Split hash and hmac logic out to their own functions (sasl.scram)

This commit is contained in:
jesopo 2019-02-05 22:53:55 +00:00
parent 5d51a283bb
commit aa7aa17ec1

View file

@ -34,6 +34,11 @@ class SCRAM(object):
data = base64.b64decode(message) data = base64.b64decode(message)
return data, dict(piece.split(b"=", 1) for piece in data.split(b",")) return data, dict(piece.split(b"=", 1) for piece in data.split(b","))
def _hmac(self, key, msg):
return hmac.digest(key, msg, self._algo)
def _hash(self, msg):
return hashlib.new(self._algo, msg).digest()
def client_first(self): def client_first(self):
self.state = SCRAMState.ClientFirst self.state = SCRAMState.ClientFirst
# start SCRAM handshake # start SCRAM handshake
@ -55,15 +60,15 @@ class SCRAM(object):
int(iterations), dklen=None) int(iterations), dklen=None)
self._salted_password = salted_password self._salted_password = salted_password
client_key = hmac.digest(salted_password, b"Client Key", self._algo) client_key = self._hmac(salted_password, b"Client Key")
stored_key = hashlib.new(self._algo, client_key).digest() stored_key = self._hash(client_key)
channel = base64.b64encode(b"n,,") channel = base64.b64encode(b"n,,")
auth_noproof = b"c=%s,r=%s" % (channel, nonce) auth_noproof = b"c=%s,r=%s" % (channel, nonce)
auth_message = b"%s,%s,%s" % (self._client_first, data, auth_noproof) auth_message = b"%s,%s,%s" % (self._client_first, data, auth_noproof)
self._auth_message = auth_message self._auth_message = auth_message
client_signature = hmac.digest(stored_key, auth_message, self._algo) client_signature = self._hmac(stored_key, auth_message)
client_proof = base64.b64encode( client_proof = base64.b64encode(
_scram_xor(client_key, client_signature)) _scram_xor(client_key, client_signature))
@ -74,10 +79,8 @@ class SCRAM(object):
data, pieces = self._get_data(message) data, pieces = self._get_data(message)
verifier = pieces[b"v"] verifier = pieces[b"v"]
server_key = hmac.digest(self._salted_password, b"Server Key", server_key = self._hmac(self._salted_password, b"Server Key")
self._algo) server_signature = self._hmac(server_key, self._auth_message)
server_signature = hmac.digest(server_key, self._auth_message,
self._algo)
if server_signature != base64.b64decode(verifier): if server_signature != base64.b64decode(verifier):
self.state = SCRAMState.VerifyFailed self.state = SCRAMState.VerifyFailed