From 9b76b557ecaece2a5fa862ea4dc75ed613e3fbf0 Mon Sep 17 00:00:00 2001
From: Patrick Okraku <patrick@okraku.com>
Date: Wed, 1 Nov 2023 19:12:32 +0100
Subject: Added support for SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512

---
 src/common/scram.c | 323 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 323 insertions(+)
 create mode 100644 src/common/scram.c

(limited to 'src/common/scram.c')

diff --git a/src/common/scram.c b/src/common/scram.c
new file mode 100644
index 00000000..529abd5d
--- /dev/null
+++ b/src/common/scram.c
@@ -0,0 +1,323 @@
+/* HexChat
+ * Copyright (C) 2023 Patrick Okraku
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#include "hexchat.h"
+
+#ifdef USE_OPENSSL
+
+#include "scram.h"
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+
+#define NONCE_LENGTH 18
+#define CLIENT_KEY "Client Key"
+#define SERVER_KEY "Server Key"
+
+// EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed in OpenSSL 1.1.0
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define EVP_MD_CTX_new(ctx) EVP_MD_CTX_create(ctx)
+#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx)
+#endif
+
+scram_session
+*scram_create_session (const char *digest, const char *username, const char *password)
+{
+	scram_session *session;
+	const EVP_MD *md;
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+	OpenSSL_add_all_algorithms ();
+#endif
+	md = EVP_get_digestbyname (digest);
+
+	if (md == NULL)
+	{
+		// Unknown message digest
+		return NULL;
+	}
+
+	session = g_new0 (scram_session, 1);
+	session->digest = md;
+	session->digest_size = EVP_MD_size (md);
+	session->username = g_strdup (username);
+	session->password = g_strdup (password);
+	return session;
+}
+
+void
+scram_free_session (scram_session *session)
+{
+	if (session == NULL)
+	{
+		return;
+	}
+
+	g_free (session->username);
+	g_free (session->password);
+	g_free (session->client_nonce_b64);
+	g_free (session->client_first_message_bare);
+	g_free (session->salted_password);
+	g_free (session->auth_message);
+	g_free (session->error);
+
+	g_free (session);
+}
+
+static int
+create_nonce (void *buffer, size_t length)
+{
+	return RAND_bytes (buffer, length);
+}
+
+static int
+create_SHA (scram_session *session, const unsigned char *input, size_t input_len,
+			unsigned char *output, unsigned int *output_len)
+{
+	EVP_MD_CTX *md_ctx = EVP_MD_CTX_new ();
+
+	if (!EVP_DigestInit_ex (md_ctx, session->digest, NULL))
+	{
+		session->error = g_strdup ("Message digest initialization failed");
+		EVP_MD_CTX_free (md_ctx);
+		return SCRAM_ERROR;
+	}
+
+	if (!EVP_DigestUpdate (md_ctx, input, input_len))
+	{
+		session->error = g_strdup ("Message digest update failed");
+		EVP_MD_CTX_free (md_ctx);
+		return SCRAM_ERROR;
+	}
+
+	if (!EVP_DigestFinal_ex (md_ctx, output, output_len))
+	{
+		session->error = g_strdup ("Message digest finalization failed");
+		EVP_MD_CTX_free (md_ctx);
+		return SCRAM_ERROR;
+	}
+
+	EVP_MD_CTX_free (md_ctx);
+	return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_client_first (scram_session *session, char **output, size_t *output_len)
+{
+	char nonce[NONCE_LENGTH];
+
+	if (!create_nonce (nonce, NONCE_LENGTH))
+	{
+		session->error = g_strdup ("Could not create client nonce");
+		return SCRAM_ERROR;
+	}
+
+	session->client_nonce_b64 = g_base64_encode ((guchar *) nonce, NONCE_LENGTH);
+	*output = g_strdup_printf ("n,,n=%s,r=%s", session->username, session->client_nonce_b64);
+	*output_len = strlen (*output);
+	session->client_first_message_bare = g_strdup (*output + 3);
+	session->step++;
+	return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_server_first (scram_session *session, const char *data, char **output,
+					  size_t *output_len)
+{
+	char **params, *client_final_message_without_proof, *salt, *server_nonce_b64,
+			*client_proof_b64;
+	unsigned char *client_key, stored_key[EVP_MAX_MD_SIZE], *client_signature, *client_proof;
+	unsigned int i, param_count, iteration_count, client_key_len, stored_key_len;
+	gsize salt_len = 0;
+	size_t client_nonce_len;
+
+	params = g_strsplit (data, ",", -1);
+	param_count = g_strv_length (params);
+
+	if (param_count < 3)
+	{
+		session->error = g_strdup_printf ("Invalid server-first-message: %s", data);
+		g_strfreev (params);
+		return SCRAM_ERROR;
+	}
+
+	server_nonce_b64 = NULL;
+	salt = NULL;
+	iteration_count = 0;
+
+	for (i = 0; i < param_count; i++)
+	{
+		if (!strncmp (params[i], "r=", 2))
+		{
+			server_nonce_b64 = g_strdup (params[i] + 2);
+		}
+		else if (!strncmp (params[i], "s=", 2))
+		{
+			salt = g_strdup (params[i] + 2);
+		}
+		else if (!strncmp (params[i], "i=", 2))
+		{
+			iteration_count = strtoul (params[i] + 2, NULL, 10);
+		}
+	}
+
+	g_strfreev (params);
+
+	if (server_nonce_b64 == NULL || *server_nonce_b64 == '\0' || salt == NULL ||
+		*salt == '\0' || iteration_count == 0)
+	{
+		session->error = g_strdup_printf ("Invalid server-first-message: %s", data);
+		return SCRAM_ERROR;
+	}
+
+	client_nonce_len = strlen (session->client_nonce_b64);
+
+	// The server can append his nonce to the client's nonce
+	if (strlen (server_nonce_b64) < client_nonce_len ||
+		strncmp (server_nonce_b64, session->client_nonce_b64, client_nonce_len))
+	{
+		session->error = g_strdup_printf ("Invalid server nonce: %s", server_nonce_b64);
+		return SCRAM_ERROR;
+	}
+
+	g_base64_decode_inplace ((gchar *) salt, &salt_len);
+
+	// SaltedPassword := Hi(Normalize(password), salt, i)
+	session->salted_password = g_malloc (session->digest_size);
+
+	PKCS5_PBKDF2_HMAC (session->password, strlen (session->password), (unsigned char *) salt,
+					   salt_len, iteration_count, session->digest, session->digest_size,
+					   session->salted_password);
+
+	// AuthMessage := client-first-message-bare + "," +
+	//                server-first-message + "," +
+	//                client-final-message-without-proof
+	client_final_message_without_proof = g_strdup_printf ("c=biws,r=%s", server_nonce_b64);
+
+	session->auth_message = g_strdup_printf ("%s,%s,%s", session->client_first_message_bare,
+											 data, client_final_message_without_proof);
+
+	// ClientKey := HMAC(SaltedPassword, "Client Key")
+	client_key = g_malloc0 (session->digest_size);
+
+	HMAC (session->digest, session->salted_password, session->digest_size,
+		  (unsigned char *) CLIENT_KEY, strlen (CLIENT_KEY), client_key, &client_key_len);
+
+	// StoredKey := H(ClientKey)
+	if (!create_SHA (session, client_key, session->digest_size, stored_key, &stored_key_len))
+	{
+		return SCRAM_ERROR;
+	}
+
+	// ClientSignature := HMAC(StoredKey, AuthMessage)
+	client_signature = g_malloc0 (session->digest_size);
+	HMAC (session->digest, stored_key, stored_key_len, (unsigned char *) session->auth_message,
+		  strlen ((char *) session->auth_message), client_signature, NULL);
+
+	// ClientProof := ClientKey XOR ClientSignature
+	client_proof = g_malloc0 (client_key_len);
+
+	for (i = 0; i < client_key_len; i++)
+	{
+		client_proof[i] = client_key[i] ^ client_signature[i];
+	}
+
+	client_proof_b64 = g_base64_encode ((guchar *) client_proof, client_key_len);
+
+	*output = g_strdup_printf ("%s,p=%s", client_final_message_without_proof, client_proof_b64);
+	*output_len = strlen (*output);
+
+	g_free (server_nonce_b64);
+	g_free (client_final_message_without_proof);
+	g_free (salt);
+	g_free (client_signature);
+	g_free (client_proof);
+
+	session->step++;
+	return SCRAM_IN_PROGRESS;
+}
+
+static scram_status
+process_server_final (scram_session *session, const char *data)
+{
+	char *verifier;
+	unsigned char *server_key, *server_signature;
+	unsigned int server_key_len = 0, server_signature_len = 0;
+	gsize verifier_len = 0;
+
+	if (strlen (data) < 3 || (data[0] != 'v' && data[1] != '='))
+	{
+		return SCRAM_ERROR;
+	}
+
+	verifier = g_strdup (data + 2);
+	g_base64_decode_inplace (verifier, &verifier_len);
+
+	// ServerKey := HMAC(SaltedPassword, "Server Key")
+	server_key = g_malloc0 (session->digest_size);
+	HMAC (session->digest, session->salted_password, session->digest_size,
+		  (unsigned char *) SERVER_KEY, strlen (SERVER_KEY), server_key, &server_key_len);
+
+	// ServerSignature := HMAC(ServerKey, AuthMessage)
+	server_signature = g_malloc0 (session->digest_size);
+	HMAC (session->digest, server_key, session->digest_size,
+		  (unsigned char *) session->auth_message, strlen ((char *) session->auth_message),
+		  server_signature, &server_signature_len);
+
+	if (verifier_len == server_signature_len &&
+		memcmp (verifier, server_signature, verifier_len) == 0)
+	{
+		g_free (verifier);
+		g_free (server_key);
+		g_free (server_signature);
+		return SCRAM_SUCCESS;
+	}
+	else
+	{
+		g_free (verifier);
+		g_free (server_key);
+		g_free (server_signature);
+		return SCRAM_ERROR;
+	}
+}
+
+scram_status
+scram_process (scram_session *session, const char *input, char **output, size_t *output_len)
+{
+	scram_status status;
+
+	switch (session->step)
+	{
+		case 0:
+			status = process_client_first (session, output, output_len);
+			break;
+		case 1:
+			status = process_server_first (session, input, output, output_len);
+			break;
+		case 2:
+			status = process_server_final (session, input);
+			break;
+		default:
+			*output = NULL;
+			*output_len = 0;
+			status = SCRAM_ERROR;
+			break;
+	}
+
+	return status;
+}
+
+#endif
\ No newline at end of file
-- 
cgit 1.4.1


From c82ad321713dbbe77ff861dc2fa29954c214000c Mon Sep 17 00:00:00 2001
From: Patrick Okraku <patrick@okraku.com>
Date: Mon, 6 Nov 2023 15:04:15 +0100
Subject: SASL SCRAM: Apply changes from code review

---
 src/common/inbound.c |  2 +-
 src/common/scram.c   | 14 ++++++++++++--
 src/common/scram.h   |  2 +-
 3 files changed, 14 insertions(+), 4 deletions(-)

(limited to 'src/common/scram.c')

diff --git a/src/common/inbound.c b/src/common/inbound.c
index 9b38f7c7..e8cfd0b5 100644
--- a/src/common/inbound.c
+++ b/src/common/inbound.c
@@ -1985,7 +1985,7 @@ scram_authenticate (server *serv, const char *data, const char *digest,
 
 	if (serv->scram_session == NULL)
 	{
-		serv->scram_session = scram_create_session (digest, user, password);
+		serv->scram_session = scram_session_create (digest, user, password);
 
 		if (serv->scram_session == NULL)
 		{
diff --git a/src/common/scram.c b/src/common/scram.c
index 529abd5d..b9f2beb0 100644
--- a/src/common/scram.c
+++ b/src/common/scram.c
@@ -35,7 +35,7 @@
 #endif
 
 scram_session
-*scram_create_session (const char *digest, const char *username, const char *password)
+*scram_session_create (const char *digest, const char *username, const char *password)
 {
 	scram_session *session;
 	const EVP_MD *md;
@@ -162,10 +162,12 @@ process_server_first (scram_session *session, const char *data, char **output,
 	{
 		if (!strncmp (params[i], "r=", 2))
 		{
+			g_free (server_nonce_b64);
 			server_nonce_b64 = g_strdup (params[i] + 2);
 		}
 		else if (!strncmp (params[i], "s=", 2))
 		{
+			g_free (salt);
 			salt = g_strdup (params[i] + 2);
 		}
 		else if (!strncmp (params[i], "i=", 2))
@@ -180,6 +182,8 @@ process_server_first (scram_session *session, const char *data, char **output,
 		*salt == '\0' || iteration_count == 0)
 	{
 		session->error = g_strdup_printf ("Invalid server-first-message: %s", data);
+		g_free (server_nonce_b64);
+		g_free (salt);
 		return SCRAM_ERROR;
 	}
 
@@ -219,6 +223,10 @@ process_server_first (scram_session *session, const char *data, char **output,
 	// StoredKey := H(ClientKey)
 	if (!create_SHA (session, client_key, session->digest_size, stored_key, &stored_key_len))
 	{
+		g_free (client_final_message_without_proof);
+		g_free (server_nonce_b64);
+		g_free (salt);
+		g_free (client_key);
 		return SCRAM_ERROR;
 	}
 
@@ -241,10 +249,12 @@ process_server_first (scram_session *session, const char *data, char **output,
 	*output_len = strlen (*output);
 
 	g_free (server_nonce_b64);
-	g_free (client_final_message_without_proof);
 	g_free (salt);
+	g_free (client_final_message_without_proof);
+	g_free (client_key);
 	g_free (client_signature);
 	g_free (client_proof);
+	g_free (client_proof_b64);
 
 	session->step++;
 	return SCRAM_IN_PROGRESS;
diff --git a/src/common/scram.h b/src/common/scram.h
index d8f1429c..68672448 100644
--- a/src/common/scram.h
+++ b/src/common/scram.h
@@ -43,7 +43,7 @@ typedef enum
 	SCRAM_SUCCESS
 } scram_status;
 
-scram_session *scram_create_session (const char *digset, const char *username, const char *password);
+scram_session *scram_session_create (const char *digset, const char *username, const char *password);
 void scram_free_session (scram_session *session);
 scram_status scram_process (scram_session *session, const char *input, char **output, size_t *output_len);
 
-- 
cgit 1.4.1


From 681a88d6df2ad67e3d590fada15322b1b3ee08af Mon Sep 17 00:00:00 2001
From: Patrick Okraku <patrick@okraku.com>
Date: Sun, 12 Nov 2023 12:45:08 +0100
Subject: SASL SCRAM: renamed scram_free_session to scram_session_free

---
 src/common/inbound.c | 6 +++---
 src/common/scram.c   | 2 +-
 src/common/scram.h   | 2 +-
 src/common/server.c  | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

(limited to 'src/common/scram.c')

diff --git a/src/common/inbound.c b/src/common/inbound.c
index e8cfd0b5..fdee2ecc 100644
--- a/src/common/inbound.c
+++ b/src/common/inbound.c
@@ -2012,7 +2012,7 @@ scram_authenticate (server *serv, const char *data, const char *digest,
 	{
 		// Authentication succeeded
 		tcp_sendf (serv, "AUTHENTICATE +\r\n");
-		g_clear_pointer (&serv->scram_session, scram_free_session);
+		g_clear_pointer (&serv->scram_session, scram_session_free);
 	}
 	else if (status == SCRAM_ERROR)
 	{
@@ -2025,7 +2025,7 @@ scram_authenticate (server *serv, const char *data, const char *digest,
 			g_info ("SASL SCRAM authentication failed: %s", serv->scram_session->error);
 		}
 
-		g_clear_pointer (&serv->scram_session, scram_free_session);
+		g_clear_pointer (&serv->scram_session, scram_session_free);
 	}
 }
 #endif
@@ -2076,7 +2076,7 @@ void
 inbound_sasl_error (server *serv)
 {
 #ifdef USE_OPENSSL
-    g_clear_pointer (&serv->scram_session, scram_free_session);
+    g_clear_pointer (&serv->scram_session, scram_session_free);
 #endif
 	/* Just abort, not much we can do */
 	tcp_sendf (serv, "AUTHENTICATE *\r\n");
diff --git a/src/common/scram.c b/src/common/scram.c
index b9f2beb0..b39199de 100644
--- a/src/common/scram.c
+++ b/src/common/scram.c
@@ -59,7 +59,7 @@ scram_session
 }
 
 void
-scram_free_session (scram_session *session)
+scram_session_free (scram_session *session)
 {
 	if (session == NULL)
 	{
diff --git a/src/common/scram.h b/src/common/scram.h
index 68672448..ffe22037 100644
--- a/src/common/scram.h
+++ b/src/common/scram.h
@@ -44,7 +44,7 @@ typedef enum
 } scram_status;
 
 scram_session *scram_session_create (const char *digset, const char *username, const char *password);
-void scram_free_session (scram_session *session);
+void scram_session_free (scram_session *session);
 scram_status scram_process (scram_session *session, const char *input, char **output, size_t *output_len);
 
 #endif
diff --git a/src/common/server.c b/src/common/server.c
index 97f8425d..c78ce900 100644
--- a/src/common/server.c
+++ b/src/common/server.c
@@ -1766,7 +1766,7 @@ server_set_defaults (server *serv)
 	g_free (serv->nick_prefixes);
 	g_free (serv->nick_modes);
 #ifdef USE_OPENSSL
-        g_clear_pointer (&serv->scram_session, scram_free_session);
+        g_clear_pointer (&serv->scram_session, scram_session_free);
 #endif
 	serv->chantypes = g_strdup ("#&!+");
 	serv->chanmodes = g_strdup ("beI,k,l");
@@ -1940,7 +1940,7 @@ server_free (server *serv)
 	if (serv->ctx)
 		_SSL_context_free (serv->ctx);
 
-        g_clear_pointer (&serv->scram_session, scram_free_session);
+        g_clear_pointer (&serv->scram_session, scram_session_free);
 #endif
 
 	fe_server_callback (serv);
-- 
cgit 1.4.1


From 00b297524d7f5df07ae5d0827bc0eb4018651765 Mon Sep 17 00:00:00 2001
From: Patrick Okraku <patrick@okraku.com>
Date: Sat, 30 Dec 2023 11:09:34 +0100
Subject: SASL SCRAM: create_nonce: changed data type

---
 src/common/scram.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/common/scram.c')

diff --git a/src/common/scram.c b/src/common/scram.c
index b39199de..f572d84d 100644
--- a/src/common/scram.c
+++ b/src/common/scram.c
@@ -78,7 +78,7 @@ scram_session_free (scram_session *session)
 }
 
 static int
-create_nonce (void *buffer, size_t length)
+create_nonce (char *buffer, size_t length)
 {
 	return RAND_bytes (buffer, length);
 }
-- 
cgit 1.4.1


From 0c4878554323e6cd9a60b3dd5b19ffccb40dfb63 Mon Sep 17 00:00:00 2001
From: Patrick Okraku <patrick@okraku.com>
Date: Sat, 30 Dec 2023 13:33:36 +0100
Subject: SASL SCRAM: create_nonce: changed data type

---
 src/common/scram.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/common/scram.c')

diff --git a/src/common/scram.c b/src/common/scram.c
index f572d84d..b39199de 100644
--- a/src/common/scram.c
+++ b/src/common/scram.c
@@ -78,7 +78,7 @@ scram_session_free (scram_session *session)
 }
 
 static int
-create_nonce (char *buffer, size_t length)
+create_nonce (void *buffer, size_t length)
 {
 	return RAND_bytes (buffer, length);
 }
-- 
cgit 1.4.1