 static void scram_dispose(JabberStream *js)
555 {
556 if (js->auth_mech_data) {
557 jabber_scram_data_destroy(js->auth_mech_data);
558 js->auth_mech_data = NULL;
559 }
560 }
561
562 static JabberSaslMech scram_sha1_mech = {
563 50, /* priority */
564 "SCRAM-SHA-1", /* name */
565 scram_start,
566 scram_handle_challenge,
567 scram_handle_success,
568 NULL, /* handle_failure */
569 scram_dispose
570 };
571
572 #ifdef CHANNEL_BINDING
573 /* With channel binding */
574 static JabberSaslMech scram_sha1_plus_mech = {
575 scram_sha1_mech.priority + 1, /* priority */
576 "SCRAM-SHA-1-PLUS", /* name */
577 scram_start,
578 scram_handle_challenge,
579 scram_handle_success,
580 NULL, /* handle_failure */
581 scram_dispose
582 };
583 #endif
584
585 JabberSaslMech **jabber_auth_get_scram_mechs(gint *count)
586 {
587 static JabberSaslMech *mechs[] = {
588 &scram_sha1_mech,
589 #ifdef CHANNEL_BINDING
590 &scram_sha1_plus_mech,
591 #endif
592 };
593
594 *count = G_N_ELEMENTS(mechs);
595 return mechs;
596 }
Git mirror of Pidgin's Mercurial repository