auth: auth-scram-server - Move key data to separate struct.
authorStephan Bosch <stephan.bosch@open-xchange.com>
Fri, 6 Jan 2023 14:14:29 +0000 (15:14 +0100)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Fri, 27 Jan 2023 09:34:54 +0000 (09:34 +0000)
src/auth/auth-scram-server.c
src/auth/auth-scram.h
src/auth/mech-scram.c

index 67b626d6b8b5c78dc101fb39717646ce366cdad9..41085249a5907ef1af47ca124d7ec77c51fd0126 100644 (file)
@@ -160,9 +160,10 @@ auth_scram_parse_client_first(struct scram_auth_request *server,
 }
 
 static string_t *
-auth_scram_get_server_first(struct scram_auth_request *server,
-                           int iter, const char *salt)
+auth_scram_get_server_first(struct scram_auth_request *server)
 {
+       const struct hash_method *hmethod = server->hash_method;
+       struct auth_scram_key_data *kdata = &server->key_data;
        unsigned char snonce[SCRAM_SERVER_NONCE_LEN+1];
        string_t *str;
        size_t i;
@@ -181,6 +182,10 @@ auth_scram_get_server_first(struct scram_auth_request *server,
                             ;; A positive number.
         */
 
+       i_assert(kdata->hmethod == hmethod);
+       i_assert(kdata->salt != NULL);
+       i_assert(kdata->iter_count != 0);
+
        random_fill(snonce, sizeof(snonce)-1);
 
        /* Make sure snonce is printable and does not contain ',' */
@@ -193,9 +198,9 @@ auth_scram_get_server_first(struct scram_auth_request *server,
        server->snonce = p_strndup(server->pool, snonce, sizeof(snonce));
 
        str = t_str_new(32 + strlen(server->cnonce) + sizeof(snonce) +
-                       strlen(salt));
+                       strlen(kdata->salt));
        str_printfa(str, "r=%s%s,s=%s,i=%d", server->cnonce, server->snonce,
-                   salt, iter);
+                   kdata->salt, kdata->iter_count);
        return str;
 }
 
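Review bot: On the `str_printfa` line, `kdata->iter_count` is now an `unsigned int` (as declared in the new `struct auth_scram_key_data` in auth-scram.h), but the format string still uses `%d`, which matched the removed `int iter` parameter; the conversion should be `"r=%s%s,s=%s,i=%u"` so the format stays type-correct under -Wformat and counts above INT_MAX are not rendered negative. The `strlen(kdata->salt)` sizing and the rest of the hunk look correct. `auth_scram_get_server_first` begins outside this hunk (its signature is in the first hunk of this file).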
@@ -203,6 +208,7 @@ static bool
 auth_scram_server_verify_credentials(struct scram_auth_request *server)
 {
        const struct hash_method *hmethod = server->hash_method;
+       struct auth_scram_key_data *kdata = &server->key_data;
        struct hmac_context ctx;
        const char *auth_message;
        unsigned char client_key[hmethod->digest_size];
@@ -210,6 +216,8 @@ auth_scram_server_verify_credentials(struct scram_auth_request *server)
        unsigned char stored_key[hmethod->digest_size];
        size_t i;
 
+       i_assert(kdata->hmethod == hmethod);
+
        /* RFC 5802, Section 3:
 
           AuthMessage     := client-first-message-bare + "," +
@@ -221,7 +229,7 @@ auth_scram_server_verify_credentials(struct scram_auth_request *server)
                        server->server_first_message, ",",
                        server->client_final_message_without_proof, NULL);
 
-       hmac_init(&ctx, server->stored_key, hmethod->digest_size, hmethod);
+       hmac_init(&ctx, kdata->stored_key, hmethod->digest_size, hmethod);
        hmac_update(&ctx, auth_message, strlen(auth_message));
        hmac_final(&ctx, client_signature);
 
@@ -237,7 +245,7 @@ auth_scram_server_verify_credentials(struct scram_auth_request *server)
        safe_memset(client_key, 0, sizeof(client_key));
        safe_memset(client_signature, 0, sizeof(client_signature));
 
-       return mem_equals_timing_safe(stored_key, server->stored_key,
+       return mem_equals_timing_safe(stored_key, kdata->stored_key,
                                      sizeof(stored_key));
 }
 
@@ -328,6 +336,7 @@ static string_t *
 auth_scram_get_server_final(struct scram_auth_request *server)
 {
        const struct hash_method *hmethod = server->hash_method;
+       struct auth_scram_key_data *kdata = &server->key_data;
        struct hmac_context ctx;
        const char *auth_message;
        unsigned char server_signature[hmethod->digest_size];
@@ -344,7 +353,7 @@ auth_scram_get_server_final(struct scram_auth_request *server)
                        server->server_first_message, ",",
                        server->client_final_message_without_proof, NULL);
 
-       hmac_init(&ctx, server->server_key, hmethod->digest_size, hmethod);
+       hmac_init(&ctx, kdata->server_key, hmethod->digest_size, hmethod);
        hmac_update(&ctx, auth_message, strlen(auth_message));
        hmac_final(&ctx, server_signature);
 
index d8ef1029f52a20b10c193bd31e7c59bf74878e92..6956a4777c78fa042120c00824d85d21d989dadc 100644 (file)
@@ -1,6 +1,15 @@
 #ifndef AUTH_SCRAM_H
 #define AUTH_SCRAM_H
 
+struct auth_scram_key_data {
+       const struct hash_method *hmethod;
+
+       unsigned int iter_count;
+       const char *salt;
+       unsigned char *stored_key;
+       unsigned char *server_key;
+};
+
 void auth_scram_hi(const struct hash_method *hmethod,
                   const unsigned char *str, size_t str_size,
                   const unsigned char *salt, size_t salt_size, unsigned int i,
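Review bot: The new `struct auth_scram_key_data` carries unstated contracts that callers must honour: `stored_key` and `server_key` are not allocated by the struct itself but must point at `hmethod->digest_size` writable bytes (this commit allocates them from the request pool in mech-scram.c), `salt` is passed to `strlen()` and printed with `%s` so it must be NUL-terminated, and `iter_count` must be non-zero (asserted in auth-scram-server.c). Since this is a public header, I would document that above the fields, e.g. `/* Hash method the keys were derived with; fixes the size of the two key buffers below */` on `hmethod`, `/* Caller-owned buffers of hmethod->digest_size bytes */` on the two key pointers, and `/* NUL-terminated salt and non-zero iteration count as sent in the server-first message */` on `salt`/`iter_count`.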
index d6823d16cf4dc8b31b8daabf19e438f1ae58d167..58ffb937ec3a627fc0b91b89c03ea4a6500b6716 100644 (file)
@@ -18,6 +18,7 @@
 #include "strfuncs.h"
 #include "strnum.h"
 #include "password-scheme.h"
+#include "auth-scram.h"
 #include "mech.h"
 #include "mech-scram.h"
 
@@ -43,9 +44,8 @@ struct scram_auth_request {
        const char *client_final_message_without_proof;
        buffer_t *proof;
 
-       /* stored */
-       unsigned char *stored_key;
-       unsigned char *server_key;
+       /* looked up: */
+       struct auth_scram_key_data key_data;
 };
 
 #include "auth-scram-server.c"
@@ -57,15 +57,17 @@ credentials_callback(enum passdb_result result,
 {
        struct scram_auth_request *request =
                (struct scram_auth_request *)auth_request;
-       const char *salt, *error;
-       unsigned int iter_count;
+       struct auth_scram_key_data *key_data = &request->key_data;
+       const char *error;
 
        switch (result) {
        case PASSDB_RESULT_OK:
-               if (scram_scheme_parse(request->hash_method,
+               if (scram_scheme_parse(key_data->hmethod,
                                       request->password_scheme,
-                                      credentials, size, &iter_count, &salt,
-                                      request->stored_key, request->server_key,
+                                      credentials, size,
+                                      &key_data->iter_count, &key_data->salt,
+                                      key_data->stored_key,
+                                      key_data->server_key,
                                       &error) < 0) {
                        e_info(auth_request->mech_event,
                               "%s", error);
@@ -74,7 +76,7 @@ credentials_callback(enum passdb_result result,
                }
 
                request->server_first_message = p_strdup(request->pool,
-                       str_c(auth_scram_get_server_first(request, iter_count, salt)));
+                       str_c(auth_scram_get_server_first(request)));
 
                auth_request_handler_reply_continue(auth_request,
                                        request->server_first_message,
@@ -145,8 +147,10 @@ mech_scram_auth_new(const struct hash_method *hash_method,
        request->hash_method = hash_method;
        request->password_scheme = password_scheme;
 
-       request->stored_key = p_malloc(pool, hash_method->digest_size);
-       request->server_key = p_malloc(pool, hash_method->digest_size);
+       i_zero(&request->key_data);
+       request->key_data.hmethod = hash_method;
+       request->key_data.stored_key = p_malloc(pool, hash_method->digest_size);
+       request->key_data.server_key = p_malloc(pool, hash_method->digest_size);
 
        request->auth_request.pool = pool;
        return &request->auth_request;
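Review bot: The hash method is now stored twice, in `request->hash_method` and in `request->key_data.hmethod`, and every consumer in auth-scram-server.c asserts the two agree; the duplication is intentional but nothing at this site says so. A one-line comment on the `request->key_data.hmethod = hash_method;` line, `/* key_data.hmethod mirrors hash_method; auth-scram-server.c asserts they agree */`, would stop a later reader from "simplifying" one of them away. The enclosing `mech_scram_auth_new` starts outside this hunk.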