Line data Source code
1 : //! Implementation of the SCRAM authentication algorithm.
2 :
3 : use super::messages::{
4 : ClientFinalMessage, ClientFirstMessage, OwnedServerFirstMessage, SCRAM_RAW_NONCE_LEN,
5 : };
6 : use super::secret::ServerSecret;
7 : use super::signature::SignatureBuilder;
8 : use crate::sasl::{self, ChannelBinding, Error as SaslError};
9 :
10 : /// The only channel binding mode we currently support.
11 : struct TlsServerEndPoint;
12 :
13 : impl std::fmt::Display for TlsServerEndPoint {
14 0 : fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
15 0 : write!(f, "tls-server-end-point")
16 0 : }
17 : }
18 :
19 : impl std::str::FromStr for TlsServerEndPoint {
20 : type Err = sasl::Error;
21 :
22 0 : fn from_str(s: &str) -> Result<Self, Self::Err> {
23 0 : match s {
24 0 : "tls-server-end-point" => Ok(TlsServerEndPoint),
25 0 : _ => Err(sasl::Error::ChannelBindingBadMethod(s.into())),
26 : }
27 0 : }
28 : }
29 :
30 : enum ExchangeState {
31 : /// Waiting for [`ClientFirstMessage`].
32 : Initial,
33 : /// Waiting for [`ClientFinalMessage`].
34 : SaltSent {
35 : cbind_flag: ChannelBinding<TlsServerEndPoint>,
36 : client_first_message_bare: String,
37 : server_first_message: OwnedServerFirstMessage,
38 : },
39 : }
40 :
41 : /// Server's side of SCRAM auth algorithm.
42 : pub struct Exchange<'a> {
43 : state: ExchangeState,
44 : secret: &'a ServerSecret,
45 : nonce: fn() -> [u8; SCRAM_RAW_NONCE_LEN],
46 : cert_digest: Option<&'a [u8]>,
47 : }
48 :
49 : impl<'a> Exchange<'a> {
50 30 : pub fn new(
51 30 : secret: &'a ServerSecret,
52 30 : nonce: fn() -> [u8; SCRAM_RAW_NONCE_LEN],
53 30 : cert_digest: Option<&'a [u8]>,
54 30 : ) -> Self {
55 30 : Self {
56 30 : state: ExchangeState::Initial,
57 30 : secret,
58 30 : nonce,
59 30 : cert_digest,
60 30 : }
61 30 : }
62 : }
63 :
64 : impl sasl::Mechanism for Exchange<'_> {
65 : type Output = super::ScramKey;
66 :
67 60 : fn exchange(mut self, input: &str) -> sasl::Result<sasl::Step<Self, Self::Output>> {
68 60 : use {sasl::Step::*, ExchangeState::*};
69 60 : match &self.state {
70 : Initial => {
71 30 : let client_first_message = ClientFirstMessage::parse(input)
72 30 : .ok_or(SaslError::BadClientMessage("invalid client-first-message"))?;
73 :
74 30 : let server_first_message = client_first_message.build_server_first_message(
75 30 : &(self.nonce)(),
76 30 : &self.secret.salt_base64,
77 30 : self.secret.iterations,
78 30 : );
79 30 : let msg = server_first_message.as_str().to_owned();
80 :
81 30 : self.state = SaltSent {
82 30 : cbind_flag: client_first_message.cbind_flag.and_then(str::parse)?,
83 30 : client_first_message_bare: client_first_message.bare.to_owned(),
84 30 : server_first_message,
85 30 : };
86 30 :
87 30 : Ok(Continue(self, msg))
88 : }
89 : SaltSent {
90 30 : cbind_flag,
91 30 : client_first_message_bare,
92 30 : server_first_message,
93 : } => {
94 30 : let client_final_message = ClientFinalMessage::parse(input)
95 30 : .ok_or(SaslError::BadClientMessage("invalid client-final-message"))?;
96 :
97 30 : let channel_binding = cbind_flag.encode(|_| {
98 0 : self.cert_digest
99 0 : .map(base64::encode)
100 0 : .ok_or(SaslError::ChannelBindingFailed("no cert digest provided"))
101 30 : })?;
102 :
103 : // This might've been caused by a MITM attack
104 30 : if client_final_message.channel_binding != channel_binding {
105 0 : return Err(SaslError::ChannelBindingFailed("data mismatch"));
106 30 : }
107 30 :
108 30 : if client_final_message.nonce != server_first_message.nonce() {
109 0 : return Err(SaslError::BadClientMessage("combined nonce doesn't match"));
110 30 : }
111 30 :
112 30 : let signature_builder = SignatureBuilder {
113 30 : client_first_message_bare,
114 30 : server_first_message: server_first_message.as_str(),
115 30 : client_final_message_without_proof: client_final_message.without_proof,
116 30 : };
117 30 :
118 30 : let client_key = signature_builder
119 30 : .build(&self.secret.stored_key)
120 30 : .derive_client_key(&client_final_message.proof);
121 30 :
122 30 : // Auth fails either if keys don't match or it's pre-determined to fail.
123 30 : if client_key.sha256() != self.secret.stored_key || self.secret.doomed {
124 4 : return Ok(Failure("password doesn't match"));
125 26 : }
126 26 :
127 26 : let msg = client_final_message
128 26 : .build_server_final_message(signature_builder, &self.secret.server_key);
129 26 :
130 26 : Ok(Success(client_key, msg))
131 : }
132 : }
133 60 : }
134 : }
|
