PHP的SCRAM-SHA-1 auth

时间:2015-09-23 00:27:56

标签: php xmpp sasl sasl-scram

请帮助我在手册中实现有关XMPP服务器中SCRAM-SHA-1授权的语义代码。所以,我们得到了:

clientFinalMessageBare = "c=biws,r=" .. serverNonce
saltedPassword = PBKDF2-SHA-1(normalizedPassword, salt, i)
clientKey = HMAC-SHA-1(saltedPassword, "Client Key")
storedKey = SHA-1(clientKey)
authMessage = initialMessage .. "," .. serverFirstMessage .. "," .. clientFinalMessageBare
clientSignature = HMAC-SHA-1(storedKey, authMessage)
clientProof = clientKey XOR clientSignature
clientFinalMessage = clientFinalMessageBare .. ",p=" .. base64(clientProof)

我的PHP代码:

$cfmb = 'c=biws,r='.$salt;     
$saltpass = hash_pbkdf2('sha1', 'IDoMdGuFE9S0', $ps, $iter);        
//hash_pbkdf2('sha1', 'IDoMdGuFE9S0', $salt, $iter, 0, true); maybe like that???
$ckey = hash_hmac('sha1', $saltpass, 'Client Key');
$sckey = sha1($ckey);
$authmsg = $im.','.$chal.','.$cfmb;
$csign = hash_hmac('sha1', $sckey, $authmsg);
$cproof = bin2hex(pack('H*',$ckey) ^ pack('H*',$csign));
$cfm = $cfmb.',p='.base64_encode($cproof);

某处错误(可能是所有大错误;))我非常需要你的帮助来纠正我的代码,也许我使用错误的函数,或者错误的位置参数?因为结果 - 失败,服务器发给我:

"客户提供的回复与我们计算的回复不符。"

PS:抱歉我的英语不好;)

1 个答案:

答案 0 :(得分:1)

首先,对于serverNonce使用$salt而对salt使用$ps非常困惑。

但更重要的是,您应该注意跟踪您使用的函数是返回二进制数据还是十六进制编码字符串。 hash_pbkdf2sha1hash_hmac默认返回十六进制编码的字符串。您致电pack('H*', ...)$cproof解码,但不是在计算$ckey$csign时。

更简单的方法是直接计算二进制数据,总是传递$raw_data = TRUE

$cfmb = 'c=biws,r='.$salt;     
$saltpass = hash_pbkdf2('sha1', 'IDoMdGuFE9S0', $ps, $iter, 0, TRUE);        
$ckey = hash_hmac('sha1', 'Client Key', $saltpass, TRUE);
$sckey = sha1($ckey, TRUE);
$authmsg = $im.','.$chal.','.$cfmb;
$csign = hash_hmac('sha1', $authmsg, $sckey, TRUE);
$cproof = $ckey ^ $csign;
$cfm = $cfmb.',p='.base64_encode($cproof);

此外,您的hash_hmac来电是错误的:首先是数据,然后是密钥。