1// Package scram implements the SCRAM-SHA-* SASL authentication mechanism, RFC 7677 and RFC 5802.
3// SCRAM-SHA-256 and SCRAM-SHA-1 allow a client to authenticate to a server using a
4// password without handing plaintext password over to the server. The client also
5// verifies the server knows (a derivative of) the password.
8// todo: test with messages that contains extensions
9// todo: some tests for the parser
10// todo: figure out how invalid parameters etc should be handled. just abort? perhaps mostly a problem for imap.
15 cryptorand "crypto/rand"
22 "golang.org/x/crypto/pbkdf2"
23 "golang.org/x/text/unicode/norm"
26// Errors at scram protocol level. Can be exchanged between client and server.
28 ErrInvalidEncoding Error = "invalid-encoding"
29 ErrExtensionsNotSupported Error = "extensions-not-supported"
30 ErrInvalidProof Error = "invalid-proof"
31 ErrChannelBindingsDontMatch Error = "channel-bindings-dont-match"
32 ErrServerDoesSupportChannelBinding Error = "server-does-support-channel-binding"
33 ErrChannelBindingNotSupported Error = "channel-binding-not-supported"
34 ErrUnsupportedChannelBindingType Error = "unsupported-channel-binding-type"
35 ErrUnknownUser Error = "unknown-user"
36 ErrNoResources Error = "no-resources"
37 ErrOtherError Error = "other-error"
40var scramErrors = makeErrors()
42func makeErrors() map[string]Error {
45 ErrExtensionsNotSupported,
47 ErrChannelBindingsDontMatch,
48 ErrServerDoesSupportChannelBinding,
49 ErrChannelBindingNotSupported,
50 ErrUnsupportedChannelBindingType,
55 m := map[string]Error{}
63 ErrNorm = errors.New("parameter not unicode normalized") // E.g. if client sends non-normalized username or authzid.
64 ErrUnsafe = errors.New("unsafe parameter") // E.g. salt, nonce too short, or too few iterations.
65 ErrProtocol = errors.New("protocol error") // E.g. server responded with a nonce not prefixed by the client nonce.
70func (e Error) Error() string {
74// MakeRandom returns a cryptographically random buffer for use as salt or as
76func MakeRandom() []byte {
77 buf := make([]byte, 12)
78 _, err := cryptorand.Read(buf)
80 panic("generate random")
85// SaltPassword returns a salted password.
86func SaltPassword(h func() hash.Hash, password string, salt []byte, iterations int) []byte {
87 password = norm.NFC.String(password)
88 return pbkdf2.Key([]byte(password), salt, iterations, h().Size(), h)
91// HMAC returns the hmac with key over msg.
92func HMAC(h func() hash.Hash, key []byte, msg string) []byte {
93 mac := hmac.New(h, key)
94 mac.Write([]byte(msg))
98func xor(a, b []byte) {
104// Server represents the server-side of a SCRAM-SHA-* authentication.
106 Authentication string // Username for authentication, "authc". Always set and non-empty.
107 Authorization string // If set, role of user to assume after authentication, "authz".
109 h func() hash.Hash // sha1.New or sha256.New
111 // Messages used in hash calculations.
112 clientFirstBare string
114 clientFinalWithoutProof string
117 clientNonce string // Client-part of the nonce.
118 serverNonceOverride string // If set, server does not generate random nonce, but uses this. For tests with the test vector.
119 nonce string // Full client + server nonce.
122// NewServer returns a server given the first SCRAM message from a client.
124// The sequence for data and calls on a server:
126// - Read initial data from client, call NewServer (this call), then ServerFirst and write to the client.
127// - Read response from client, call Finish or FinishFinal and write the resulting string.
128func NewServer(h func() hash.Hash, clientFirst []byte) (server *Server, rerr error) {
129 p := newParser(clientFirst)
130 defer p.recover(&rerr)
132 server = &Server{h: h}
135 gs2cbindFlag := p.xbyte()
136 switch gs2cbindFlag {
139 p.xerrorf("gs2 header with p: %w", ErrChannelBindingNotSupported)
143 server.Authorization = p.xauthzid()
144 if norm.NFC.String(server.Authorization) != server.Authorization {
145 return nil, fmt.Errorf("%w: authzid", ErrNorm)
149 server.gs2header = p.s[:p.o]
150 server.clientFirstBare = p.s[p.o:]
154 p.xerrorf("unexpected mandatory extension: %w", ErrExtensionsNotSupported)
156 server.Authentication = p.xusername()
157 if norm.NFC.String(server.Authentication) != server.Authentication {
158 return nil, fmt.Errorf("%w: username", ErrNorm)
161 server.clientNonce = p.xnonce()
162 if len(server.clientNonce) < 8 {
163 return nil, fmt.Errorf("%w: client nonce too short", ErrUnsafe)
165 // Extensions, we don't recognize them.
173// ServerFirst returns the string to send back to the client. To be called after NewServer.
174func (s *Server) ServerFirst(iterations int, salt []byte) (string, error) {
176 serverNonce := s.serverNonceOverride
177 if serverNonce == "" {
178 serverNonce = base64.StdEncoding.EncodeToString(MakeRandom())
180 s.nonce = s.clientNonce + serverNonce
181 s.serverFirst = fmt.Sprintf("r=%s,s=%s,i=%d", s.nonce, base64.StdEncoding.EncodeToString(salt), iterations)
182 return s.serverFirst, nil
185// Finish takes the final client message, and the salted password (probably
186// from server storage), verifies the client, and returns a message to return
187// to the client. If err is nil, authentication was successful. If the
188// authorization requested is not acceptable, the server should call
189// FinishError instead.
190func (s *Server) Finish(clientFinal []byte, saltedPassword []byte) (serverFinal string, rerr error) {
191 p := newParser(clientFinal)
192 defer p.recover(&rerr)
194 cbind := p.xchannelBinding()
195 if cbind != s.gs2header {
196 return "e=" + string(ErrChannelBindingsDontMatch), ErrChannelBindingsDontMatch
200 if nonce != s.nonce {
201 return "e=" + string(ErrInvalidProof), ErrInvalidProof
205 p.xattrval() // Ignored.
207 s.clientFinalWithoutProof = p.s[:p.o]
212 msg := s.clientFirstBare + "," + s.serverFirst + "," + s.clientFinalWithoutProof
214 clientKey := HMAC(s.h, saltedPassword, "Client Key")
217 storedKey := h.Sum(nil)
219 clientSig := HMAC(s.h, storedKey, msg)
220 xor(clientSig, clientKey) // Now clientProof.
221 if !bytes.Equal(clientSig, proof) {
222 return "e=" + string(ErrInvalidProof), ErrInvalidProof
225 serverKey := HMAC(s.h, saltedPassword, "Server Key")
226 serverSig := HMAC(s.h, serverKey, msg)
227 return fmt.Sprintf("v=%s", base64.StdEncoding.EncodeToString(serverSig)), nil
230// FinishError returns an error message to write to the client for the final
232func (s *Server) FinishError(err Error) string {
233 return "e=" + string(err)
236// Client represents the client-side of a SCRAM-SHA-* authentication.
241 h func() hash.Hash // sha1.New or sha256.New
243 // Messages used in hash calculations.
244 clientFirstBare string
246 clientFinalWithoutProof string
251 nonce string // Full client + server nonce.
252 saltedPassword []byte
255// NewClient returns a client for authentication authc, optionally for
256// authorization with role authz, for the hash (sha1.New or sha256.New).
258// The sequence for data and calls on a client:
260// - ClientFirst, write result to server.
261// - Read response from server, feed to ServerFirst, write response to server.
262// - Read response from server, feed to ServerFinal.
263func NewClient(h func() hash.Hash, authc, authz string) *Client {
264 authc = norm.NFC.String(authc)
265 authz = norm.NFC.String(authz)
266 return &Client{authc: authc, authz: authz, h: h}
269// ClientFirst returns the first client message to write to the server.
270// No channel binding is done/supported.
271// A random nonce is generated.
272func (c *Client) ClientFirst() (clientFirst string, rerr error) {
273 c.gs2header = fmt.Sprintf("n,%s,", saslname(c.authz))
274 if c.clientNonce == "" {
275 c.clientNonce = base64.StdEncoding.EncodeToString(MakeRandom())
277 c.clientFirstBare = fmt.Sprintf("n=%s,r=%s", saslname(c.authc), c.clientNonce)
278 return c.gs2header + c.clientFirstBare, nil
281// ServerFirst processes the first response message from the server. The
282// provided nonce, salt and iterations are checked. If valid, a final client
283// message is calculated and returned. This message must be written to the
284// server. It includes proof that the client knows the password.
285func (c *Client) ServerFirst(serverFirst []byte, password string) (clientFinal string, rerr error) {
286 c.serverFirst = string(serverFirst)
287 p := newParser(serverFirst)
288 defer p.recover(&rerr)
292 p.xerrorf("unsupported mandatory extension: %w", ErrExtensionsNotSupported)
299 iterations := p.xiterations()
300 // We ignore extensions that we don't know about.
306 if !strings.HasPrefix(c.nonce, c.clientNonce) {
307 return "", fmt.Errorf("%w: server dropped our nonce", ErrProtocol)
309 if len(c.nonce)-len(c.clientNonce) < 8 {
310 return "", fmt.Errorf("%w: server nonce too short", ErrUnsafe)
313 return "", fmt.Errorf("%w: salt too short", ErrUnsafe)
315 if iterations < 2048 {
316 return "", fmt.Errorf("%w: too few iterations", ErrUnsafe)
319 c.clientFinalWithoutProof = fmt.Sprintf("c=%s,r=%s", base64.StdEncoding.EncodeToString([]byte(c.gs2header)), c.nonce)
321 c.authMessage = c.clientFirstBare + "," + c.serverFirst + "," + c.clientFinalWithoutProof
323 c.saltedPassword = SaltPassword(c.h, password, salt, iterations)
324 clientKey := HMAC(c.h, c.saltedPassword, "Client Key")
327 storedKey := h.Sum(nil)
328 clientSig := HMAC(c.h, storedKey, c.authMessage)
329 xor(clientSig, clientKey) // Now clientProof.
330 clientProof := clientSig
332 r := c.clientFinalWithoutProof + ",p=" + base64.StdEncoding.EncodeToString(clientProof)
336// ServerFinal processes the final message from the server, verifying that the
337// server knows the password.
338func (c *Client) ServerFinal(serverFinal []byte) (rerr error) {
339 p := newParser(serverFinal)
340 defer p.recover(&rerr)
344 var err error = scramErrors[errstr]
345 if err == Error("") {
346 err = errors.New(errstr)
348 return fmt.Errorf("error from server: %w", err)
351 verifier := p.xbase64()
353 serverKey := HMAC(c.h, c.saltedPassword, "Server Key")
354 serverSig := HMAC(c.h, serverKey, c.authMessage)
355 if !bytes.Equal(verifier, serverSig) {
356 return fmt.Errorf("incorrect server signature")
361// Convert "," to =2C and "=" to =3D.
362func saslname(s string) string {
364 for _, c := range s {