CDRIVER-5634: SCRAM-SHA-256 FIPS compliance (#1684)

Author: Julia-Garland

Diff for: src/libbson/src/bson/bson-compat.h

@@ -36,11 +36,11 @@
 
 
 #ifdef BSON_OS_WIN32
-#if defined(_WIN32_WINNT) && (_WIN32_WINNT < 0x0600)
+#if defined(_WIN32_WINNT) && (_WIN32_WINNT < 0x0601)
 #undef _WIN32_WINNT
 #endif
 #ifndef _WIN32_WINNT
-#define _WIN32_WINNT 0x0600
+#define _WIN32_WINNT 0x0601
 #endif
 #ifndef NOMINMAX
 #define NOMINMAX

Diff for: src/libmongoc/CMakeLists.txt

@@ -532,6 +532,21 @@ else ()
    set (MONGOC_HAVE_SS_FAMILY 1)
 endif ()
 
+# Check if BCryptDeriveKeyPBKDF2 is defined in bcrypt.h
+if (WIN32 AND MONGOC_ENABLE_CRYPTO_CNG)
+   cmake_push_check_state()
+   list(APPEND CMAKE_REQUIRED_DEFINITIONS -D_WIN32_WINNT=0x0601)
+   list(APPEND CMAKE_REQUIRED_LIBRARIES Bcrypt.lib)
+   check_symbol_exists (BCryptDeriveKeyPBKDF2 "windows.h;bcrypt.h" HAVE_BCRYPT_PBKDF2)
+   cmake_pop_check_state()
+endif ()
+
+if (HAVE_BCRYPT_PBKDF2)
+   set (MONGOC_HAVE_BCRYPT_PBKDF2 1)
+else ()
+   set (MONGOC_HAVE_BCRYPT_PBKDF2 0)
+endif ()
+
 
 set (SOURCES ${SOURCES}
    ${PROJECT_SOURCE_DIR}/src/mongoc/mcd-azure.c

Diff for: src/libmongoc/examples/parse_handshake_cfg.py

@@ -40,6 +40,7 @@
     "MONGOC_MD_FLAG_ENABLE_CLIENT_SIDE_ENCRYPTION": 32,
     "MONGOC_MD_FLAG_ENABLE_MONGODB_AWS_AUTH": 33,
     "MONGOC_MD_FLAG_ENABLE_SRV": 34,
+    "MONGOC_MD_FLAG_HAVE_BCRYPT_PBKDF2": 35,
 }
 
 def main():

Diff for: src/libmongoc/src/mongoc/mongoc-config.h.in

@@ -64,6 +64,15 @@
 #  undef MONGOC_ENABLE_CRYPTO_CNG
 #endif
 
+/*
+ * MONGOC_HAVE_BCRYPT_PBKDF2 is set from configure to determine if 
+ * our Bcrypt Windows library supports PBKDF2 
+ */
+#define MONGOC_HAVE_BCRYPT_PBKDF2 @MONGOC_HAVE_BCRYPT_PBKDF2@
+
+#if MONGOC_HAVE_BCRYPT_PBKDF2 != 1
+#  undef MONGOC_HAVE_BCRYPT_PBKDF2
+#endif
 
 /*
  * MONGOC_ENABLE_SSL_SECURE_TRANSPORT is set from configure to determine if we are

Diff for: src/libmongoc/src/mongoc/mongoc-crypto-cng-private.h

@@ -33,6 +33,17 @@ mongoc_crypto_cng_init (void);
 void
 mongoc_crypto_cng_cleanup (void);
 
+bool
+mongoc_crypto_cng_pbkdf2_hmac_sha1 (mongoc_crypto_t *crypto,
+                                    const char *password,
+                                    size_t password_len,
+                                    const uint8_t *salt,
+                                    size_t salt_len,
+                                    uint32_t iterations,
+                                    size_t output_len,
+                                    unsigned char *output);
+
+
 void
 mongoc_crypto_cng_hmac_sha1 (mongoc_crypto_t *crypto,
                              const void *key,
@@ -47,6 +58,16 @@ mongoc_crypto_cng_sha1 (mongoc_crypto_t *crypto,
                         const size_t input_len,
                         unsigned char *hash_out);
 
+bool
+mongoc_crypto_cng_pbkdf2_hmac_sha256 (mongoc_crypto_t *crypto,
+                                      const char *password,
+                                      size_t password_len,
+                                      const uint8_t *salt,
+                                      size_t salt_len,
+                                      uint32_t iterations,
+                                      size_t output_len,
+                                      unsigned char *output);
+
 void
 mongoc_crypto_cng_hmac_sha256 (mongoc_crypto_t *crypto,
                                const void *key,

Diff for: src/libmongoc/src/mongoc/mongoc-crypto-cng.c

@@ -16,6 +16,7 @@
 #include "mongoc-config.h"
 
 #ifdef MONGOC_ENABLE_CRYPTO_CNG
+#include "mongoc-scram-private.h"
 #include "mongoc-crypto-private.h"
 #include "mongoc-crypto-cng-private.h"
 #include "mongoc-log.h"
@@ -24,6 +25,7 @@
 #include <windows.h>
 #include <stdio.h>
 #include <bcrypt.h>
+#include <string.h>
 
 #define NT_SUCCESS(Status) (((NTSTATUS) (Status)) >= 0)
 #define STATUS_UNSUCCESSFUL ((NTSTATUS) 0xC0000001L)
@@ -75,8 +77,8 @@ mongoc_crypto_cng_cleanup (void)
    if (_sha256_hash_algo) {
       BCryptCloseAlgorithmProvider (&_sha256_hash_algo, 0);
    }
-   if (_sha256_hash_algo) {
-      BCryptCloseAlgorithmProvider (&_sha256_hash_algo, 0);
+   if (_sha256_hmac_algo) {
+      BCryptCloseAlgorithmProvider (&_sha256_hmac_algo, 0);
    }
 }
 
@@ -141,6 +143,112 @@ _mongoc_crypto_cng_hmac_or_hash (
    return retval;
 }
 
+static int
+_crypto_hash_size (mongoc_crypto_t *crypto)
+{
+   if (crypto->algorithm == MONGOC_CRYPTO_ALGORITHM_SHA_1) {
+      return MONGOC_SCRAM_SHA_1_HASH_SIZE;
+   } else if (crypto->algorithm == MONGOC_CRYPTO_ALGORITHM_SHA_256) {
+      return MONGOC_SCRAM_SHA_256_HASH_SIZE;
+   } else {
+      BSON_UNREACHABLE ("Unexpected crypto algorithm");
+   }
+}
+
+#if defined(MONGOC_HAVE_BCRYPT_PBKDF2)
+/* Wrapper for BCryptDeriveKeyPBKDF2 */
+static bool
+_bcrypt_derive_key_pbkdf2 (BCRYPT_ALG_HANDLE prf,
+                           const char *password,
+                           size_t password_len,
+                           const uint8_t *salt,
+                           size_t salt_len,
+                           uint32_t iterations,
+                           size_t output_len,
+                           unsigned char *output)
+{
+   // Make non-const versions of password and salt.
+   char *password_copy = bson_strndup (password, password_len);
+   char *salt_copy = bson_strndup (salt, salt_len);
+
+   NTSTATUS status = BCryptDeriveKeyPBKDF2 (prf,
+                                            (unsigned char *) password_copy,
+                                            password_len,
+                                            (unsigned char *) salt_copy,
+                                            salt_len,
+                                            iterations,
+                                            output,
+                                            output_len,
+                                            0);
+   bson_free (password_copy);
+   bson_free (salt_copy);
+
+   if (!NT_SUCCESS (status)) {
+      MONGOC_ERROR ("_bcrypt_derive_key_pbkdf2(): %ld", status);
+      return false;
+   }
+   return true;
+}
+
+#else
+/* Manually salts password if BCryptDeriveKeyPBKDF2 is unavailable */
+static bool
+_bcrypt_derive_key_pbkdf2 (BCRYPT_ALG_HANDLE algorithm,
+                           const char *password,
+                           size_t password_len,
+                           const uint8_t *salt,
+                           size_t salt_len,
+                           uint32_t iterations,
+                           size_t hash_size,
+                           unsigned char *output)
+{
+   uint8_t intermediate_digest[MONGOC_SCRAM_HASH_MAX_SIZE];
+   uint8_t start_key[MONGOC_SCRAM_HASH_MAX_SIZE];
+
+   memcpy (start_key, salt, salt_len);
+   start_key[salt_len] = 0;
+   start_key[salt_len + 1] = 0;
+   start_key[salt_len + 2] = 0;
+   start_key[salt_len + 3] = 1;
+
+   if (!_mongoc_crypto_cng_hmac_or_hash (algorithm, password, password_len, start_key, hash_size, output)) {
+      return false;
+   }
+   memcpy (intermediate_digest, output, hash_size);
+
+   for (uint32_t i = 2u; i <= iterations; i++) {
+      if (!_mongoc_crypto_cng_hmac_or_hash (
+             algorithm, password, password_len, intermediate_digest, hash_size, output)) {
+         return false;
+      }
+
+      for (int k = 0; k < hash_size; k++) {
+         output[k] ^= intermediate_digest[k];
+      }
+   }
+   return true;
+}
+#endif
+
+bool
+mongoc_crypto_cng_pbkdf2_hmac_sha1 (mongoc_crypto_t *crypto,
+                                    const char *password,
+                                    size_t password_len,
+                                    const uint8_t *salt,
+                                    size_t salt_len,
+                                    uint32_t iterations,
+                                    size_t output_len,
+                                    unsigned char *output)
+{
+#if defined(MONGOC_HAVE_BCRYPT_PBKDF2)
+   return _bcrypt_derive_key_pbkdf2 (
+      _sha1_hmac_algo, password, password_len, salt, salt_len, iterations, output_len, output);
+#else
+   return _bcrypt_derive_key_pbkdf2 (
+      _sha1_hmac_algo, password, password_len, salt, salt_len, iterations, _crypto_hash_size (crypto), output);
+#endif
+}
+
 void
 mongoc_crypto_cng_hmac_sha1 (mongoc_crypto_t *crypto,
                              const void *key,
@@ -172,6 +280,25 @@ mongoc_crypto_cng_sha1 (mongoc_crypto_t *crypto,
    return res;
 }
 
+bool
+mongoc_crypto_cng_pbkdf2_hmac_sha256 (mongoc_crypto_t *crypto,
+                                      const char *password,
+                                      size_t password_len,
+                                      const uint8_t *salt,
+                                      size_t salt_len,
+                                      uint32_t iterations,
+                                      size_t output_len,
+                                      unsigned char *output)
+{
+#if defined(MONGOC_HAVE_BCRYPT_PBKDF2)
+   return _bcrypt_derive_key_pbkdf2 (
+      _sha256_hmac_algo, password, password_len, salt, salt_len, iterations, output_len, output);
+#else
+   return _bcrypt_derive_key_pbkdf2 (
+      _sha256_hmac_algo, password, password_len, salt, salt_len, iterations, _crypto_hash_size (crypto), output);
+#endif
+}
+
 void
 mongoc_crypto_cng_hmac_sha256 (mongoc_crypto_t *crypto,
                                const void *key,

Diff for: src/libmongoc/src/mongoc/mongoc-crypto-common-crypto-private.h

@@ -27,6 +27,16 @@
 
 BSON_BEGIN_DECLS
 
+bool
+mongoc_crypto_common_crypto_pbkdf2_hmac_sha1 (mongoc_crypto_t *crypto,
+                                              const char *password,
+                                              size_t password_len,
+                                              const uint8_t *salt,
+                                              size_t salt_len,
+                                              uint32_t iterations,
+                                              size_t output_len,
+                                              unsigned char *output);
+
 void
 mongoc_crypto_common_crypto_hmac_sha1 (mongoc_crypto_t *crypto,
                                        const void *key,
@@ -41,6 +51,16 @@ mongoc_crypto_common_crypto_sha1 (mongoc_crypto_t *crypto,
                                   const size_t input_len,
                                   unsigned char *hash_out);
 
+bool
+mongoc_crypto_common_crypto_pbkdf2_hmac_sha256 (mongoc_crypto_t *crypto,
+                                                const char *password,
+                                                size_t password_len,
+                                                const uint8_t *salt,
+                                                size_t salt_len,
+                                                uint32_t iterations,
+                                                size_t output_len,
+                                                unsigned char *output);
+
 void
 mongoc_crypto_common_crypto_hmac_sha256 (mongoc_crypto_t *crypto,
                                          const void *key,

Diff for: src/libmongoc/src/mongoc/mongoc-crypto-common-crypto.c

@@ -20,7 +20,23 @@
 #include "mongoc-crypto-common-crypto-private.h"
 #include <CommonCrypto/CommonHMAC.h>
 #include <CommonCrypto/CommonDigest.h>
+#include <CommonCrypto/CommonKeyDerivation.h>
+#include <CommonCrypto/CommonCryptoError.h>
 
+bool
+mongoc_crypto_common_crypto_pbkdf2_hmac_sha1 (mongoc_crypto_t *crypto,
+                                              const char *password,
+                                              size_t password_len,
+                                              const uint8_t *salt,
+                                              size_t salt_len,
+                                              uint32_t iterations,
+                                              size_t output_len,
+                                              unsigned char *output)
+{
+   return kCCSuccess ==
+          CCKeyDerivationPBKDF (
+             kCCPBKDF2, password, password_len, salt, salt_len, kCCPRFHmacAlgSHA1, iterations, output, output_len);
+}
 
 void
 mongoc_crypto_common_crypto_hmac_sha1 (mongoc_crypto_t *crypto,
@@ -46,6 +62,21 @@ mongoc_crypto_common_crypto_sha1 (mongoc_crypto_t *crypto,
    return false;
 }
 
+bool
+mongoc_crypto_common_crypto_pbkdf2_hmac_sha256 (mongoc_crypto_t *crypto,
+                                                const char *password,
+                                                size_t password_len,
+                                                const uint8_t *salt,
+                                                size_t salt_len,
+                                                uint32_t iterations,
+                                                size_t output_len,
+                                                unsigned char *output)
+{
+   return kCCSuccess ==
+          CCKeyDerivationPBKDF (
+             kCCPBKDF2, password, password_len, salt, salt_len, kCCPRFHmacAlgSHA256, iterations, output, output_len);
+}
+
 void
 mongoc_crypto_common_crypto_hmac_sha256 (mongoc_crypto_t *crypto,
                                          const void *key,
@@ -68,5 +99,4 @@ mongoc_crypto_common_crypto_sha256 (mongoc_crypto_t *crypto,
    }
    return false;
 }
-
 #endif

Diff for: src/libmongoc/src/mongoc/mongoc-crypto-openssl-private.h

@@ -28,6 +28,16 @@
 
 BSON_BEGIN_DECLS
 
+bool
+mongoc_crypto_openssl_pbkdf2_hmac_sha1 (mongoc_crypto_t *crypto,
+                                        const char *password,
+                                        size_t password_len,
+                                        const uint8_t *salt,
+                                        size_t salt_len,
+                                        uint32_t iterations,
+                                        size_t output_len,
+                                        unsigned char *output);
+
 void
 mongoc_crypto_openssl_hmac_sha1 (mongoc_crypto_t *crypto,
                                  const void *key,
@@ -42,6 +52,16 @@ mongoc_crypto_openssl_sha1 (mongoc_crypto_t *crypto,
                             const size_t input_len,
                             unsigned char *hash_out);
 
+bool
+mongoc_crypto_openssl_pbkdf2_hmac_sha256 (mongoc_crypto_t *crypto,
+                                          const char *password,
+                                          size_t password_len,
+                                          const uint8_t *salt,
+                                          size_t salt_len,
+                                          uint32_t iterations,
+                                          size_t output_len,
+                                          unsigned char *output);
+
 void
 mongoc_crypto_openssl_hmac_sha256 (mongoc_crypto_t *crypto,
                                    const void *key,