bug#38903: [PATCH] Add SASL SCRAM-SHA-256 support.

bug#38903: [PATCH] Add SASL SCRAM-SHA-256 support.

[Simon Josefsson via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1.1: Type: text/plain, Size: 808 bytes --]

Hello.

The attached patch adds support for the SCRAM-SHA-256 SASL mechanism.

I believe I still have commit access to the repository, so please review
it and I will attempt to commit the patch.  It was some time since I
last contributed anything so please be nitty so I will learn something.

Implementation comment: I wanted to put the code in the existing
sasl-scram-rfc.el file, but due to how `sasl-find-mechanism' works, it
isn't possible to have more than one SASL mechanism defined per
non-autoloaded file.  I didn't want to change the logic here, so I added
sasl-scram-sha256.el as a separate file instead.  If someone can figure
out a nicer way, that would be nice -- and might also fix the existing
hack at the end of sasl-scram-rfc.el that appear to be added due the
same reason.

Thanks,
/Simon

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-Add-SASL-SCRAM-SHA-256-support.patch --]
[-- Type: text/x-diff, Size: 5859 bytes --]

From d96af8467636c3477289208a7330609d25092171 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Fri, 3 Jan 2020 18:41:03 +0100
Subject: [PATCH] Add SASL SCRAM-SHA-256 support.

* lisp/net/sasl.el (sasl-mechanisms): Add SCRAM-SHA-256.
(sasl-mechanism-alist): Ditto.
* lisp/net/sasl-scram-sha256.el: New file.
* tests/lisp/net/sasl-scram-rfc-tests.el (sasl-scram-sha-256-test):
New function.
---
 lisp/net/sasl-scram-sha256.el         | 59 +++++++++++++++++++++++++++
 lisp/net/sasl.el                      |  7 ++--
 test/lisp/net/sasl-scram-rfc-tests.el | 28 +++++++++++--
 3 files changed, 88 insertions(+), 6 deletions(-)
 create mode 100644 lisp/net/sasl-scram-sha256.el

diff --git a/lisp/net/sasl-scram-sha256.el b/lisp/net/sasl-scram-sha256.el
new file mode 100644
index 0000000000..e50a032c23
--- /dev/null
+++ b/lisp/net/sasl-scram-sha256.el
@@ -0,0 +1,59 @@
+;;; sasl-scram-sha256.el --- SCRAM-SHA-256 module for the SASL client framework  -*- lexical-binding: t; -*-
+
+;; Copyright (C) 2020 Free Software Foundation, Inc.
+
+;; Author: Simon Josefsson <simon@josefsson.org>
+;; Package: sasl
+
+;; This file is part of GNU Emacs.
+
+;; GNU Emacs is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU General Public License as published by
+;; the Free Software Foundation, either version 3 of the License, or
+;; (at your option) any later version.
+
+;; GNU Emacs is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;; GNU General Public License for more details.
+
+;; You should have received a copy of the GNU General Public License
+;; along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.
+
+;;; Commentary:
+
+;; Implement the SCRAM-SHA-256 mechanism from RFC 7677.
+
+;;; Code:
+
+(require 'cl-lib)
+(require 'sasl)
+(require 'hex-util)
+(require 'rfc2104)
+(require 'sasl-scram-rfc)
+
+;;; SCRAM-SHA-256
+
+(defconst sasl-scram-sha-256-steps
+  '(sasl-scram-client-first-message
+    sasl-scram-sha-256-client-final-message
+    sasl-scram-sha-256-authenticate-server))
+
+(defun sasl-scram-sha256 (object &optional start end binary)
+  (secure-hash 'sha256 object start end binary))
+
+(defun sasl-scram-sha-256-client-final-message (client step)
+  (sasl-scram--client-final-message
+   ;; HMAC-SHA256 uses block length 64 and hash length 32; see RFC 4634.
+   'sasl-scram-sha256 64 32 client step))
+
+(defun sasl-scram-sha-256-authenticate-server (client step)
+  (sasl-scram--authenticate-server
+   'sasl-scram-sha256 64 32 client step))
+
+(put 'sasl-scram-sha256 'sasl-mechanism
+     (sasl-make-mechanism "SCRAM-SHA-256" sasl-scram-sha-256-steps))
+
+(provide 'sasl-scram-sha256)
+
+;;; sasl-scram-sha256.el ends here
diff --git a/lisp/net/sasl.el b/lisp/net/sasl.el
index e67a5a915f..3cae01c0a9 100644
--- a/lisp/net/sasl.el
+++ b/lisp/net/sasl.el
@@ -1,6 +1,6 @@
 ;;; sasl.el --- SASL client framework
 
-;; Copyright (C) 2000, 2007-2019 Free Software Foundation, Inc.
+;; Copyright (C) 2000, 2007-2020 Free Software Foundation, Inc.
 
 ;; Author: Daiki Ueno <ueno@unixuser.org>
 ;; Keywords: SASL
@@ -35,8 +35,8 @@
 ;;; Code:
 
 (defvar sasl-mechanisms
-  '("SCRAM-SHA-1" "CRAM-MD5" "DIGEST-MD5" "PLAIN" "LOGIN" "ANONYMOUS"
-    "NTLM"))
+  '("SCRAM-SHA-256" "SCRAM-SHA-1" "CRAM-MD5" "DIGEST-MD5" "PLAIN" "LOGIN"
+    "ANONYMOUS" "NTLM"))
 
 (defvar sasl-mechanism-alist
   '(("CRAM-MD5" sasl-cram)
@@ -45,6 +45,7 @@ sasl-mechanism-alist
     ("LOGIN" sasl-login)
     ("ANONYMOUS" sasl-anonymous)
     ("NTLM" sasl-ntlm)
+    ("SCRAM-SHA-256" sasl-scram-sha256)
     ("SCRAM-SHA-1" sasl-scram-rfc)))
 
 (defvar sasl-unique-id-function #'sasl-unique-id-function)
diff --git a/test/lisp/net/sasl-scram-rfc-tests.el b/test/lisp/net/sasl-scram-rfc-tests.el
index af043e9f36..5d53de08ea 100644
--- a/test/lisp/net/sasl-scram-rfc-tests.el
+++ b/test/lisp/net/sasl-scram-rfc-tests.el
@@ -1,6 +1,6 @@
-;;; sasl-scram-rfc-tests.el --- tests for SCRAM-SHA-1       -*- lexical-binding: t; -*-
+;;; sasl-scram-rfc-tests.el --- tests for SCRAM-SHA-*       -*- lexical-binding: t; -*-
 
-;; Copyright (C) 2014-2019 Free Software Foundation, Inc.
+;; Copyright (C) 2014-2020 Free Software Foundation, Inc.
 
 ;; Author: Magnus Henoch <magnus.henoch@gmail.com>
 
@@ -19,7 +19,7 @@
 
 ;;; Commentary:
 
-;; Test cases from RFC 5802.
+;; Test cases from RFC 5802 and RFC 7677.
 
 ;;; Code:
 
@@ -47,4 +47,26 @@
     (sasl-scram-sha-1-authenticate-server client (vector nil "v=rmF9pqV8S7suAoZWja4dJRkFsKQ=
 "))))
 
+(require 'sasl-scram-sha256)
+
+(ert-deftest sasl-scram-sha-256-test ()
+  ;; The following strings are taken from section 3 of RFC 7677.
+  (let ((client
+         (sasl-make-client (sasl-find-mechanism '("SCRAM-SHA-256"))
+                           "user"
+                           "imap"
+                           "localhost"))
+        (data "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
+        (c-nonce "rOprNGfwEbeRWgbNEkqO")
+        (sasl-read-passphrase
+         (lambda (_prompt) (copy-sequence "pencil"))))
+    (sasl-client-set-property client 'c-nonce c-nonce)
+    (should
+     (equal
+      (sasl-scram-sha-256-client-final-message client (vector nil data))
+      "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ="))
+
+    ;; This should not throw an error:
+    (sasl-scram-sha-256-authenticate-server client (vector nil "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="))))
+
 ;;; sasl-scram-rfc-tests.el ends here
-- 
2.20.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

bug#38903: Add SASL SCRAM-SHA-256 support

[Paul Eggert]

Thanks, this patch looks good to me; please install in the master branch.

bug#38903: Add SASL SCRAM-SHA-256 support

[Simon Josefsson via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1: Type: text/plain, Size: 154 bytes --]

Paul Eggert <eggert@cs.ucla.edu> writes:

> Thanks, this patch looks good to me; please install in the master branch.

Done.

Thank you for review,
Simon

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]