You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
262 lines
9.9 KiB
JavaScript
262 lines
9.9 KiB
JavaScript
1 year ago
|
"use strict";
|
||
|
Object.defineProperty(exports, "__esModule", { value: true });
|
||
|
exports.ScramSHA256 = exports.ScramSHA1 = void 0;
|
||
|
const crypto = require("crypto");
|
||
|
const util_1 = require("util");
|
||
|
const bson_1 = require("../../bson");
|
||
|
const deps_1 = require("../../deps");
|
||
|
const error_1 = require("../../error");
|
||
|
const utils_1 = require("../../utils");
|
||
|
const auth_provider_1 = require("./auth_provider");
|
||
|
const providers_1 = require("./providers");
|
||
|
class ScramSHA extends auth_provider_1.AuthProvider {
|
||
|
constructor(cryptoMethod) {
|
||
|
super();
|
||
|
this.cryptoMethod = cryptoMethod || 'sha1';
|
||
|
this.randomBytesAsync = (0, util_1.promisify)(crypto.randomBytes);
|
||
|
}
|
||
|
async prepare(handshakeDoc, authContext) {
|
||
|
const cryptoMethod = this.cryptoMethod;
|
||
|
const credentials = authContext.credentials;
|
||
|
if (!credentials) {
|
||
|
throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
|
||
|
}
|
||
|
if (cryptoMethod === 'sha256' &&
|
||
|
('kModuleError' in deps_1.saslprep || typeof deps_1.saslprep !== 'function')) {
|
||
|
(0, utils_1.emitWarning)('Warning: no saslprep library specified. Passwords will not be sanitized');
|
||
|
}
|
||
|
const nonce = await this.randomBytesAsync(24);
|
||
|
// store the nonce for later use
|
||
|
authContext.nonce = nonce;
|
||
|
const request = {
|
||
|
...handshakeDoc,
|
||
|
speculativeAuthenticate: {
|
||
|
...makeFirstMessage(cryptoMethod, credentials, nonce),
|
||
|
db: credentials.source
|
||
|
}
|
||
|
};
|
||
|
return request;
|
||
|
}
|
||
|
async auth(authContext) {
|
||
|
const { reauthenticating, response } = authContext;
|
||
|
if (response?.speculativeAuthenticate && !reauthenticating) {
|
||
|
return continueScramConversation(this.cryptoMethod, response.speculativeAuthenticate, authContext);
|
||
|
}
|
||
|
return executeScram(this.cryptoMethod, authContext);
|
||
|
}
|
||
|
}
|
||
|
function cleanUsername(username) {
|
||
|
return username.replace('=', '=3D').replace(',', '=2C');
|
||
|
}
|
||
|
function clientFirstMessageBare(username, nonce) {
|
||
|
// NOTE: This is done b/c Javascript uses UTF-16, but the server is hashing in UTF-8.
|
||
|
// Since the username is not sasl-prep-d, we need to do this here.
|
||
|
return Buffer.concat([
|
||
|
Buffer.from('n=', 'utf8'),
|
||
|
Buffer.from(username, 'utf8'),
|
||
|
Buffer.from(',r=', 'utf8'),
|
||
|
Buffer.from(nonce.toString('base64'), 'utf8')
|
||
|
]);
|
||
|
}
|
||
|
function makeFirstMessage(cryptoMethod, credentials, nonce) {
|
||
|
const username = cleanUsername(credentials.username);
|
||
|
const mechanism = cryptoMethod === 'sha1' ? providers_1.AuthMechanism.MONGODB_SCRAM_SHA1 : providers_1.AuthMechanism.MONGODB_SCRAM_SHA256;
|
||
|
// NOTE: This is done b/c Javascript uses UTF-16, but the server is hashing in UTF-8.
|
||
|
// Since the username is not sasl-prep-d, we need to do this here.
|
||
|
return {
|
||
|
saslStart: 1,
|
||
|
mechanism,
|
||
|
payload: new bson_1.Binary(Buffer.concat([Buffer.from('n,,', 'utf8'), clientFirstMessageBare(username, nonce)])),
|
||
|
autoAuthorize: 1,
|
||
|
options: { skipEmptyExchange: true }
|
||
|
};
|
||
|
}
|
||
|
async function executeScram(cryptoMethod, authContext) {
|
||
|
const { connection, credentials } = authContext;
|
||
|
if (!credentials) {
|
||
|
throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
|
||
|
}
|
||
|
if (!authContext.nonce) {
|
||
|
throw new error_1.MongoInvalidArgumentError('AuthContext must contain a valid nonce property');
|
||
|
}
|
||
|
const nonce = authContext.nonce;
|
||
|
const db = credentials.source;
|
||
|
const saslStartCmd = makeFirstMessage(cryptoMethod, credentials, nonce);
|
||
|
const response = await connection.commandAsync((0, utils_1.ns)(`${db}.$cmd`), saslStartCmd, undefined);
|
||
|
await continueScramConversation(cryptoMethod, response, authContext);
|
||
|
}
|
||
|
async function continueScramConversation(cryptoMethod, response, authContext) {
|
||
|
const connection = authContext.connection;
|
||
|
const credentials = authContext.credentials;
|
||
|
if (!credentials) {
|
||
|
throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
|
||
|
}
|
||
|
if (!authContext.nonce) {
|
||
|
throw new error_1.MongoInvalidArgumentError('Unable to continue SCRAM without valid nonce');
|
||
|
}
|
||
|
const nonce = authContext.nonce;
|
||
|
const db = credentials.source;
|
||
|
const username = cleanUsername(credentials.username);
|
||
|
const password = credentials.password;
|
||
|
let processedPassword;
|
||
|
if (cryptoMethod === 'sha256') {
|
||
|
processedPassword =
|
||
|
'kModuleError' in deps_1.saslprep || typeof deps_1.saslprep !== 'function' ? password : (0, deps_1.saslprep)(password);
|
||
|
}
|
||
|
else {
|
||
|
processedPassword = passwordDigest(username, password);
|
||
|
}
|
||
|
const payload = Buffer.isBuffer(response.payload)
|
||
|
? new bson_1.Binary(response.payload)
|
||
|
: response.payload;
|
||
|
const dict = parsePayload(payload.value());
|
||
|
const iterations = parseInt(dict.i, 10);
|
||
|
if (iterations && iterations < 4096) {
|
||
|
// TODO(NODE-3483)
|
||
|
throw new error_1.MongoRuntimeError(`Server returned an invalid iteration count ${iterations}`);
|
||
|
}
|
||
|
const salt = dict.s;
|
||
|
const rnonce = dict.r;
|
||
|
if (rnonce.startsWith('nonce')) {
|
||
|
// TODO(NODE-3483)
|
||
|
throw new error_1.MongoRuntimeError(`Server returned an invalid nonce: ${rnonce}`);
|
||
|
}
|
||
|
// Set up start of proof
|
||
|
const withoutProof = `c=biws,r=${rnonce}`;
|
||
|
const saltedPassword = HI(processedPassword, Buffer.from(salt, 'base64'), iterations, cryptoMethod);
|
||
|
const clientKey = HMAC(cryptoMethod, saltedPassword, 'Client Key');
|
||
|
const serverKey = HMAC(cryptoMethod, saltedPassword, 'Server Key');
|
||
|
const storedKey = H(cryptoMethod, clientKey);
|
||
|
const authMessage = [clientFirstMessageBare(username, nonce), payload.value(), withoutProof].join(',');
|
||
|
const clientSignature = HMAC(cryptoMethod, storedKey, authMessage);
|
||
|
const clientProof = `p=${xor(clientKey, clientSignature)}`;
|
||
|
const clientFinal = [withoutProof, clientProof].join(',');
|
||
|
const serverSignature = HMAC(cryptoMethod, serverKey, authMessage);
|
||
|
const saslContinueCmd = {
|
||
|
saslContinue: 1,
|
||
|
conversationId: response.conversationId,
|
||
|
payload: new bson_1.Binary(Buffer.from(clientFinal))
|
||
|
};
|
||
|
const r = await connection.commandAsync((0, utils_1.ns)(`${db}.$cmd`), saslContinueCmd, undefined);
|
||
|
const parsedResponse = parsePayload(r.payload.value());
|
||
|
if (!compareDigest(Buffer.from(parsedResponse.v, 'base64'), serverSignature)) {
|
||
|
throw new error_1.MongoRuntimeError('Server returned an invalid signature');
|
||
|
}
|
||
|
if (r.done !== false) {
|
||
|
// If the server sends r.done === true we can save one RTT
|
||
|
return;
|
||
|
}
|
||
|
const retrySaslContinueCmd = {
|
||
|
saslContinue: 1,
|
||
|
conversationId: r.conversationId,
|
||
|
payload: Buffer.alloc(0)
|
||
|
};
|
||
|
await connection.commandAsync((0, utils_1.ns)(`${db}.$cmd`), retrySaslContinueCmd, undefined);
|
||
|
}
|
||
|
function parsePayload(payload) {
|
||
|
const dict = {};
|
||
|
const parts = payload.split(',');
|
||
|
for (let i = 0; i < parts.length; i++) {
|
||
|
const valueParts = parts[i].split('=');
|
||
|
dict[valueParts[0]] = valueParts[1];
|
||
|
}
|
||
|
return dict;
|
||
|
}
|
||
|
function passwordDigest(username, password) {
|
||
|
if (typeof username !== 'string') {
|
||
|
throw new error_1.MongoInvalidArgumentError('Username must be a string');
|
||
|
}
|
||
|
if (typeof password !== 'string') {
|
||
|
throw new error_1.MongoInvalidArgumentError('Password must be a string');
|
||
|
}
|
||
|
if (password.length === 0) {
|
||
|
throw new error_1.MongoInvalidArgumentError('Password cannot be empty');
|
||
|
}
|
||
|
let md5;
|
||
|
try {
|
||
|
md5 = crypto.createHash('md5');
|
||
|
}
|
||
|
catch (err) {
|
||
|
if (crypto.getFips()) {
|
||
|
// This error is (slightly) more helpful than what comes from OpenSSL directly, e.g.
|
||
|
// 'Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS'
|
||
|
throw new Error('Auth mechanism SCRAM-SHA-1 is not supported in FIPS mode');
|
||
|
}
|
||
|
throw err;
|
||
|
}
|
||
|
md5.update(`${username}:mongo:${password}`, 'utf8');
|
||
|
return md5.digest('hex');
|
||
|
}
|
||
|
// XOR two buffers
|
||
|
function xor(a, b) {
|
||
|
if (!Buffer.isBuffer(a)) {
|
||
|
a = Buffer.from(a);
|
||
|
}
|
||
|
if (!Buffer.isBuffer(b)) {
|
||
|
b = Buffer.from(b);
|
||
|
}
|
||
|
const length = Math.max(a.length, b.length);
|
||
|
const res = [];
|
||
|
for (let i = 0; i < length; i += 1) {
|
||
|
res.push(a[i] ^ b[i]);
|
||
|
}
|
||
|
return Buffer.from(res).toString('base64');
|
||
|
}
|
||
|
function H(method, text) {
|
||
|
return crypto.createHash(method).update(text).digest();
|
||
|
}
|
||
|
function HMAC(method, key, text) {
|
||
|
return crypto.createHmac(method, key).update(text).digest();
|
||
|
}
|
||
|
let _hiCache = {};
|
||
|
let _hiCacheCount = 0;
|
||
|
function _hiCachePurge() {
|
||
|
_hiCache = {};
|
||
|
_hiCacheCount = 0;
|
||
|
}
|
||
|
const hiLengthMap = {
|
||
|
sha256: 32,
|
||
|
sha1: 20
|
||
|
};
|
||
|
function HI(data, salt, iterations, cryptoMethod) {
|
||
|
// omit the work if already generated
|
||
|
const key = [data, salt.toString('base64'), iterations].join('_');
|
||
|
if (_hiCache[key] != null) {
|
||
|
return _hiCache[key];
|
||
|
}
|
||
|
// generate the salt
|
||
|
const saltedData = crypto.pbkdf2Sync(data, salt, iterations, hiLengthMap[cryptoMethod], cryptoMethod);
|
||
|
// cache a copy to speed up the next lookup, but prevent unbounded cache growth
|
||
|
if (_hiCacheCount >= 200) {
|
||
|
_hiCachePurge();
|
||
|
}
|
||
|
_hiCache[key] = saltedData;
|
||
|
_hiCacheCount += 1;
|
||
|
return saltedData;
|
||
|
}
|
||
|
function compareDigest(lhs, rhs) {
|
||
|
if (lhs.length !== rhs.length) {
|
||
|
return false;
|
||
|
}
|
||
|
if (typeof crypto.timingSafeEqual === 'function') {
|
||
|
return crypto.timingSafeEqual(lhs, rhs);
|
||
|
}
|
||
|
let result = 0;
|
||
|
for (let i = 0; i < lhs.length; i++) {
|
||
|
result |= lhs[i] ^ rhs[i];
|
||
|
}
|
||
|
return result === 0;
|
||
|
}
|
||
|
class ScramSHA1 extends ScramSHA {
|
||
|
constructor() {
|
||
|
super('sha1');
|
||
|
}
|
||
|
}
|
||
|
exports.ScramSHA1 = ScramSHA1;
|
||
|
class ScramSHA256 extends ScramSHA {
|
||
|
constructor() {
|
||
|
super('sha256');
|
||
|
}
|
||
|
}
|
||
|
exports.ScramSHA256 = ScramSHA256;
|
||
|
//# sourceMappingURL=scram.js.map
|