martimm / auth-scram Goto Github PK

View Code? Open in Web Editor NEW

0.0 4.0 2.0 1011 KB

authentication using scram

License: Artistic License 2.0

Raku 100.00%

auth-scram's Introduction

Salted Challenge Response Authentication Mechanism (SCRAM)

This package implements secure authentication mechanism.

Synopsis

# Example from rfc (C = client, s = server)
# C: n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL
# S: r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096
# C: c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,
#    p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=
# S: v=rmF9pqV8S7suAoZWja4dJRkFsKQ=
#
class MyClient {

  # Send client first message to server and return server response
  method client-first ( Str:D $client-first-message --> Str ) {

    # Send $client-first-message to server;

    # Get server response, this is the server first message
    'r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096';
  }

  # Send client final message to server and return server response
  method client-final ( Str:D $client-final-message --> Str ) {

    # Send $client-final-message to server.

    # Server response is server final message
    'v=rmF9pqV8S7suAoZWja4dJRkFsKQ=';
  }

  method error ( Str:D $message --> Str ) {
    # Errors? nah ... (Famous last words!)
  }
}

my Auth::SCRAM $sc .= new(
  :username<user>,
  :password<pencil>,
  :client-side(MyClient.new),
);

$sc.c-nonce-size = 24;
$sc.c-nonce = 'fyko+d2lbbFgONRv9qkxdawL';

my $error = $sc.start-scram;

Documentation

Change log

Release notes

Bugs, todo and known limitations

Bugs, todo

Installing

Use zef to install the package like so.

$ zef install Auth-SCRAM

Versions of Raku using moarvm

This project is tested with latest Rakudo built on MoarVM implementing Perl v6.d.

Authors

Marcel Timmerman (MARTIMM on github)

auth-scram's People

Contributors

Watchers

Forkers

samcv zoffixznet

auth-scram's Issues

Mext and extensions

Some parts of the communication process are not yet looked at

missing docs

review of client docs and add new server side docs

error return

server side implementation does not return errors yet

usernam and password not prepped

strings must be prepared and converted or checked for unicode errors. Must write a new module for it

RFC 9266: Channel Bindings for TLS 1.3 support

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

tls-unique for TLS =< 1.2
tls-exporter for TLS = 1.3

Thanks in advance.

Linked to:

SCRAM-SHA-1-PLUS + SCRAM-SHA-224(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-384(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports

After:

SCRAM-SHA-1

Can you add supports of :

SCRAM-SHA-1-PLUS
SCRAM-SHA-224
SCRAM-SHA-224-PLUS
SCRAM-SHA-256
SCRAM-SHA-256-PLUS
SCRAM-SHA-384
SCRAM-SHA-384-PLUS
SCRAM-SHA-512
SCRAM-SHA-512-PLUS
SCRAM-SHA3-512
SCRAM-SHA3-512-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

SCRAM-SHA-1(-PLUS):
-- https://tools.ietf.org/html/rfc5802
-- https://tools.ietf.org/html/rfc6120
SCRAM-SHA-256(-PLUS):
-- https://tools.ietf.org/html/rfc7677 since 2015-11-02
-- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
SCRAM-SHA-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha-512
SCRAM-SHA3-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

LDAP:

RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa

IANA:

Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml