From 9b76b557ecaece2a5fa862ea4dc75ed613e3fbf0 Mon Sep 17 00:00:00 2001 From: Patrick Okraku Date: Wed, 1 Nov 2023 19:12:32 +0100 Subject: Added support for SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512 --- src/common/scram.c | 323 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 323 insertions(+) create mode 100644 src/common/scram.c (limited to 'src/common/scram.c') diff --git a/src/common/scram.c b/src/common/scram.c new file mode 100644 index 00000000..529abd5d --- /dev/null +++ b/src/common/scram.c @@ -0,0 +1,323 @@ +/* HexChat + * Copyright (C) 2023 Patrick Okraku + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#include "hexchat.h" + +#ifdef USE_OPENSSL + +#include "scram.h" +#include +#include + +#define NONCE_LENGTH 18 +#define CLIENT_KEY "Client Key" +#define SERVER_KEY "Server Key" + +// EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed in OpenSSL 1.1.0 +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) +#define EVP_MD_CTX_new(ctx) EVP_MD_CTX_create(ctx) +#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx) +#endif + +scram_session +*scram_create_session (const char *digest, const char *username, const char *password) +{ + scram_session *session; + const EVP_MD *md; +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + OpenSSL_add_all_algorithms (); +#endif + md = EVP_get_digestbyname (digest); + + if (md == NULL) + { + // Unknown message digest + return NULL; + } + + session = g_new0 (scram_session, 1); + session->digest = md; + session->digest_size = EVP_MD_size (md); + session->username = g_strdup (username); + session->password = g_strdup (password); + return session; +} + +void +scram_free_session (scram_session *session) +{ + if (session == NULL) + { + return; + } + + g_free (session->username); + g_free (session->password); + g_free (session->client_nonce_b64); + g_free (session->client_first_message_bare); + g_free (session->salted_password); + g_free (session->auth_message); + g_free (session->error); + + g_free (session); +} + +static int +create_nonce (void *buffer, size_t length) +{ + return RAND_bytes (buffer, length); +} + +static int +create_SHA (scram_session *session, const unsigned char *input, size_t input_len, + unsigned char *output, unsigned int *output_len) +{ + EVP_MD_CTX *md_ctx = EVP_MD_CTX_new (); + + if (!EVP_DigestInit_ex (md_ctx, session->digest, NULL)) + { + session->error = g_strdup ("Message digest initialization failed"); + EVP_MD_CTX_free (md_ctx); + return SCRAM_ERROR; + } + + if (!EVP_DigestUpdate (md_ctx, input, input_len)) + { + session->error = g_strdup ("Message digest update failed"); + EVP_MD_CTX_free (md_ctx); + return SCRAM_ERROR; + } + + if (!EVP_DigestFinal_ex (md_ctx, output, output_len)) + { + session->error = g_strdup ("Message digest finalization failed"); + EVP_MD_CTX_free (md_ctx); + return SCRAM_ERROR; + } + + EVP_MD_CTX_free (md_ctx); + return SCRAM_IN_PROGRESS; +} + +static scram_status +process_client_first (scram_session *session, char **output, size_t *output_len) +{ + char nonce[NONCE_LENGTH]; + + if (!create_nonce (nonce, NONCE_LENGTH)) + { + session->error = g_strdup ("Could not create client nonce"); + return SCRAM_ERROR; + } + + session->client_nonce_b64 = g_base64_encode ((guchar *) nonce, NONCE_LENGTH); + *output = g_strdup_printf ("n,,n=%s,r=%s", session->username, session->client_nonce_b64); + *output_len = strlen (*output); + session->client_first_message_bare = g_strdup (*output + 3); + session->step++; + return SCRAM_IN_PROGRESS; +} + +static scram_status +process_server_first (scram_session *session, const char *data, char **output, + size_t *output_len) +{ + char **params, *client_final_message_without_proof, *salt, *server_nonce_b64, + *client_proof_b64; + unsigned char *client_key, stored_key[EVP_MAX_MD_SIZE], *client_signature, *client_proof; + unsigned int i, param_count, iteration_count, client_key_len, stored_key_len; + gsize salt_len = 0; + size_t client_nonce_len; + + params = g_strsplit (data, ",", -1); + param_count = g_strv_length (params); + + if (param_count < 3) + { + session->error = g_strdup_printf ("Invalid server-first-message: %s", data); + g_strfreev (params); + return SCRAM_ERROR; + } + + server_nonce_b64 = NULL; + salt = NULL; + iteration_count = 0; + + for (i = 0; i < param_count; i++) + { + if (!strncmp (params[i], "r=", 2)) + { + server_nonce_b64 = g_strdup (params[i] + 2); + } + else if (!strncmp (params[i], "s=", 2)) + { + salt = g_strdup (params[i] + 2); + } + else if (!strncmp (params[i], "i=", 2)) + { + iteration_count = strtoul (params[i] + 2, NULL, 10); + } + } + + g_strfreev (params); + + if (server_nonce_b64 == NULL || *server_nonce_b64 == '\0' || salt == NULL || + *salt == '\0' || iteration_count == 0) + { + session->error = g_strdup_printf ("Invalid server-first-message: %s", data); + return SCRAM_ERROR; + } + + client_nonce_len = strlen (session->client_nonce_b64); + + // The server can append his nonce to the client's nonce + if (strlen (server_nonce_b64) < client_nonce_len || + strncmp (server_nonce_b64, session->client_nonce_b64, client_nonce_len)) + { + session->error = g_strdup_printf ("Invalid server nonce: %s", server_nonce_b64); + return SCRAM_ERROR; + } + + g_base64_decode_inplace ((gchar *) salt, &salt_len); + + // SaltedPassword := Hi(Normalize(password), salt, i) + session->salted_password = g_malloc (session->digest_size); + + PKCS5_PBKDF2_HMAC (session->password, strlen (session->password), (unsigned char *) salt, + salt_len, iteration_count, session->digest, session->digest_size, + session->salted_password); + + // AuthMessage := client-first-message-bare + "," + + // server-first-message + "," + + // client-final-message-without-proof + client_final_message_without_proof = g_strdup_printf ("c=biws,r=%s", server_nonce_b64); + + session->auth_message = g_strdup_printf ("%s,%s,%s", session->client_first_message_bare, + data, client_final_message_without_proof); + + // ClientKey := HMAC(SaltedPassword, "Client Key") + client_key = g_malloc0 (session->digest_size); + + HMAC (session->digest, session->salted_password, session->digest_size, + (unsigned char *) CLIENT_KEY, strlen (CLIENT_KEY), client_key, &client_key_len); + + // StoredKey := H(ClientKey) + if (!create_SHA (session, client_key, session->digest_size, stored_key, &stored_key_len)) + { + return SCRAM_ERROR; + } + + // ClientSignature := HMAC(StoredKey, AuthMessage) + client_signature = g_malloc0 (session->digest_size); + HMAC (session->digest, stored_key, stored_key_len, (unsigned char *) session->auth_message, + strlen ((char *) session->auth_message), client_signature, NULL); + + // ClientProof := ClientKey XOR ClientSignature + client_proof = g_malloc0 (client_key_len); + + for (i = 0; i < client_key_len; i++) + { + client_proof[i] = client_key[i] ^ client_signature[i]; + } + + client_proof_b64 = g_base64_encode ((guchar *) client_proof, client_key_len); + + *output = g_strdup_printf ("%s,p=%s", client_final_message_without_proof, client_proof_b64); + *output_len = strlen (*output); + + g_free (server_nonce_b64); + g_free (client_final_message_without_proof); + g_free (salt); + g_free (client_signature); + g_free (client_proof); + + session->step++; + return SCRAM_IN_PROGRESS; +} + +static scram_status +process_server_final (scram_session *session, const char *data) +{ + char *verifier; + unsigned char *server_key, *server_signature; + unsigned int server_key_len = 0, server_signature_len = 0; + gsize verifier_len = 0; + + if (strlen (data) < 3 || (data[0] != 'v' && data[1] != '=')) + { + return SCRAM_ERROR; + } + + verifier = g_strdup (data + 2); + g_base64_decode_inplace (verifier, &verifier_len); + + // ServerKey := HMAC(SaltedPassword, "Server Key") + server_key = g_malloc0 (session->digest_size); + HMAC (session->digest, session->salted_password, session->digest_size, + (unsigned char *) SERVER_KEY, strlen (SERVER_KEY), server_key, &server_key_len); + + // ServerSignature := HMAC(ServerKey, AuthMessage) + server_signature = g_malloc0 (session->digest_size); + HMAC (session->digest, server_key, session->digest_size, + (unsigned char *) session->auth_message, strlen ((char *) session->auth_message), + server_signature, &server_signature_len); + + if (verifier_len == server_signature_len && + memcmp (verifier, server_signature, verifier_len) == 0) + { + g_free (verifier); + g_free (server_key); + g_free (server_signature); + return SCRAM_SUCCESS; + } + else + { + g_free (verifier); + g_free (server_key); + g_free (server_signature); + return SCRAM_ERROR; + } +} + +scram_status +scram_process (scram_session *session, const char *input, char **output, size_t *output_len) +{ + scram_status status; + + switch (session->step) + { + case 0: + status = process_client_first (session, output, output_len); + break; + case 1: + status = process_server_first (session, input, output, output_len); + break; + case 2: + status = process_server_final (session, input); + break; + default: + *output = NULL; + *output_len = 0; + status = SCRAM_ERROR; + break; + } + + return status; +} + +#endif \ No newline at end of file -- cgit 1.4.1