PostgreSQL Source Code git master
fe-auth-scram.c
Go to the documentation of this file.
1/*-------------------------------------------------------------------------
2 *
3 * fe-auth-scram.c
4 * The front-end (client) implementation of SCRAM authentication.
5 *
6 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
8 *
9 * IDENTIFICATION
10 * src/interfaces/libpq/fe-auth-scram.c
11 *
12 *-------------------------------------------------------------------------
13 */
14
15#include "postgres_fe.h"
16
17#include "common/base64.h"
18#include "common/hmac.h"
19#include "common/saslprep.h"
20#include "common/scram-common.h"
21#include "fe-auth.h"
22
23
24/* The exported SCRAM callback mechanism. */
25static void *scram_init(PGconn *conn, const char *password,
26 const char *sasl_mechanism);
27static SASLStatus scram_exchange(void *opaq, bool final,
28 char *input, int inputlen,
29 char **output, int *outputlen);
30static bool scram_channel_bound(void *opaq);
31static void scram_free(void *opaq);
32
33const pg_fe_sasl_mech pg_scram_mech = {
34 scram_init,
35 scram_exchange,
36 scram_channel_bound,
37 scram_free
38};
39
40/*
41 * Status of exchange messages used for SCRAM authentication via the
42 * SASL protocol.
43 */
44typedef enum
45{
46 FE_SCRAM_INIT,
47 FE_SCRAM_NONCE_SENT,
48 FE_SCRAM_PROOF_SENT,
49 FE_SCRAM_FINISHED,
50} fe_scram_state_enum;
51
52typedef struct
53{
54 fe_scram_state_enum state;
55
56 /* These are supplied by the user */
57 PGconn *conn;
58 char *password;
59 char *sasl_mechanism;
60
61 /* State data depending on the hash type */
62 pg_cryptohash_type hash_type;
63 int key_length;
64
65 /* We construct these */
66 uint8 SaltedPassword[SCRAM_MAX_KEY_LEN];
67 char *client_nonce;
68 char *client_first_message_bare;
69 char *client_final_message_without_proof;
70
71 /* These come from the server-first message */
72 char *server_first_message;
73 char *salt;
74 int saltlen;
75 int iterations;
76 char *nonce;
77
78 /* These come from the server-final message */
79 char *server_final_message;
80 char ServerSignature[SCRAM_MAX_KEY_LEN];
81} fe_scram_state;
82
83static bool read_server_first_message(fe_scram_state *state, char *input);
84static bool read_server_final_message(fe_scram_state *state, char *input);
85static char *build_client_first_message(fe_scram_state *state);
86static char *build_client_final_message(fe_scram_state *state);
87static bool verify_server_signature(fe_scram_state *state, bool *match,
88 const char **errstr);
89static bool calculate_client_proof(fe_scram_state *state,
90 const char *client_final_message_without_proof,
91 uint8 *result, const char **errstr);
92
93/*
94 * Initialize SCRAM exchange status.
95 */
96static void *
97scram_init(PGconn *conn,
98 const char *password,
99 const char *sasl_mechanism)
100{
101 fe_scram_state *state;
102 char *prep_password;
103 pg_saslprep_rc rc;
104
105 Assert(sasl_mechanism != NULL);
106
107 state = (fe_scram_state *) malloc(sizeof(fe_scram_state));
108 if (!state)
109 return NULL;
110 memset(state, 0, sizeof(fe_scram_state));
111 state->conn = conn;
112 state->state = FE_SCRAM_INIT;
113 state->key_length = SCRAM_SHA_256_KEY_LEN;
114 state->hash_type = PG_SHA256;
115
116 state->sasl_mechanism = strdup(sasl_mechanism);
117 if (!state->sasl_mechanism)
118 {
119 free(state);
120 return NULL;
121 }
122
123 if (password)
124 {
125 /* Normalize the password with SASLprep, if possible */
126 rc = pg_saslprep(password, &prep_password);
127 if (rc == SASLPREP_OOM)
128 {
129 free(state->sasl_mechanism);
130 free(state);
131 return NULL;
132 }
133 if (rc != SASLPREP_SUCCESS)
134 {
135 prep_password = strdup(password);
136 if (!prep_password)
137 {
138 free(state->sasl_mechanism);
139 free(state);
140 return NULL;
141 }
142 }
143 state->password = prep_password;
144 }
145
146 return state;
147}
148
149/*
150 * Return true if channel binding was employed and the SCRAM exchange
151 * completed. This should be used after a successful exchange to determine
152 * whether the server authenticated itself to the client.
153 *
154 * Note that the caller must also ensure that the exchange was actually
155 * successful.
156 */
157static bool
158scram_channel_bound(void *opaq)
159{
160 fe_scram_state *state = (fe_scram_state *) opaq;
161
162 /* no SCRAM exchange done */
163 if (state == NULL)
164 return false;
165
166 /* SCRAM exchange not completed */
167 if (state->state != FE_SCRAM_FINISHED)
168 return false;
169
170 /* channel binding mechanism not used */
171 if (strcmp(state->sasl_mechanism, SCRAM_SHA_256_PLUS_NAME) != 0)
172 return false;
173
174 /* all clear! */
175 return true;
176}
177
178/*
179 * Free SCRAM exchange status
180 */
181static void
182scram_free(void *opaq)
183{
184 fe_scram_state *state = (fe_scram_state *) opaq;
185
186 free(state->password);
187 free(state->sasl_mechanism);
188
189 /* client messages */
190 free(state->client_nonce);
191 free(state->client_first_message_bare);
192 free(state->client_final_message_without_proof);
193
194 /* first message from server */
195 free(state->server_first_message);
196 free(state->salt);
197 free(state->nonce);
198
199 /* final message from server */
200 free(state->server_final_message);
201
202 free(state);
203}
204
205/*
206 * Exchange a SCRAM message with backend.
207 */
208static SASLStatus
209scram_exchange(void *opaq, bool final,
210 char *input, int inputlen,
211 char **output, int *outputlen)
212{
213 fe_scram_state *state = (fe_scram_state *) opaq;
214 PGconn *conn = state->conn;
215 const char *errstr = NULL;
216
217 *output = NULL;
218 *outputlen = 0;
219
220 /*
221 * Check that the input length agrees with the string length of the input.
222 * We can ignore inputlen after this.
223 */
224 if (state->state != FE_SCRAM_INIT)
225 {
226 if (inputlen == 0)
227 {
228 libpq_append_conn_error(conn, "malformed SCRAM message (empty message)");
229 return SASL_FAILED;
230 }
231 if (inputlen != strlen(input))
232 {
233 libpq_append_conn_error(conn, "malformed SCRAM message (length mismatch)");
234 return SASL_FAILED;
235 }
236 }
237
238 switch (state->state)
239 {
240 case FE_SCRAM_INIT:
241 /* Begin the SCRAM handshake, by sending client nonce */
242 *output = build_client_first_message(state);
243 if (*output == NULL)
244 return SASL_FAILED;
245
246 *outputlen = strlen(*output);
247 state->state = FE_SCRAM_NONCE_SENT;
248 return SASL_CONTINUE;
249
250 case FE_SCRAM_NONCE_SENT:
251 /* Receive salt and server nonce, send response. */
252 if (!read_server_first_message(state, input))
253 return SASL_FAILED;
254
255 *output = build_client_final_message(state);
256 if (*output == NULL)
257 return SASL_FAILED;
258
259 *outputlen = strlen(*output);
260 state->state = FE_SCRAM_PROOF_SENT;
261 return SASL_CONTINUE;
262
263 case FE_SCRAM_PROOF_SENT:
264 {
265 bool match;
266
267 /* Receive server signature */
268 if (!read_server_final_message(state, input))
269 return SASL_FAILED;
270
271 /*
272 * Verify server signature, to make sure we're talking to the
273 * genuine server.
274 */
275 if (!verify_server_signature(state, &match, &errstr))
276 {
277 libpq_append_conn_error(conn, "could not verify server signature: %s", errstr);
278 return SASL_FAILED;
279 }
280
281 if (!match)
282 {
283 libpq_append_conn_error(conn, "incorrect server signature");
284 }
285 state->state = FE_SCRAM_FINISHED;
286 state->conn->client_finished_auth = true;
287 return match ? SASL_COMPLETE : SASL_FAILED;
288 }
289
290 default:
291 /* shouldn't happen */
292 libpq_append_conn_error(conn, "invalid SCRAM exchange state");
293 break;
294 }
295
296 return SASL_FAILED;
297}
298
299/*
300 * Read value for an attribute part of a SCRAM message.
301 *
302 * The buffer at **input is destructively modified, and *input is
303 * advanced over the "attr=value" string and any following comma.
304 *
305 * On failure, append an error message to *errorMessage and return NULL.
306 */
307static char *
308read_attr_value(char **input, char attr, PQExpBuffer errorMessage)
309{
310 char *begin = *input;
311 char *end;
312
313 if (*begin != attr)
314 {
315 libpq_append_error(errorMessage,
316 "malformed SCRAM message (attribute \"%c\" expected)",
317 attr);
318 return NULL;
319 }
320 begin++;
321
322 if (*begin != '=')
323 {
324 libpq_append_error(errorMessage,
325 "malformed SCRAM message (expected character \"=\" for attribute \"%c\")",
326 attr);
327 return NULL;
328 }
329 begin++;
330
331 end = begin;
332 while (*end && *end != ',')
333 end++;
334
335 if (*end)
336 {
337 *end = '\0';
338 *input = end + 1;
339 }
340 else
341 *input = end;
342
343 return begin;
344}
345
346/*
347 * Build the first exchange message sent by the client.
348 */
349static char *
350build_client_first_message(fe_scram_state *state)
351{
352 PGconn *conn = state->conn;
353 char raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
354 char *result;
355 int channel_info_len;
356 int encoded_len;
357 PQExpBufferData buf;
358
359 /*
360 * Generate a "raw" nonce. This is converted to ASCII-printable form by
361 * base64-encoding it.
362 */
363 if (!pg_strong_random(raw_nonce, SCRAM_RAW_NONCE_LEN))
364 {
365 libpq_append_conn_error(conn, "could not generate nonce");
366 return NULL;
367 }
368
369 encoded_len = pg_b64_enc_len(SCRAM_RAW_NONCE_LEN);
370 /* don't forget the zero-terminator */
371 state->client_nonce = malloc(encoded_len + 1);
372 if (state->client_nonce == NULL)
373 {
374 libpq_append_conn_error(conn, "out of memory");
375 return NULL;
376 }
377 encoded_len = pg_b64_encode(raw_nonce, SCRAM_RAW_NONCE_LEN,
378 state->client_nonce, encoded_len);
379 if (encoded_len < 0)
380 {
381 libpq_append_conn_error(conn, "could not encode nonce");
382 return NULL;
383 }
384 state->client_nonce[encoded_len] = '\0';
385
386 /*
387 * Generate message. The username is left empty as the backend uses the
388 * value provided by the startup packet. Also, as this username is not
389 * prepared with SASLprep, the message parsing would fail if it includes
390 * '=' or ',' characters.
391 */
392
393 initPQExpBuffer(&buf);
394
395 /*
396 * First build the gs2-header with channel binding information.
397 */
398 if (strcmp(state->sasl_mechanism, SCRAM_SHA_256_PLUS_NAME) == 0)
399 {
400 Assert(conn->ssl_in_use);
401 appendPQExpBufferStr(&buf, "p=tls-server-end-point");
402 }
403#ifdef USE_SSL
404 else if (conn->channel_binding[0] != 'd' && /* disable */
405 conn->ssl_in_use)
406 {
407 /*
408 * Client supports channel binding, but thinks the server does not.
409 */
410 appendPQExpBufferChar(&buf, 'y');
411 }
412#endif
413 else
414 {
415 /*
416 * Client does not support channel binding, or has disabled it.
417 */
418 appendPQExpBufferChar(&buf, 'n');
419 }
420
421 if (PQExpBufferDataBroken(buf))
422 goto oom_error;
423
424 channel_info_len = buf.len;
425
426 appendPQExpBuffer(&buf, ",,n=,r=%s", state->client_nonce);
427 if (PQExpBufferDataBroken(buf))
428 goto oom_error;
429
430 /*
431 * The first message content needs to be saved without channel binding
432 * information.
433 */
434 state->client_first_message_bare = strdup(buf.data + channel_info_len + 2);
435 if (!state->client_first_message_bare)
436 goto oom_error;
437
438 result = strdup(buf.data);
439 if (result == NULL)
440 goto oom_error;
441
442 termPQExpBuffer(&buf);
443 return result;
444
445oom_error:
446 termPQExpBuffer(&buf);
447 libpq_append_conn_error(conn, "out of memory");
448 return NULL;
449}
450
451/*
452 * Build the final exchange message sent from the client.
453 */
454static char *
455build_client_final_message(fe_scram_state *state)
456{
457 PQExpBufferData buf;
458 PGconn *conn = state->conn;
459 uint8 client_proof[SCRAM_MAX_KEY_LEN];
460 char *result;
461 int encoded_len;
462 const char *errstr = NULL;
463
464 initPQExpBuffer(&buf);
465
466 /*
467 * Construct client-final-message-without-proof. We need to remember it
468 * for verifying the server proof in the final step of authentication.
469 *
470 * The channel binding flag handling (p/y/n) must be consistent with
471 * build_client_first_message(), because the server will check that it's
472 * the same flag both times.
473 */
474 if (strcmp(state->sasl_mechanism, SCRAM_SHA_256_PLUS_NAME) == 0)
475 {
476#ifdef USE_SSL
477 char *cbind_data = NULL;
478 size_t cbind_data_len = 0;
479 size_t cbind_header_len;
480 char *cbind_input;
481 size_t cbind_input_len;
482 int encoded_cbind_len;
483
484 /* Fetch hash data of server's SSL certificate */
485 cbind_data =
486 pgtls_get_peer_certificate_hash(state->conn,
487 &cbind_data_len);
488 if (cbind_data == NULL)
489 {
490 /* error message is already set on error */
491 termPQExpBuffer(&buf);
492 return NULL;
493 }
494
495 appendPQExpBufferStr(&buf, "c=");
496
497 /* p=type,, */
498 cbind_header_len = strlen("p=tls-server-end-point,,");
499 cbind_input_len = cbind_header_len + cbind_data_len;
500 cbind_input = malloc(cbind_input_len);
501 if (!cbind_input)
502 {
503 free(cbind_data);
504 goto oom_error;
505 }
506 memcpy(cbind_input, "p=tls-server-end-point,,", cbind_header_len);
507 memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
508
509 encoded_cbind_len = pg_b64_enc_len(cbind_input_len);
510 if (!enlargePQExpBuffer(&buf, encoded_cbind_len))
511 {
512 free(cbind_data);
513 free(cbind_input);
514 goto oom_error;
515 }
516 encoded_cbind_len = pg_b64_encode(cbind_input, cbind_input_len,
517 buf.data + buf.len,
518 encoded_cbind_len);
519 if (encoded_cbind_len < 0)
520 {
521 free(cbind_data);
522 free(cbind_input);
523 termPQExpBuffer(&buf);
524 appendPQExpBufferStr(&conn->errorMessage,
525 "could not encode cbind data for channel binding\n");
526 return NULL;
527 }
528 buf.len += encoded_cbind_len;
529 buf.data[buf.len] = '\0';
530
531 free(cbind_data);
532 free(cbind_input);
533#else
534 /*
535 * Chose channel binding, but the SSL library doesn't support it.
536 * Shouldn't happen.
537 */
538 termPQExpBuffer(&buf);
539 appendPQExpBufferStr(&conn->errorMessage,
540 "channel binding not supported by this build\n");
541 return NULL;
542#endif /* USE_SSL */
543 }
544#ifdef USE_SSL
545 else if (conn->channel_binding[0] != 'd' && /* disable */
546 conn->ssl_in_use)
547 appendPQExpBufferStr(&buf, "c=eSws"); /* base64 of "y,," */
548#endif
549 else
550 appendPQExpBufferStr(&buf, "c=biws"); /* base64 of "n,," */
551
552 if (PQExpBufferDataBroken(buf))
553 goto oom_error;
554
555 appendPQExpBuffer(&buf, ",r=%s", state->nonce);
556 if (PQExpBufferDataBroken(buf))
557 goto oom_error;
558
559 state->client_final_message_without_proof = strdup(buf.data);
560 if (state->client_final_message_without_proof == NULL)
561 goto oom_error;
562
563 /* Append proof to it, to form client-final-message. */
564 if (!calculate_client_proof(state,
565 state->client_final_message_without_proof,
566 client_proof, &errstr))
567 {
568 termPQExpBuffer(&buf);
569 libpq_append_conn_error(conn, "could not calculate client proof: %s", errstr);
570 return NULL;
571 }
572
573 appendPQExpBufferStr(&buf, ",p=");
574 encoded_len = pg_b64_enc_len(state->key_length);
575 if (!enlargePQExpBuffer(&buf, encoded_len))
576 goto oom_error;
577 encoded_len = pg_b64_encode((char *) client_proof,
578 state->key_length,
579 buf.data + buf.len,
580 encoded_len);
581 if (encoded_len < 0)
582 {
583 termPQExpBuffer(&buf);
584 libpq_append_conn_error(conn, "could not encode client proof");
585 return NULL;
586 }
587 buf.len += encoded_len;
588 buf.data[buf.len] = '\0';
589
590 result = strdup(buf.data);
591 if (result == NULL)
592 goto oom_error;
593
594 termPQExpBuffer(&buf);
595 return result;
596
597oom_error:
598 termPQExpBuffer(&buf);
599 libpq_append_conn_error(conn, "out of memory");
600 return NULL;
601}
602
603/*
604 * Read the first exchange message coming from the server.
605 */
606static bool
607read_server_first_message(fe_scram_state *state, char *input)
608{
609 PGconn *conn = state->conn;
610 char *iterations_str;
611 char *endptr;
612 char *encoded_salt;
613 char *nonce;
614 int decoded_salt_len;
615
616 state->server_first_message = strdup(input);
617 if (state->server_first_message == NULL)
618 {
619 libpq_append_conn_error(conn, "out of memory");
620 return false;
621 }
622
623 /* parse the message */
624 nonce = read_attr_value(&input, 'r',
625 &conn->errorMessage);
626 if (nonce == NULL)
627 {
628 /* read_attr_value() has appended an error string */
629 return false;
630 }
631
632 /* Verify immediately that the server used our part of the nonce */
633 if (strlen(nonce) < strlen(state->client_nonce) ||
634 memcmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)
635 {
636 libpq_append_conn_error(conn, "invalid SCRAM response (nonce mismatch)");
637 return false;
638 }
639
640 state->nonce = strdup(nonce);
641 if (state->nonce == NULL)
642 {
643 libpq_append_conn_error(conn, "out of memory");
644 return false;
645 }
646
647 encoded_salt = read_attr_value(&input, 's', &conn->errorMessage);
648 if (encoded_salt == NULL)
649 {
650 /* read_attr_value() has appended an error string */
651 return false;
652 }
653 decoded_salt_len = pg_b64_dec_len(strlen(encoded_salt));
654 state->salt = malloc(decoded_salt_len);
655 if (state->salt == NULL)
656 {
657 libpq_append_conn_error(conn, "out of memory");
658 return false;
659 }
660 state->saltlen = pg_b64_decode(encoded_salt,
661 strlen(encoded_salt),
662 state->salt,
663 decoded_salt_len);
664 if (state->saltlen < 0)
665 {
666 libpq_append_conn_error(conn, "malformed SCRAM message (invalid salt)");
667 return false;
668 }
669
670 iterations_str = read_attr_value(&input, 'i', &conn->errorMessage);
671 if (iterations_str == NULL)
672 {
673 /* read_attr_value() has appended an error string */
674 return false;
675 }
676 state->iterations = strtol(iterations_str, &endptr, 10);
677 if (*endptr != '\0' || state->iterations < 1)
678 {
679 libpq_append_conn_error(conn, "malformed SCRAM message (invalid iteration count)");
680 return false;
681 }
682
683 if (*input != '\0')
684 libpq_append_conn_error(conn, "malformed SCRAM message (garbage at end of server-first-message)");
685
686 return true;
687}
688
689/*
690 * Read the final exchange message coming from the server.
691 */
692static bool
693read_server_final_message(fe_scram_state *state, char *input)
694{
695 PGconn *conn = state->conn;
696 char *encoded_server_signature;
697 char *decoded_server_signature;
698 int server_signature_len;
699
700 state->server_final_message = strdup(input);
701 if (!state->server_final_message)
702 {
703 libpq_append_conn_error(conn, "out of memory");
704 return false;
705 }
706
707 /* Check for error result. */
708 if (*input == 'e')
709 {
710 char *errmsg = read_attr_value(&input, 'e',
711 &conn->errorMessage);
712
713 if (errmsg == NULL)
714 {
715 /* read_attr_value() has appended an error message */
716 return false;
717 }
718 libpq_append_conn_error(conn, "error received from server in SCRAM exchange: %s",
719 errmsg);
720 return false;
721 }
722
723 /* Parse the message. */
724 encoded_server_signature = read_attr_value(&input, 'v',
725 &conn->errorMessage);
726 if (encoded_server_signature == NULL)
727 {
728 /* read_attr_value() has appended an error message */
729 return false;
730 }
731
732 if (*input != '\0')
733 libpq_append_conn_error(conn, "malformed SCRAM message (garbage at end of server-final-message)");
734
735 server_signature_len = pg_b64_dec_len(strlen(encoded_server_signature));
736 decoded_server_signature = malloc(server_signature_len);
737 if (!decoded_server_signature)
738 {
739 libpq_append_conn_error(conn, "out of memory");
740 return false;
741 }
742
743 server_signature_len = pg_b64_decode(encoded_server_signature,
744 strlen(encoded_server_signature),
745 decoded_server_signature,
746 server_signature_len);
747 if (server_signature_len != state->key_length)
748 {
749 free(decoded_server_signature);
750 libpq_append_conn_error(conn, "malformed SCRAM message (invalid server signature)");
751 return false;
752 }
753 memcpy(state->ServerSignature, decoded_server_signature,
754 state->key_length);
755 free(decoded_server_signature);
756
757 return true;
758}
759
760/*
761 * Calculate the client proof, part of the final exchange message sent
762 * by the client. Returns true on success, false on failure with *errstr
763 * pointing to a message about the error details.
764 */
765static bool
766calculate_client_proof(fe_scram_state *state,
767 const char *client_final_message_without_proof,
768 uint8 *result, const char **errstr)
769{
770 uint8 StoredKey[SCRAM_MAX_KEY_LEN];
771 uint8 ClientKey[SCRAM_MAX_KEY_LEN];
772 uint8 ClientSignature[SCRAM_MAX_KEY_LEN];
773 int i;
774 pg_hmac_ctx *ctx;
775
776 ctx = pg_hmac_create(state->hash_type);
777 if (ctx == NULL)
778 {
779 *errstr = pg_hmac_error(NULL); /* returns OOM */
780 return false;
781 }
782
783 if (state->conn->scram_client_key_binary)
784 {
785 memcpy(ClientKey, state->conn->scram_client_key_binary, SCRAM_MAX_KEY_LEN);
786 }
787 else
788 {
789 /*
790 * Calculate SaltedPassword, and store it in 'state' so that we can
791 * reuse it later in verify_server_signature.
792 */
793 if (scram_SaltedPassword(state->password, state->hash_type,
794 state->key_length, state->salt, state->saltlen,
795 state->iterations, state->SaltedPassword,
796 errstr) < 0 ||
797 scram_ClientKey(state->SaltedPassword, state->hash_type,
798 state->key_length, ClientKey, errstr) < 0)
799 {
800 /* errstr is already filled here */
801 pg_hmac_free(ctx);
802 return false;
803 }
804 }
805
806 if (scram_H(ClientKey, state->hash_type, state->key_length, StoredKey, errstr) < 0)
807 {
808 pg_hmac_free(ctx);
809 return false;
810 }
811
812 if (pg_hmac_init(ctx, StoredKey, state->key_length) < 0 ||
813 pg_hmac_update(ctx,
814 (uint8 *) state->client_first_message_bare,
815 strlen(state->client_first_message_bare)) < 0 ||
816 pg_hmac_update(ctx, (uint8 *) ",", 1) < 0 ||
817 pg_hmac_update(ctx,
818 (uint8 *) state->server_first_message,
819 strlen(state->server_first_message)) < 0 ||
820 pg_hmac_update(ctx, (uint8 *) ",", 1) < 0 ||
821 pg_hmac_update(ctx,
822 (uint8 *) client_final_message_without_proof,
823 strlen(client_final_message_without_proof)) < 0 ||
824 pg_hmac_final(ctx, ClientSignature, state->key_length) < 0)
825 {
826 *errstr = pg_hmac_error(ctx);
827 pg_hmac_free(ctx);
828 return false;
829 }
830
831 for (i = 0; i < state->key_length; i++)
832 result[i] = ClientKey[i] ^ ClientSignature[i];
833
834 pg_hmac_free(ctx);
835 return true;
836}
837
838/*
839 * Validate the server signature, received as part of the final exchange
840 * message received from the server. *match tracks if the server signature
841 * matched or not. Returns true if the server signature got verified, and
842 * false for a processing error with *errstr pointing to a message about the
843 * error details.
844 */
845static bool
846verify_server_signature(fe_scram_state *state, bool *match,
847 const char **errstr)
848{
849 uint8 expected_ServerSignature[SCRAM_MAX_KEY_LEN];
850 uint8 ServerKey[SCRAM_MAX_KEY_LEN];
851 pg_hmac_ctx *ctx;
852
853 ctx = pg_hmac_create(state->hash_type);
854 if (ctx == NULL)
855 {
856 *errstr = pg_hmac_error(NULL); /* returns OOM */
857 return false;
858 }
859
860 if (state->conn->scram_server_key_binary)
861 {
862 memcpy(ServerKey, state->conn->scram_server_key_binary, SCRAM_MAX_KEY_LEN);
863 }
864 else
865 {
866 if (scram_ServerKey(state->SaltedPassword, state->hash_type,
867 state->key_length, ServerKey, errstr) < 0)
868 {
869 /* errstr is filled already */
870 pg_hmac_free(ctx);
871 return false;
872 }
873 }
874
875 /* calculate ServerSignature */
876 if (pg_hmac_init(ctx, ServerKey, state->key_length) < 0 ||
877 pg_hmac_update(ctx,
878 (uint8 *) state->client_first_message_bare,
879 strlen(state->client_first_message_bare)) < 0 ||
880 pg_hmac_update(ctx, (uint8 *) ",", 1) < 0 ||
881 pg_hmac_update(ctx,
882 (uint8 *) state->server_first_message,
883 strlen(state->server_first_message)) < 0 ||
884 pg_hmac_update(ctx, (uint8 *) ",", 1) < 0 ||
885 pg_hmac_update(ctx,
886 (uint8 *) state->client_final_message_without_proof,
887 strlen(state->client_final_message_without_proof)) < 0 ||
888 pg_hmac_final(ctx, expected_ServerSignature,
889 state->key_length) < 0)
890 {
891 *errstr = pg_hmac_error(ctx);
892 pg_hmac_free(ctx);
893 return false;
894 }
895
896 pg_hmac_free(ctx);
897
898 /* signature processed, so now check after it */
899 if (memcmp(expected_ServerSignature, state->ServerSignature,
900 state->key_length) != 0)
901 *match = false;
902 else
903 *match = true;
904
905 return true;
906}
907
908/*
909 * Build a new SCRAM secret.
910 *
911 * On error, returns NULL and sets *errstr to point to a message about the
912 * error details.
913 */
914char *
915pg_fe_scram_build_secret(const char *password, int iterations, const char **errstr)
916{
917 char *prep_password;
918 pg_saslprep_rc rc;
919 char saltbuf[SCRAM_DEFAULT_SALT_LEN];
920 char *result;
921
922 /*
923 * Normalize the password with SASLprep. If that doesn't work, because
924 * the password isn't valid UTF-8 or contains prohibited characters, just
925 * proceed with the original password. (See comments at the top of
926 * auth-scram.c.)
927 */
928 rc = pg_saslprep(password, &prep_password);
929 if (rc == SASLPREP_OOM)
930 {
931 *errstr = libpq_gettext("out of memory");
932 return NULL;
933 }
934 if (rc == SASLPREP_SUCCESS)
935 password = (const char *) prep_password;
936
937 /* Generate a random salt */
938 if (!pg_strong_random(saltbuf, SCRAM_DEFAULT_SALT_LEN))
939 {
940 *errstr = libpq_gettext("could not generate random salt");
941 free(prep_password);
942 return NULL;
943 }
944
945 result = scram_build_secret(PG_SHA256, SCRAM_SHA_256_KEY_LEN, saltbuf,
946 SCRAM_DEFAULT_SALT_LEN,
947 iterations, password,
948 errstr);
949
950 free(prep_password);
951
952 return result;
953}
pg_b64_decode
int pg_b64_decode(const char *src, int len, char *dst, int dstlen)
Definition: base64.c:116
pg_b64_enc_len
int pg_b64_enc_len(int srclen)
Definition: base64.c:224
pg_b64_encode
int pg_b64_encode(const char *src, int len, char *dst, int dstlen)
Definition: base64.c:49
pg_b64_dec_len
int pg_b64_dec_len(int srclen)
Definition: base64.c:239
uint8
uint8_t uint8
Definition: c.h:500
pg_cryptohash_type
pg_cryptohash_type
Definition: cryptohash.h:20
PG_SHA256
@ PG_SHA256
Definition: cryptohash.h:24
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1071
SASLStatus
SASLStatus
Definition: fe-auth-sasl.h:29
SASL_CONTINUE
@ SASL_CONTINUE
Definition: fe-auth-sasl.h:32
SASL_COMPLETE
@ SASL_COMPLETE
Definition: fe-auth-sasl.h:30
SASL_FAILED
@ SASL_FAILED
Definition: fe-auth-sasl.h:31
build_client_first_message
static char * build_client_first_message(fe_scram_state *state)
Definition: fe-auth-scram.c:350
pg_scram_mech
const pg_fe_sasl_mech pg_scram_mech
Definition: fe-auth-scram.c:33
verify_server_signature
static bool verify_server_signature(fe_scram_state *state, bool *match, const char **errstr)
Definition: fe-auth-scram.c:846
fe_scram_state_enum
fe_scram_state_enum
Definition: fe-auth-scram.c:45
FE_SCRAM_PROOF_SENT
@ FE_SCRAM_PROOF_SENT
Definition: fe-auth-scram.c:48
FE_SCRAM_NONCE_SENT
@ FE_SCRAM_NONCE_SENT
Definition: fe-auth-scram.c:47
FE_SCRAM_FINISHED
@ FE_SCRAM_FINISHED
Definition: fe-auth-scram.c:49
FE_SCRAM_INIT
@ FE_SCRAM_INIT
Definition: fe-auth-scram.c:46
scram_init
static void * scram_init(PGconn *conn, const char *password, const char *sasl_mechanism)
Definition: fe-auth-scram.c:97
read_attr_value
static char * read_attr_value(char **input, char attr, PQExpBuffer errorMessage)
Definition: fe-auth-scram.c:308
scram_free
static void scram_free(void *opaq)
Definition: fe-auth-scram.c:182
read_server_first_message
static bool read_server_first_message(fe_scram_state *state, char *input)
Definition: fe-auth-scram.c:607
scram_channel_bound
static bool scram_channel_bound(void *opaq)
Definition: fe-auth-scram.c:158
pg_fe_scram_build_secret
char * pg_fe_scram_build_secret(const char *password, int iterations, const char **errstr)
Definition: fe-auth-scram.c:915
calculate_client_proof
static bool calculate_client_proof(fe_scram_state *state, const char *client_final_message_without_proof, uint8 *result, const char **errstr)
Definition: fe-auth-scram.c:766
scram_exchange
static SASLStatus scram_exchange(void *opaq, bool final, char *input, int inputlen, char **output, int *outputlen)
Definition: fe-auth-scram.c:209
build_client_final_message
static char * build_client_final_message(fe_scram_state *state)
Definition: fe-auth-scram.c:455
read_server_final_message
static bool read_server_final_message(fe_scram_state *state, char *input)
Definition: fe-auth-scram.c:693
libpq_append_error
void libpq_append_error(PQExpBuffer errorMessage, const char *fmt,...)
Definition: fe-misc.c:1352
libpq_append_conn_error
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
Definition: fe-misc.c:1381
pgtls_get_peer_certificate_hash
char * pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
Definition: fe-secure-openssl.c:340
Assert
Assert(PointerIsAligned(start, uint64))
free
#define free(a)
Definition: header.h:65
malloc
#define malloc(a)
Definition: header.h:50
pg_hmac_create
pg_hmac_ctx * pg_hmac_create(pg_cryptohash_type type)
Definition: hmac.c:77
pg_hmac_free
void pg_hmac_free(pg_hmac_ctx *ctx)
Definition: hmac.c:289
pg_hmac_error
const char * pg_hmac_error(pg_hmac_ctx *ctx)
Definition: hmac.c:306
pg_hmac_update
int pg_hmac_update(pg_hmac_ctx *ctx, const uint8 *data, size_t len)
Definition: hmac.c:223
pg_hmac_init
int pg_hmac_init(pg_hmac_ctx *ctx, const uint8 *key, size_t len)
Definition: hmac.c:138
pg_hmac_final
int pg_hmac_final(pg_hmac_ctx *ctx, uint8 *dest, size_t len)
Definition: hmac.c:244
input
FILE * input
output
FILE * output
Definition: pg_test_timing.c:182
i
int i
Definition: isn.c:77
libpq_gettext
#define libpq_gettext(x)
Definition: libpq-int.h:938
buf
static char * buf
Definition: pg_test_fsync.c:72
pg_strong_random
bool pg_strong_random(void *buf, size_t len)
Definition: pg_strong_random.c:150
postgres_fe.h
initPQExpBuffer
void initPQExpBuffer(PQExpBuffer str)
Definition: pqexpbuffer.c:90
enlargePQExpBuffer
int enlargePQExpBuffer(PQExpBuffer str, size_t needed)
Definition: pqexpbuffer.c:172
appendPQExpBuffer
void appendPQExpBuffer(PQExpBuffer str, const char *fmt,...)
Definition: pqexpbuffer.c:265
appendPQExpBufferChar
void appendPQExpBufferChar(PQExpBuffer str, char ch)
Definition: pqexpbuffer.c:378
appendPQExpBufferStr
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:367
termPQExpBuffer
void termPQExpBuffer(PQExpBuffer str)
Definition: pqexpbuffer.c:129
PQExpBufferDataBroken
#define PQExpBufferDataBroken(buf)
Definition: pqexpbuffer.h:67
pg_saslprep
pg_saslprep_rc pg_saslprep(const char *input, char **output)
Definition: saslprep.c:1047
pg_saslprep_rc
pg_saslprep_rc
Definition: saslprep.h:21
SASLPREP_OOM
@ SASLPREP_OOM
Definition: saslprep.h:23
SASLPREP_SUCCESS
@ SASLPREP_SUCCESS
Definition: saslprep.h:22
scram_build_secret
char * scram_build_secret(pg_cryptohash_type hash_type, int key_length, const char *salt, int saltlen, int iterations, const char *password, const char **errstr)
Definition: scram-common.c:209
scram_ServerKey
int scram_ServerKey(const uint8 *salted_password, pg_cryptohash_type hash_type, int key_length, uint8 *result, const char **errstr)
Definition: scram-common.c:172
scram_SaltedPassword
int scram_SaltedPassword(const char *password, pg_cryptohash_type hash_type, int key_length, const char *salt, int saltlen, int iterations, uint8 *result, const char **errstr)
Definition: scram-common.c:38
scram_ClientKey
int scram_ClientKey(const uint8 *salted_password, pg_cryptohash_type hash_type, int key_length, uint8 *result, const char **errstr)
Definition: scram-common.c:142
scram_H
int scram_H(const uint8 *input, pg_cryptohash_type hash_type, int key_length, uint8 *result, const char **errstr)
Definition: scram-common.c:112
SCRAM_SHA_256_PLUS_NAME
#define SCRAM_SHA_256_PLUS_NAME
Definition: scram-common.h:21
SCRAM_RAW_NONCE_LEN
#define SCRAM_RAW_NONCE_LEN
Definition: scram-common.h:37
SCRAM_DEFAULT_SALT_LEN
#define SCRAM_DEFAULT_SALT_LEN
Definition: scram-common.h:44
SCRAM_MAX_KEY_LEN
#define SCRAM_MAX_KEY_LEN
Definition: scram-common.h:30
SCRAM_SHA_256_KEY_LEN
#define SCRAM_SHA_256_KEY_LEN
Definition: scram-common.h:24
password
static char * password
Definition: streamutil.c:51
conn
PGconn * conn
Definition: streamutil.c:52
fe_scram_state
Definition: fe-auth-scram.c:53
fe_scram_state::client_final_message_without_proof
char * client_final_message_without_proof
Definition: fe-auth-scram.c:69
fe_scram_state::iterations
int iterations
Definition: fe-auth-scram.c:75
fe_scram_state::state
fe_scram_state_enum state
Definition: fe-auth-scram.c:54
fe_scram_state::client_first_message_bare
char * client_first_message_bare
Definition: fe-auth-scram.c:68
fe_scram_state::salt
char * salt
Definition: fe-auth-scram.c:73
fe_scram_state::server_final_message
char * server_final_message
Definition: fe-auth-scram.c:79
fe_scram_state::password
char * password
Definition: fe-auth-scram.c:58
fe_scram_state::server_first_message
char * server_first_message
Definition: fe-auth-scram.c:72
fe_scram_state::sasl_mechanism
char * sasl_mechanism
Definition: fe-auth-scram.c:59
fe_scram_state::nonce
char * nonce
Definition: fe-auth-scram.c:76
fe_scram_state::key_length
int key_length
Definition: fe-auth-scram.c:63
fe_scram_state::hash_type
pg_cryptohash_type hash_type
Definition: fe-auth-scram.c:62
fe_scram_state::client_nonce
char * client_nonce
Definition: fe-auth-scram.c:67
fe_scram_state::conn
PGconn * conn
Definition: fe-auth-scram.c:57
fe_scram_state::saltlen
int saltlen
Definition: fe-auth-scram.c:74
pg_conn
Definition: libpq-int.h:371
pg_conn::channel_binding
char * channel_binding
Definition: libpq-int.h:395
pg_conn::errorMessage
PQExpBufferData errorMessage
Definition: libpq-int.h:671
pg_conn::ssl_in_use
bool ssl_in_use
Definition: libpq-int.h:608
pg_fe_sasl_mech
Definition: fe-auth-sasl.h:44
pg_hmac_ctx
Definition: hmac.c:51
state
Definition: regguts.h:323
iterations
int iterations
Definition: thread-thread.c:39