You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

287 lines
8.3 KiB

// Copyright 2016 The Mellium Contributors.
// Use of this source code is governed by the BSD 2-clause
// license that can be found in the LICENSE file.
package sasl
import (
const (
exporterLen = 32
exporterLabel = "EXPORTER-Channel-Binding"
gs2HeaderCBSupportUnique = "p=tls-unique,"
gs2HeaderCBSupportExporter = "p=tls-exporter,"
gs2HeaderNoServerCBSupport = "y,"
gs2HeaderNoCBSupport = "n,"
var (
clientKeyInput = []byte("Client Key")
serverKeyInput = []byte("Server Key")
// The number of random bytes to generate for a nonce.
const noncerandlen = 16
func getGS2Header(name string, n *Negotiator) (gs2Header []byte) {
_, _, identity := n.Credentials()
tlsState := n.TLSState()
switch {
case tlsState == nil || !strings.HasSuffix(name, "-PLUS"):
// We do not support channel binding
gs2Header = []byte(gs2HeaderNoCBSupport)
case n.State()&RemoteCB == RemoteCB:
// We support channel binding and the server does too
if tlsState.Version >= tls.VersionTLS13 {
gs2Header = []byte(gs2HeaderCBSupportExporter)
} else {
gs2Header = []byte(gs2HeaderCBSupportUnique)
case n.State()&RemoteCB != RemoteCB:
// We support channel binding but the server does not
gs2Header = []byte(gs2HeaderNoServerCBSupport)
if len(identity) > 0 {
gs2Header = append(gs2Header, []byte(`a=`)...)
gs2Header = append(gs2Header, identity...)
gs2Header = append(gs2Header, ',')
func scram(name string, fn func() hash.Hash) Mechanism {
// BUG(ssw): We need a way to cache the SCRAM client and server key
// calculations.
return Mechanism{
Name: name,
Start: func(m *Negotiator) (bool, []byte, interface{}, error) {
user, _, _ := m.Credentials()
// Escape "=" and ",". This is mostly the same as bytes.Replace but
// faster because we can do both replacements in a single pass.
n := bytes.Count(user, []byte{'='}) + bytes.Count(user, []byte{','})
username := make([]byte, len(user)+(n*2))
w := 0
start := 0
for i := 0; i < n; i++ {
j := start
j += bytes.IndexAny(user[start:], "=,")
w += copy(username[w:], user[start:j])
switch user[j] {
case '=':
w += copy(username[w:], "=3D")
case ',':
w += copy(username[w:], "=2C")
start = j + 1
copy(username[w:], user[start:])
clientFirstMessage := make([]byte, 5+len(m.Nonce())+len(username))
copy(clientFirstMessage, "n=")
copy(clientFirstMessage[2:], username)
copy(clientFirstMessage[2+len(username):], ",r=")
copy(clientFirstMessage[5+len(username):], m.Nonce())
return true, append(getGS2Header(name, m), clientFirstMessage...), clientFirstMessage, nil
Next: func(m *Negotiator, challenge []byte, data interface{}) (more bool, resp []byte, cache interface{}, err error) {
if len(challenge) == 0 {
return more, resp, cache, ErrInvalidChallenge
if m.State()&Receiving == Receiving {
panic("not yet implemented")
return scramClientNext(name, fn, m, challenge, data)
func scramClientNext(name string, fn func() hash.Hash, m *Negotiator, challenge []byte, data interface{}) (more bool, resp []byte, cache interface{}, err error) {
_, password, _ := m.Credentials()
state := m.State()
switch state & StepMask {
case AuthTextSent:
iter := -1
var salt, nonce []byte
remain := challenge
for {
var field []byte
field, remain = nextParam(remain)
if len(field) < 3 || (len(field) >= 2 && field[1] != '=') {
switch field[0] {
case 'i':
ival := string(bytes.TrimRight(field[2:], "\x00"))
if iter, err = strconv.Atoi(ival); err != nil {
case 's':
salt = make([]byte, base64.StdEncoding.DecodedLen(len(field)-2))
var n int
n, err = base64.StdEncoding.Decode(salt, field[2:])
salt = salt[:n]
if err != nil {
case 'r':
nonce = field[2:]
case 'm':
// RFC 5802:
// m: This attribute is reserved for future extensibility. In this
// version of SCRAM, its presence in a client or a server message
// MUST cause authentication failure when the attribute is parsed by
// the other end.
err = errors.New("server sent reserved attribute `m'")
if remain == nil {
switch {
case iter < 0:
err = errors.New("iteration count is invalid")
case nonce == nil || !bytes.HasPrefix(nonce, m.Nonce()):
err = errors.New("server nonce does not match client nonce")
case salt == nil:
err = errors.New("server sent empty salt")
gs2Header := getGS2Header(name, m)
tlsState := m.TLSState()
var channelBinding []byte
switch plus := strings.HasSuffix(name, "-PLUS"); {
case plus && tlsState == nil:
err = errors.New("sasl: SCRAM with channel binding requires a TLS connection")
case bytes.Contains(gs2Header, []byte(gs2HeaderCBSupportExporter)):
keying, err := tlsState.ExportKeyingMaterial(exporterLabel, nil, exporterLen)
if err != nil {
return false, nil, nil, err
if len(keying) == 0 {
err = errors.New("sasl: SCRAM with channel binding requires valid TLS keying material")
return false, nil, nil, err
channelBinding = make([]byte, 2+base64.StdEncoding.EncodedLen(len(gs2Header)+len(keying)))
channelBinding[0] = 'c'
channelBinding[1] = '='
base64.StdEncoding.Encode(channelBinding[2:], append(gs2Header, keying...))
case bytes.Contains(gs2Header, []byte(gs2HeaderCBSupportUnique)):
//lint:ignore SA1019 TLS unique must be supported by SCRAM
if len(tlsState.TLSUnique) == 0 {
err = errors.New("sasl: SCRAM with channel binding requires valid tls-unique data")
return false, nil, nil, err
channelBinding = make(
//lint:ignore SA1019 TLS unique must be supported by SCRAM
channelBinding[0] = 'c'
channelBinding[1] = '='
//lint:ignore SA1019 TLS unique must be supported by SCRAM
base64.StdEncoding.Encode(channelBinding[2:], append(gs2Header, tlsState.TLSUnique...))
channelBinding = make(
channelBinding[0] = 'c'
channelBinding[1] = '='
base64.StdEncoding.Encode(channelBinding[2:], gs2Header)
clientFinalMessageWithoutProof := append(channelBinding, []byte(",r=")...)
clientFinalMessageWithoutProof = append(clientFinalMessageWithoutProof, nonce...)
clientFirstMessage := data.([]byte)
authMessage := append(clientFirstMessage, ',')
authMessage = append(authMessage, challenge...)
authMessage = append(authMessage, ',')
authMessage = append(authMessage, clientFinalMessageWithoutProof...)
saltedPassword := pbkdf2.Key(password, salt, iter, fn().Size(), fn)
h := hmac.New(fn, saltedPassword)
_, err = h.Write(serverKeyInput)
if err != nil {
serverKey := h.Sum(nil)
_, err = h.Write(clientKeyInput)
if err != nil {
clientKey := h.Sum(nil)
h = hmac.New(fn, serverKey)
_, err = h.Write(authMessage)
if err != nil {
serverSignature := h.Sum(nil)
h = fn()
_, err = h.Write(clientKey)
if err != nil {
storedKey := h.Sum(nil)
h = hmac.New(fn, storedKey)
_, err = h.Write(authMessage)
if err != nil {
clientSignature := h.Sum(nil)
clientProof := make([]byte, len(clientKey))
xorBytes(clientProof, clientKey, clientSignature)
encodedClientProof := make([]byte, base64.StdEncoding.EncodedLen(len(clientProof)))
base64.StdEncoding.Encode(encodedClientProof, clientProof)
clientFinalMessage := append(clientFinalMessageWithoutProof, []byte(",p=")...)
clientFinalMessage = append(clientFinalMessage, encodedClientProof...)
return true, clientFinalMessage, serverSignature, nil
case ResponseSent:
clientCalculatedServerFinalMessage := "v=" + base64.StdEncoding.EncodeToString(data.([]byte))
if clientCalculatedServerFinalMessage != string(challenge) {
err = ErrAuthn
// Success!
return false, nil, nil, nil
err = ErrInvalidState
func nextParam(params []byte) ([]byte, []byte) {
idx := bytes.IndexByte(params, ',')
if idx == -1 {
return params, nil
return params[:idx], params[idx+1:]