mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-18 08:39:47 +01:00
208 lines
5.9 KiB
Go
208 lines
5.9 KiB
Go
|
// @author Couchbase <info@couchbase.com>
|
||
|
// @copyright 2018 Couchbase, Inc.
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
|
||
|
// Package scramsha provides implementation of client side SCRAM-SHA
|
||
|
// according to https://tools.ietf.org/html/rfc5802
|
||
|
package scramsha
|
||
|
|
||
|
import (
|
||
|
"crypto/hmac"
|
||
|
"crypto/rand"
|
||
|
"crypto/sha1"
|
||
|
"crypto/sha256"
|
||
|
"crypto/sha512"
|
||
|
"encoding/base64"
|
||
|
"fmt"
|
||
|
"github.com/pkg/errors"
|
||
|
"golang.org/x/crypto/pbkdf2"
|
||
|
"hash"
|
||
|
"strconv"
|
||
|
"strings"
|
||
|
)
|
||
|
|
||
|
func hmacHash(message []byte, secret []byte, hashFunc func() hash.Hash) []byte {
|
||
|
h := hmac.New(hashFunc, secret)
|
||
|
h.Write(message)
|
||
|
return h.Sum(nil)
|
||
|
}
|
||
|
|
||
|
func shaHash(message []byte, hashFunc func() hash.Hash) []byte {
|
||
|
h := hashFunc()
|
||
|
h.Write(message)
|
||
|
return h.Sum(nil)
|
||
|
}
|
||
|
|
||
|
func generateClientNonce(size int) (string, error) {
|
||
|
randomBytes := make([]byte, size)
|
||
|
_, err := rand.Read(randomBytes)
|
||
|
if err != nil {
|
||
|
return "", errors.Wrap(err, "Unable to generate nonce")
|
||
|
}
|
||
|
return base64.StdEncoding.EncodeToString(randomBytes), nil
|
||
|
}
|
||
|
|
||
|
// ScramSha provides context for SCRAM-SHA handling
|
||
|
type ScramSha struct {
|
||
|
hashSize int
|
||
|
hashFunc func() hash.Hash
|
||
|
clientNonce string
|
||
|
serverNonce string
|
||
|
salt []byte
|
||
|
i int
|
||
|
saltedPassword []byte
|
||
|
authMessage string
|
||
|
}
|
||
|
|
||
|
var knownMethods = []string{"SCRAM-SHA512", "SCRAM-SHA256", "SCRAM-SHA1"}
|
||
|
|
||
|
// BestMethod returns SCRAM-SHA method we consider the best out of suggested
|
||
|
// by server
|
||
|
func BestMethod(methods string) (string, error) {
|
||
|
for _, m := range knownMethods {
|
||
|
if strings.Index(methods, m) != -1 {
|
||
|
return m, nil
|
||
|
}
|
||
|
}
|
||
|
return "", errors.Errorf(
|
||
|
"None of the server suggested methods [%s] are supported",
|
||
|
methods)
|
||
|
}
|
||
|
|
||
|
// NewScramSha creates context for SCRAM-SHA handling
|
||
|
func NewScramSha(method string) (*ScramSha, error) {
|
||
|
s := &ScramSha{}
|
||
|
|
||
|
if method == knownMethods[0] {
|
||
|
s.hashFunc = sha512.New
|
||
|
s.hashSize = 64
|
||
|
} else if method == knownMethods[1] {
|
||
|
s.hashFunc = sha256.New
|
||
|
s.hashSize = 32
|
||
|
} else if method == knownMethods[2] {
|
||
|
s.hashFunc = sha1.New
|
||
|
s.hashSize = 20
|
||
|
} else {
|
||
|
return nil, errors.Errorf("Unsupported method %s", method)
|
||
|
}
|
||
|
return s, nil
|
||
|
}
|
||
|
|
||
|
// GetStartRequest builds start SCRAM-SHA request to be sent to server
|
||
|
func (s *ScramSha) GetStartRequest(user string) (string, error) {
|
||
|
var err error
|
||
|
s.clientNonce, err = generateClientNonce(24)
|
||
|
if err != nil {
|
||
|
return "", errors.Wrapf(err, "Unable to generate SCRAM-SHA "+
|
||
|
"start request for user %s", user)
|
||
|
}
|
||
|
|
||
|
message := fmt.Sprintf("n,,n=%s,r=%s", user, s.clientNonce)
|
||
|
s.authMessage = message[3:]
|
||
|
return message, nil
|
||
|
}
|
||
|
|
||
|
// HandleStartResponse handles server response on start SCRAM-SHA request
|
||
|
func (s *ScramSha) HandleStartResponse(response string) error {
|
||
|
parts := strings.Split(response, ",")
|
||
|
if len(parts) != 3 {
|
||
|
return errors.Errorf("expected 3 fields in first SCRAM-SHA-1 "+
|
||
|
"server message %s", response)
|
||
|
}
|
||
|
if !strings.HasPrefix(parts[0], "r=") || len(parts[0]) < 3 {
|
||
|
return errors.Errorf("Server sent an invalid nonce %s",
|
||
|
parts[0])
|
||
|
}
|
||
|
if !strings.HasPrefix(parts[1], "s=") || len(parts[1]) < 3 {
|
||
|
return errors.Errorf("Server sent an invalid salt %s", parts[1])
|
||
|
}
|
||
|
if !strings.HasPrefix(parts[2], "i=") || len(parts[2]) < 3 {
|
||
|
return errors.Errorf("Server sent an invalid iteration count %s",
|
||
|
parts[2])
|
||
|
}
|
||
|
|
||
|
s.serverNonce = parts[0][2:]
|
||
|
encodedSalt := parts[1][2:]
|
||
|
var err error
|
||
|
s.i, err = strconv.Atoi(parts[2][2:])
|
||
|
if err != nil {
|
||
|
return errors.Errorf("Iteration count %s must be integer.",
|
||
|
parts[2][2:])
|
||
|
}
|
||
|
|
||
|
if s.i < 1 {
|
||
|
return errors.New("Iteration count should be positive")
|
||
|
}
|
||
|
|
||
|
if !strings.HasPrefix(s.serverNonce, s.clientNonce) {
|
||
|
return errors.Errorf("Server nonce %s doesn't contain client"+
|
||
|
" nonce %s", s.serverNonce, s.clientNonce)
|
||
|
}
|
||
|
|
||
|
s.salt, err = base64.StdEncoding.DecodeString(encodedSalt)
|
||
|
if err != nil {
|
||
|
return errors.Wrapf(err, "Unable to decode salt %s",
|
||
|
encodedSalt)
|
||
|
}
|
||
|
|
||
|
s.authMessage = s.authMessage + "," + response
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// GetFinalRequest builds final SCRAM-SHA request to be sent to server
|
||
|
func (s *ScramSha) GetFinalRequest(pass string) string {
|
||
|
clientFinalMessageBare := "c=biws,r=" + s.serverNonce
|
||
|
s.authMessage = s.authMessage + "," + clientFinalMessageBare
|
||
|
|
||
|
s.saltedPassword = pbkdf2.Key([]byte(pass), s.salt, s.i,
|
||
|
s.hashSize, s.hashFunc)
|
||
|
|
||
|
clientKey := hmacHash([]byte("Client Key"), s.saltedPassword, s.hashFunc)
|
||
|
storedKey := shaHash(clientKey, s.hashFunc)
|
||
|
clientSignature := hmacHash([]byte(s.authMessage), storedKey, s.hashFunc)
|
||
|
|
||
|
clientProof := make([]byte, len(clientSignature))
|
||
|
for i := 0; i < len(clientSignature); i++ {
|
||
|
clientProof[i] = clientKey[i] ^ clientSignature[i]
|
||
|
}
|
||
|
|
||
|
return clientFinalMessageBare + ",p=" +
|
||
|
base64.StdEncoding.EncodeToString(clientProof)
|
||
|
}
|
||
|
|
||
|
// HandleFinalResponse handles server's response on final SCRAM-SHA request
|
||
|
func (s *ScramSha) HandleFinalResponse(response string) error {
|
||
|
if strings.Contains(response, ",") ||
|
||
|
!strings.HasPrefix(response, "v=") {
|
||
|
return errors.Errorf("Server sent an invalid final message %s",
|
||
|
response)
|
||
|
}
|
||
|
|
||
|
decodedMessage, err := base64.StdEncoding.DecodeString(response[2:])
|
||
|
if err != nil {
|
||
|
return errors.Wrapf(err, "Unable to decode server message %s",
|
||
|
response[2:])
|
||
|
}
|
||
|
serverKey := hmacHash([]byte("Server Key"), s.saltedPassword,
|
||
|
s.hashFunc)
|
||
|
serverSignature := hmacHash([]byte(s.authMessage), serverKey,
|
||
|
s.hashFunc)
|
||
|
if string(decodedMessage) != string(serverSignature) {
|
||
|
return errors.Errorf("Server proof %s doesn't match "+
|
||
|
"the expected: %s",
|
||
|
string(decodedMessage), string(serverSignature))
|
||
|
}
|
||
|
return nil
|
||
|
}
|