RubyGems - libcouchbase - Versions diffs - 1.2.8 → 1.3.0 - Mend

libcouchbase 1.2.8 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (186) hide show

checksums.yaml +4 -4
data/.travis.yml +4 -4
data/README.md +16 -8
data/ext/libcouchbase/CMakeLists.txt +34 -32
data/ext/libcouchbase/RELEASE_NOTES.markdown +277 -6
data/ext/libcouchbase/cmake/Modules/ConfigureDtrace.cmake +14 -0
data/ext/libcouchbase/cmake/Modules/FindCouchbaseLibevent.cmake +2 -0
data/ext/libcouchbase/cmake/Modules/FindCouchbaseLibuv.cmake +2 -1
data/ext/libcouchbase/cmake/Modules/GenerateConfigDotH.cmake +2 -0
data/ext/libcouchbase/cmake/Modules/GetLibcouchbaseFlags.cmake +8 -1
data/ext/libcouchbase/cmake/Modules/GetVersionInfo.cmake +3 -3
data/ext/libcouchbase/cmake/config-cmake.h.in +14 -0
data/ext/libcouchbase/cmake/configure +8 -26
data/ext/libcouchbase/cmake/defs.mk.in +2 -2
data/ext/libcouchbase/cmake/libcouchbase.stp.in +829 -0
data/ext/libcouchbase/cmake/source_files.cmake +11 -2
data/ext/libcouchbase/contrib/cbsasl/CMakeLists.txt +18 -2
data/ext/libcouchbase/contrib/cbsasl/include/cbsasl/cbsasl.h +44 -2
data/ext/libcouchbase/contrib/cbsasl/src/client.c +285 -73
data/ext/libcouchbase/contrib/cbsasl/src/common.c +4 -0
data/ext/libcouchbase/contrib/cbsasl/src/scram-sha/scram_utils.c +500 -0
data/ext/libcouchbase/contrib/cbsasl/src/scram-sha/scram_utils.h +99 -0
data/ext/libcouchbase/contrib/cliopts/CMakeLists.txt +1 -1
data/ext/libcouchbase/contrib/cliopts/cliopts.h +14 -1
data/ext/libcouchbase/contrib/snappy/CMakeLists.txt +2 -3
data/ext/libcouchbase/contrib/snappy/snappy-sinksource.cc +4 -0
data/ext/libcouchbase/contrib/snappy/snappy-stubs-public.h +7 -5
data/ext/libcouchbase/contrib/snappy/snappy.cc +7 -2
data/ext/libcouchbase/example/crypto/.gitignore +2 -0
data/ext/libcouchbase/example/crypto/Makefile +13 -0
data/ext/libcouchbase/example/crypto/common_provider.c +24 -0
data/ext/libcouchbase/example/crypto/common_provider.h +31 -0
data/ext/libcouchbase/example/crypto/openssl_symmetric_decrypt.c +139 -0
data/ext/libcouchbase/example/crypto/openssl_symmetric_encrypt.c +147 -0
data/ext/libcouchbase/example/crypto/openssl_symmetric_provider.c +281 -0
data/ext/libcouchbase/example/crypto/openssl_symmetric_provider.h +29 -0
data/ext/libcouchbase/example/tracing/.gitignore +2 -0
data/ext/libcouchbase/example/tracing/Makefile +8 -0
data/ext/libcouchbase/example/tracing/cJSON.c +1 -0
data/ext/libcouchbase/example/tracing/cJSON.h +1 -0
data/ext/libcouchbase/example/tracing/tracing.c +439 -0
data/ext/libcouchbase/example/tracing/views.c +444 -0
data/ext/libcouchbase/include/libcouchbase/auth.h +56 -4
data/ext/libcouchbase/include/libcouchbase/cbft.h +8 -0
data/ext/libcouchbase/include/libcouchbase/cntl-private.h +55 -1
data/ext/libcouchbase/include/libcouchbase/cntl.h +101 -1
data/ext/libcouchbase/include/libcouchbase/configuration.h.in +6 -0
data/ext/libcouchbase/include/libcouchbase/couchbase.h +109 -6
data/ext/libcouchbase/include/libcouchbase/crypto.h +140 -0
data/ext/libcouchbase/include/libcouchbase/error.h +38 -2
data/ext/libcouchbase/include/libcouchbase/kvbuf.h +6 -1
data/ext/libcouchbase/include/libcouchbase/metrics.h +79 -0
data/ext/libcouchbase/include/libcouchbase/n1ql.h +9 -0
data/ext/libcouchbase/include/libcouchbase/tracing.h +319 -0
data/ext/libcouchbase/include/libcouchbase/vbucket.h +1 -1
data/ext/libcouchbase/include/libcouchbase/views.h +8 -0
data/ext/libcouchbase/include/memcached/protocol_binary.h +40 -10
data/ext/libcouchbase/packaging/rpm/libcouchbase.spec.in +6 -14
data/ext/libcouchbase/plugins/io/libuv/plugin-internal.h +3 -0
data/ext/libcouchbase/plugins/io/libuv/plugin-libuv.c +1 -0
data/ext/libcouchbase/plugins/io/select/plugin-select.c +4 -1
data/ext/libcouchbase/src/auth-priv.h +36 -4
data/ext/libcouchbase/src/auth.cc +66 -27
data/ext/libcouchbase/src/bootstrap.cc +1 -1
data/ext/libcouchbase/src/bucketconfig/bc_cccp.cc +12 -7
data/ext/libcouchbase/src/bucketconfig/bc_http.cc +26 -17
data/ext/libcouchbase/src/bucketconfig/bc_http.h +1 -1
data/ext/libcouchbase/src/bucketconfig/clconfig.h +4 -2
data/ext/libcouchbase/src/bucketconfig/confmon.cc +6 -3
data/ext/libcouchbase/src/cbft.cc +48 -0
data/ext/libcouchbase/src/cntl.cc +138 -2
data/ext/libcouchbase/src/config_static.h +17 -0
data/ext/libcouchbase/src/connspec.cc +54 -6
data/ext/libcouchbase/src/connspec.h +9 -1
data/ext/libcouchbase/src/crypto.cc +386 -0
data/ext/libcouchbase/src/ctx-log-inl.h +23 -6
data/ext/libcouchbase/src/dump.cc +4 -0
data/ext/libcouchbase/src/getconfig.cc +1 -2
data/ext/libcouchbase/src/handler.cc +65 -27
data/ext/libcouchbase/src/hostlist.cc +35 -7
data/ext/libcouchbase/src/hostlist.h +7 -0
data/ext/libcouchbase/src/http/http-priv.h +2 -0
data/ext/libcouchbase/src/http/http.cc +77 -37
data/ext/libcouchbase/src/http/http_io.cc +19 -2
data/ext/libcouchbase/src/instance.cc +90 -17
data/ext/libcouchbase/src/internal.h +5 -0
data/ext/libcouchbase/src/lcbio/connect.cc +39 -4
data/ext/libcouchbase/src/lcbio/connect.h +27 -0
data/ext/libcouchbase/src/lcbio/ctx.c +49 -23
data/ext/libcouchbase/src/lcbio/ioutils.cc +30 -3
data/ext/libcouchbase/src/lcbio/ioutils.h +2 -0
data/ext/libcouchbase/src/lcbio/manager.cc +44 -8
data/ext/libcouchbase/src/lcbio/manager.h +2 -0
data/ext/libcouchbase/src/lcbio/rw-inl.h +1 -0
data/ext/libcouchbase/src/lcbio/ssl.h +3 -5
data/ext/libcouchbase/src/logging.c +1 -1
data/ext/libcouchbase/src/logging.h +2 -0
data/ext/libcouchbase/src/mc/compress.cc +164 -0
data/ext/libcouchbase/src/mc/compress.h +7 -12
data/ext/libcouchbase/src/mc/mcreq-flush-inl.h +5 -1
data/ext/libcouchbase/src/mc/mcreq.c +11 -1
data/ext/libcouchbase/src/mc/mcreq.h +35 -4
data/ext/libcouchbase/src/mcserver/mcserver.cc +30 -7
data/ext/libcouchbase/src/mcserver/mcserver.h +7 -0
data/ext/libcouchbase/src/mcserver/negotiate.cc +103 -57
data/ext/libcouchbase/src/mcserver/negotiate.h +2 -2
data/ext/libcouchbase/src/mctx-helper.h +11 -0
data/ext/libcouchbase/src/metrics.cc +132 -0
data/ext/libcouchbase/src/n1ql/ixmgmt.cc +2 -1
data/ext/libcouchbase/src/n1ql/n1ql.cc +66 -0
data/ext/libcouchbase/src/newconfig.cc +9 -2
data/ext/libcouchbase/src/operations/counter.cc +2 -1
data/ext/libcouchbase/src/operations/durability-cas.cc +11 -0
data/ext/libcouchbase/src/operations/durability-seqno.cc +3 -0
data/ext/libcouchbase/src/operations/durability.cc +24 -2
data/ext/libcouchbase/src/operations/durability_internal.h +19 -0
data/ext/libcouchbase/src/operations/get.cc +4 -2
data/ext/libcouchbase/src/operations/observe-seqno.cc +1 -0
data/ext/libcouchbase/src/operations/observe.cc +113 -62
data/ext/libcouchbase/src/operations/ping.cc +246 -67
data/ext/libcouchbase/src/operations/remove.cc +2 -1
data/ext/libcouchbase/src/operations/store.cc +17 -14
data/ext/libcouchbase/src/operations/touch.cc +3 -0
data/ext/libcouchbase/src/packetutils.h +68 -4
data/ext/libcouchbase/src/probes.d +132 -161
data/ext/libcouchbase/src/rdb/bigalloc.c +1 -1
data/ext/libcouchbase/src/retryq.cc +6 -2
data/ext/libcouchbase/src/rnd.cc +68 -0
data/ext/libcouchbase/src/rnd.h +39 -0
data/ext/libcouchbase/src/settings.c +27 -0
data/ext/libcouchbase/src/settings.h +67 -3
data/ext/libcouchbase/src/ssl/CMakeLists.txt +0 -12
data/ext/libcouchbase/src/ssl/ssl_common.c +23 -4
data/ext/libcouchbase/src/strcodecs/base64.c +141 -16
data/ext/libcouchbase/src/strcodecs/strcodecs.h +16 -1
data/ext/libcouchbase/src/trace.h +68 -61
data/ext/libcouchbase/src/tracing/span.cc +289 -0
data/ext/libcouchbase/src/tracing/threshold_logging_tracer.cc +171 -0
data/ext/libcouchbase/src/tracing/tracer.cc +53 -0
data/ext/libcouchbase/src/tracing/tracing-internal.h +213 -0
data/ext/libcouchbase/src/utilities.c +5 -0
data/ext/libcouchbase/src/vbucket/CMakeLists.txt +2 -2
data/ext/libcouchbase/src/vbucket/vbucket.c +50 -18
data/ext/libcouchbase/src/views/docreq.cc +26 -1
data/ext/libcouchbase/src/views/docreq.h +17 -0
data/ext/libcouchbase/src/views/viewreq.cc +64 -1
data/ext/libcouchbase/src/views/viewreq.h +21 -0
data/ext/libcouchbase/tests/CMakeLists.txt +6 -6
data/ext/libcouchbase/tests/basic/t_base64.cc +34 -6
data/ext/libcouchbase/tests/basic/t_connstr.cc +14 -0
data/ext/libcouchbase/tests/basic/t_creds.cc +10 -10
data/ext/libcouchbase/tests/basic/t_host.cc +22 -2
data/ext/libcouchbase/tests/basic/t_scram.cc +514 -0
data/ext/libcouchbase/tests/check-all.cc +6 -2
data/ext/libcouchbase/tests/iotests/mock-environment.cc +64 -0
data/ext/libcouchbase/tests/iotests/mock-environment.h +27 -1
data/ext/libcouchbase/tests/iotests/t_confmon.cc +2 -2
data/ext/libcouchbase/tests/iotests/t_forward.cc +8 -0
data/ext/libcouchbase/tests/iotests/t_netfail.cc +124 -0
data/ext/libcouchbase/tests/iotests/t_smoke.cc +1 -1
data/ext/libcouchbase/tests/iotests/t_snappy.cc +316 -0
data/ext/libcouchbase/tests/socktests/socktest.cc +2 -2
data/ext/libcouchbase/tests/socktests/t_basic.cc +6 -6
data/ext/libcouchbase/tests/socktests/t_manager.cc +1 -1
data/ext/libcouchbase/tests/socktests/t_ssl.cc +1 -1
data/ext/libcouchbase/tools/CMakeLists.txt +1 -1
data/ext/libcouchbase/tools/cbc-handlers.h +17 -0
data/ext/libcouchbase/tools/cbc-n1qlback.cc +7 -4
data/ext/libcouchbase/tools/cbc-pillowfight.cc +408 -100
data/ext/libcouchbase/tools/cbc-proxy.cc +134 -3
data/ext/libcouchbase/tools/cbc-subdoc.cc +1 -2
data/ext/libcouchbase/tools/cbc.cc +113 -8
data/ext/libcouchbase/tools/common/histogram.cc +1 -0
data/ext/libcouchbase/tools/common/options.cc +28 -1
data/ext/libcouchbase/tools/common/options.h +5 -0
data/ext/libcouchbase/tools/docgen/docgen.h +36 -10
data/ext/libcouchbase/tools/docgen/loc.h +5 -4
data/ext/libcouchbase/tools/docgen/seqgen.h +28 -0
data/lib/libcouchbase/ext/libcouchbase/enums.rb +10 -0
data/lib/libcouchbase/n1ql.rb +6 -1
data/lib/libcouchbase/version.rb +1 -1
data/spec/connection_spec.rb +6 -6
metadata +38 -5
data/ext/libcouchbase/cmake/Modules/FindCouchbaseSnappy.cmake +0 -11
data/ext/libcouchbase/src/mc/compress.c +0 -90
data/ext/libcouchbase/tools/common/my_inttypes.h +0 -22

data/ext/libcouchbase/cmake/source_files.cmake CHANGED Viewed

@@ -21,6 +21,7 @@ FILE(GLOB LCB_OP_SRC src/operations/*.c)
 # memcached packets
 FILE(GLOB LCB_MC_SRC src/mc/*.c)
+FILE(GLOB LCB_MC_CXXSRC src/mc/*.cc)
 # read buffer management
 FILE(GLOB LCB_RDB_SRC src/rdb/*.c)
@@ -40,11 +41,14 @@ SET(LCB_CORE_SRC
     ${LCB_N1QL_SRC}
     src/callbacks.c
     src/legacy.c
-    # src/mcserver/negotiate.c
     src/iofactory.c
     src/settings.c
     src/utilities.c)
+IF (LCB_TRACING)
+  FILE(GLOB LCB_TRACING_SRC src/tracing/*.cc)
+ENDIF()
 SET(LCB_CORE_CXXSRC
     src/instance.cc
     src/auth.cc
@@ -55,6 +59,7 @@ SET(LCB_CORE_CXXSRC
     src/bucketconfig/bc_static.cc
     src/bucketconfig/confmon.cc
     src/connspec.cc
+    src/crypto.cc
     src/dns-srv.cc
     src/dump.cc
     src/errmap.cc
@@ -87,9 +92,13 @@ SET(LCB_CORE_CXXSRC
     src/operations/ping.cc
     src/mcserver/mcserver.cc
     src/mcserver/negotiate.cc
+    src/metrics.cc
     src/retrychk.cc
     src/retryq.cc
+    src/rnd.cc
     src/views/docreq.cc
     src/views/viewreq.cc
     src/cntl.cc
-    src/wait.cc)
+    src/wait.cc
+    ${LCB_TRACING_SRC}
+    )

data/ext/libcouchbase/contrib/cbsasl/CMakeLists.txt CHANGED Viewed

@@ -1,9 +1,25 @@
+INCLUDE (CheckCSourceCompiles)
 INCLUDE_DIRECTORIES(src)
 FILE(GLOB CBSASL_SRC src/*.c)
 FILE(GLOB CRAM_SRC src/cram-md5/*.c)
+FILE(GLOB SCRAM_SRC src/scram-sha/*.c)
-ADD_LIBRARY(cbsasl OBJECT ${CBSASL_SRC} ${CRAM_SRC})
-SET_TARGET_PROPERTIES(cbsasl
+ADD_LIBRARY(cbsasl-lcb OBJECT ${CBSASL_SRC} ${CRAM_SRC} ${SCRAM_SRC})
+SET_TARGET_PROPERTIES(cbsasl-lcb
     PROPERTIES
     POSITION_INDEPENDENT_CODE TRUE
     COMPILE_FLAGS "${LCB_CORE_CFLAGS}")
+IF(OPENSSL_FOUND AND (NOT LCB_NO_SSL))
+    INCLUDE_DIRECTORIES(${OPENSSL_INCLUDE_DIR})
+    ADD_DEFINITIONS(${OPENSSL_DEFINITIONS})
+    # Check if the system have a usable version of PKCS5_PBKDF2_HMAC
+    CMAKE_PUSH_CHECK_STATE(RESET)
+    SET(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ${OPENSSL_LIBRARIES})
+    SET(CMAKE_REQUIRED_INCLUDES ${CMAKE_REQUIRED_INCLUDES} ${OPENSSL_INCLUDE_DIR})
+    CHECK_C_SOURCE_COMPILES("
+             #include <openssl/evp.h>
+             int main() {
+                 PKCS5_PBKDF2_HMAC(NULL, 0, NULL, 0, 0, NULL, 0, NULL);
+             }" HAVE_PKCS5_PBKDF2_HMAC)
+ENDIF()

data/ext/libcouchbase/contrib/cbsasl/include/cbsasl/cbsasl.h CHANGED Viewed

@@ -22,6 +22,19 @@
 extern "C" {
 #endif
+#define MECH_PLAIN         "PLAIN"
+#define MECH_CRAM_MD5      "CRAM-MD5"
+#define MECH_SCRAM_SHA1    "SCRAM-SHA1"
+#define MECH_SCRAM_SHA256  "SCRAM-SHA256"
+#define MECH_SCRAM_SHA512  "SCRAM-SHA512"
+// size in bytes - to double if the nonce is displayed in hexadecimal
+#define SCRAM_NONCE_SIZE   8
+#define CBSASL_SHA1_DIGEST_SIZE 20
+#define CBSASL_SHA256_DIGEST_SIZE 32
+#define CBSASL_SHA512_DIGEST_SIZE 64
     typedef enum cbsasl_error {
         SASL_OK,
         SASL_CONTINUE,
@@ -33,6 +46,15 @@ extern "C" {
     }
     cbsasl_error_t;
+    typedef enum cbsasl_auth_mechanism {
+        SASL_AUTH_MECH_PLAIN,
+        SASL_AUTH_MECH_CRAM_MD5, // deprecated
+        SASL_AUTH_MECH_SCRAM_SHA1,
+        SASL_AUTH_MECH_SCRAM_SHA256,
+        SASL_AUTH_MECH_SCRAM_SHA512
+    }
+    cbsasl_auth_mechanism_t;
     typedef struct {
         unsigned long len;
         unsigned char data[1];
@@ -60,13 +82,18 @@ extern "C" {
     struct cbsasl_client_conn_t {
         char *userdata;
-        int plain;
+        cbsasl_auth_mechanism_t auth_mech; // authentication mechanism
         int (*get_username)(void *context, int id, const char **result,
                             unsigned int *len);
         void *get_username_ctx;
         int (*get_password)(cbsasl_conn_t *conn, void *context, int id,
                             cbsasl_secret_t **psecret);
         void *get_password_ctx;
+        char *nonce; // client nonce for SCRAM-SHA authentication
+        char *client_first_message_bare; // for SCRAM-SHA authentication
+        unsigned char *saltedpassword; // for SCRAM-SHA authentication
+        unsigned int saltedpasslen; // length of the salted password field
+        char *auth_message; // for SCRAM-SHA authentication
     };
     struct cbsasl_server_conn_t {
@@ -143,6 +170,20 @@ extern "C" {
                                       const char **output,
                                       unsigned *outputlen);
+    /**
+     * Final authentication step, if need to be (depending on the mechanism).
+     *
+     * This is mainly use for SCRAM-SHA authentication family, to verify the
+     * server signature. Even if the server accepted the authentication, if
+     * we can't verify its signature, we must reject the connection.
+     *
+     * @return Whether or not the sasl check was successful
+     */
+    CBSASL_PUBLIC_API
+    cbsasl_error_t cbsasl_client_check(cbsasl_conn_t *conn,
+                                       const char *input,
+                                       unsigned int inputlen);
     /**
      * Frees up funushed sasl connections
      *
@@ -199,7 +240,8 @@ extern "C" {
                                        void **prompt_need,
                                        const char **clientout,
                                        unsigned int *clientoutlen,
-                                       const char **mech);
+                                       const char **mech,
+                                       int allow_scram_sha);
     CBSASL_PUBLIC_API
     cbsasl_error_t cbsasl_client_step(cbsasl_conn_t *conn,

data/ext/libcouchbase/contrib/cbsasl/src/client.c CHANGED Viewed

@@ -14,24 +14,23 @@
  *   limitations under the License.
  */
+#include "config.h"
 #include "cbsasl/cbsasl.h"
 #include "cram-md5/hmac.h"
+#include "scram-sha/scram_utils.h"
 #include "util.h"
 #include <time.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdio.h>
 CBSASL_PUBLIC_API
-cbsasl_error_t cbsasl_client_new(const char *service,
-                                 const char *serverFQDN,
-                                 const char *iplocalport,
-                                 const char *ipremoteport,
-                                 const cbsasl_callback_t *prompt_supp,
-                                 unsigned flags,
+cbsasl_error_t cbsasl_client_new(const char *service, const char *serverFQDN, const char *iplocalport,
+                                 const char *ipremoteport, const cbsasl_callback_t *prompt_supp, unsigned flags,
                                  cbsasl_conn_t **pconn)
 {
     cbsasl_conn_t *conn;
-    cbsasl_callback_t *callbacks = (cbsasl_callback_t*)prompt_supp;
+    cbsasl_callback_t *callbacks = (cbsasl_callback_t *)prompt_supp;
     int ii;
     if (prompt_supp == NULL) {
@@ -85,63 +84,138 @@ cbsasl_error_t cbsasl_client_new(const char *service,
 }
 CBSASL_PUBLIC_API
-cbsasl_error_t cbsasl_client_start(cbsasl_conn_t *conn,
-                                   const char *mechlist,
-                                   void **prompt_need,
-                                   const char **clientout,
-                                   unsigned int *clientoutlen,
-                                   const char **mech)
+cbsasl_error_t cbsasl_client_start(cbsasl_conn_t *conn, const char *mechlist, void **prompt_need,
+                                   const char **clientout, unsigned int *clientoutlen, const char **mech,
+                                   int allow_scram_sha)
 {
     if (conn->client == 0) {
         return SASL_BADPARAM;
     }
-    if (strstr(mechlist, "CRAM-MD5") == NULL) {
-        if (strstr(mechlist, "PLAIN") == NULL) {
+    *mech = NULL;
+    if (allow_scram_sha) {
+#if !defined(LCB_NO_SSL) && defined(HAVE_PKCS5_PBKDF2_HMAC)
+        // we use SCRAM-SHA only if OpenSSL is linked and has support for PBKDF2_HMAC functions
+        if (strstr(mechlist, MECH_SCRAM_SHA512) != NULL) {
+            *mech = MECH_SCRAM_SHA512;
+            conn->c.client.auth_mech = SASL_AUTH_MECH_SCRAM_SHA512;
+        } else if (strstr(mechlist, MECH_SCRAM_SHA256) != NULL) {
+            *mech = MECH_SCRAM_SHA256;
+            conn->c.client.auth_mech = SASL_AUTH_MECH_SCRAM_SHA256;
+        } else if (strstr(mechlist, MECH_SCRAM_SHA1) != NULL) {
+            *mech = MECH_SCRAM_SHA1;
+            conn->c.client.auth_mech = SASL_AUTH_MECH_SCRAM_SHA1;
+        }
+#endif
+    }
+    if (*mech == NULL) {
+        if (strstr(mechlist, MECH_CRAM_MD5) != NULL) {
+            *mech = MECH_CRAM_MD5;
+            conn->c.client.auth_mech = SASL_AUTH_MECH_CRAM_MD5;
+        } else if (strstr(mechlist, MECH_PLAIN) != NULL) {
+            *mech = MECH_PLAIN;
+            conn->c.client.auth_mech = SASL_AUTH_MECH_PLAIN;
+        } else {
             return SASL_NOMECH;
         }
-        *mech = "PLAIN";
-        conn->c.client.plain = 1;
-    } else {
-        *mech = "CRAM-MD5";
-        conn->c.client.plain = 0;
     }
+    switch (conn->c.client.auth_mech) {
+        case SASL_AUTH_MECH_PLAIN: {
+            const char *usernm = NULL;
+            unsigned int usernmlen;
+            cbsasl_secret_t *pass;
+            cbsasl_error_t ret;
-    if (conn->c.client.plain) {
-        const char *usernm = NULL;
-        unsigned int usernmlen;
-        cbsasl_secret_t *pass;
+            ret = conn->c.client.get_username(conn->c.client.get_username_ctx, CBSASL_CB_USER, &usernm, &usernmlen);
+            if (ret != SASL_OK) {
+                return ret;
+            }
-        cbsasl_error_t ret;
-        ret = conn->c.client.get_username(conn->c.client.get_username_ctx,
-                                          CBSASL_CB_USER,
-                                          &usernm, &usernmlen);
-        if (ret != SASL_OK) {
-            return ret;
-        }
+            ret = conn->c.client.get_password(conn, conn->c.client.get_password_ctx, CBSASL_CB_PASS, &pass);
+            if (ret != SASL_OK) {
+                return ret;
+            }
-        ret = conn->c.client.get_password(conn, conn->c.client.get_password_ctx,
-                                          CBSASL_CB_PASS,
-                                          &pass);
-        if (ret != SASL_OK) {
-            return ret;
-        }
+            conn->c.client.userdata = calloc(usernmlen + 1 + pass->len + 1, 1);
+            if (conn->c.client.userdata == NULL) {
+                return SASL_NOMEM;
+            }
-        conn->c.client.userdata = calloc(usernmlen + 1 + pass->len + 1, 1);
-        if (conn->c.client.userdata == NULL) {
-            return SASL_NOMEM;
+            memcpy(conn->c.client.userdata + 1, usernm, usernmlen);
+            memcpy(conn->c.client.userdata + usernmlen + 2, pass->data, pass->len);
+            *clientout = conn->c.client.userdata;
+            *clientoutlen = (unsigned int)(usernmlen + 2 + pass->len);
+            break;
         }
+        case SASL_AUTH_MECH_SCRAM_SHA1:
+        case SASL_AUTH_MECH_SCRAM_SHA256:
+        case SASL_AUTH_MECH_SCRAM_SHA512: {
+            const char *usernm = NULL;
+            unsigned int usernmlen;
+            int usernmspeccharsnb;
+            char binnonce[SCRAM_NONCE_SIZE]; // binary nonce
+            cbsasl_error_t ret;
+            ret = conn->c.client.get_username(conn->c.client.get_username_ctx, CBSASL_CB_USER, &usernm, &usernmlen);
+            if (ret != SASL_OK) {
+                return ret;
+            }
+            usernmspeccharsnb = compute_special_chars(usernm, usernmlen);
+            if (usernmspeccharsnb < 0) {
+                // invalid characters in the username
+                return SASL_BADPARAM;
+            }
+            generate_nonce(binnonce, SCRAM_NONCE_SIZE);
+            conn->c.client.nonce = calloc(SCRAM_NONCE_SIZE * 2 + 1, 1);
+            if (conn->c.client.nonce == NULL) {
+                return SASL_NOMEM;
+            }
+            // stores binary nonce in hexadecimal format into conn->c.client.nonce array
+            cbsasl_hex_encode(conn->c.client.nonce, binnonce, SCRAM_NONCE_SIZE);
+            conn->c.client.nonce[SCRAM_NONCE_SIZE * 2] = '\0';
-        memcpy(conn->c.client.userdata + 1, usernm, usernmlen);
-        memcpy(conn->c.client.userdata + usernmlen + 2, pass->data, pass->len);
-        *clientout = conn->c.client.userdata;
-        *clientoutlen = (unsigned int)(usernmlen + 2 + pass->len);
-    } else {
-        /* CRAM-MD5 */
-        *clientout = NULL;
-        *clientoutlen = 0;
+#define GS2_HEADER "n,,n=" // "no binding" + start of name attribute
+#define NONCE_ATTR ",r="   // start of nonce attribute
+            conn->c.client.userdata = calloc(
+                strlen(GS2_HEADER) + usernmlen + usernmspeccharsnb * 2 + strlen(NONCE_ATTR) + SCRAM_NONCE_SIZE * 2, 1);
+            if (conn->c.client.userdata == NULL) {
+                return SASL_NOMEM;
+            }
+            memcpy(conn->c.client.userdata, GS2_HEADER, strlen(GS2_HEADER));
+            if (!usernmspeccharsnb) {
+                // no special char, we can do a direct copy
+                memcpy(conn->c.client.userdata + strlen(GS2_HEADER), usernm, usernmlen);
+            } else {
+                // copy with substitution of special characters
+                usernmcpy(conn->c.client.userdata + strlen(GS2_HEADER), usernm, usernmlen);
+            }
+            memcpy(conn->c.client.userdata + strlen(GS2_HEADER) + usernmlen + usernmspeccharsnb * 2, NONCE_ATTR,
+                   strlen(NONCE_ATTR));
+            memcpy(conn->c.client.userdata + strlen(GS2_HEADER) + usernmlen + usernmspeccharsnb * 2 +
+                       strlen(NONCE_ATTR),
+                   conn->c.client.nonce, SCRAM_NONCE_SIZE * 2);
+            *clientout = conn->c.client.userdata;
+            *clientoutlen = (unsigned int)(strlen(GS2_HEADER) + usernmlen + usernmspeccharsnb * 2 + strlen(NONCE_ATTR) +
+                                           SCRAM_NONCE_SIZE * 2);
+            // save the client first message for later step (without the first three characters)
+            conn->c.client.client_first_message_bare = calloc(*clientoutlen - 3 + 1, 1); // +1 for the binary zero
+            if (conn->c.client.client_first_message_bare == NULL) {
+                return SASL_NOMEM;
+            }
+            memcpy(conn->c.client.client_first_message_bare, *clientout + 3, *clientoutlen - 3);
+            // no need to add a final binary zero, as calloc already sets the memory to zero
+            break;
+        }
+        case SASL_AUTH_MECH_CRAM_MD5:
+            // no data in the first CRAM-MD5 message
+            *clientout = NULL;
+            *clientoutlen = 0;
+            break;
     }
     (void)prompt_need;
@@ -149,15 +223,9 @@ cbsasl_error_t cbsasl_client_start(cbsasl_conn_t *conn,
 }
 CBSASL_PUBLIC_API
-cbsasl_error_t cbsasl_client_step(cbsasl_conn_t *conn,
-                                  const char *serverin,
-                                  unsigned int serverinlen,
-                                  void **not_used,
-                                  const char **clientout,
-                                  unsigned int *clientoutlen)
+cbsasl_error_t cbsasl_client_step(cbsasl_conn_t *conn, const char *serverin, unsigned int serverinlen, void **not_used,
+                                  const char **clientout, unsigned int *clientoutlen)
 {
-    unsigned char digest[DIGEST_LENGTH];
-    char md5string[DIGEST_LENGTH * 2];
     const char *usernm = NULL;
     unsigned int usernmlen;
     cbsasl_secret_t *pass;
@@ -169,39 +237,183 @@ cbsasl_error_t cbsasl_client_step(cbsasl_conn_t *conn,
         return SASL_BADPARAM;
     }
-    if (conn->c.client.plain) {
+    if (conn->c.client.auth_mech == SASL_AUTH_MECH_PLAIN) {
         /* Shouldn't be called during plain auth */
         return SASL_BADPARAM;
     }
-    ret = conn->c.client.get_username(conn->c.client.get_username_ctx,
-                                      CBSASL_CB_USER, &usernm, &usernmlen);
+    ret = conn->c.client.get_username(conn->c.client.get_username_ctx, CBSASL_CB_USER, &usernm, &usernmlen);
     if (ret != SASL_OK) {
         return ret;
     }
-    ret = conn->c.client.get_password(conn, conn->c.client.get_password_ctx,
-                                      CBSASL_CB_PASS, &pass);
+    ret = conn->c.client.get_password(conn, conn->c.client.get_password_ctx, CBSASL_CB_PASS, &pass);
     if (ret != SASL_OK) {
         return ret;
     }
     free(conn->c.client.userdata);
-    conn->c.client.userdata = calloc(usernmlen + 1 + sizeof(md5string) + 1, 1);
-    if (conn->c.client.userdata == NULL) {
-        return SASL_NOMEM;
-    }
+    conn->c.client.userdata = NULL;
+    switch (conn->c.client.auth_mech) {
+        case SASL_AUTH_MECH_CRAM_MD5: {
+            unsigned char digest[DIGEST_LENGTH];
+            char md5string[DIGEST_LENGTH * 2];
+            conn->c.client.userdata = calloc(usernmlen + 1 + sizeof(md5string) + 1, 1);
+            if (conn->c.client.userdata == NULL) {
+                return SASL_NOMEM;
+            }
-    cbsasl_hmac_md5((unsigned char*)serverin, serverinlen, pass->data,
-             pass->len, digest);
-    cbsasl_hex_encode(md5string, (char *) digest, DIGEST_LENGTH);
-    memcpy(conn->c.client.userdata, usernm, usernmlen);
-    conn->c.client.userdata[usernmlen] = ' ';
-    memcpy(conn->c.client.userdata + usernmlen + 1, md5string,
-           sizeof(md5string));
+            cbsasl_hmac_md5((unsigned char *)serverin, serverinlen, pass->data, pass->len, digest);
+            cbsasl_hex_encode(md5string, (char *)digest, DIGEST_LENGTH);
+            memcpy(conn->c.client.userdata, usernm, usernmlen);
+            conn->c.client.userdata[usernmlen] = ' ';
+            memcpy(conn->c.client.userdata + usernmlen + 1, md5string, sizeof(md5string));
+            break;
+        }
+        case SASL_AUTH_MECH_SCRAM_SHA1:
+        case SASL_AUTH_MECH_SCRAM_SHA256:
+        case SASL_AUTH_MECH_SCRAM_SHA512: {
+            if (!conn->c.client.auth_message) {
+                const char *combinednonce = NULL; // nonce extracted from server's first reply
+                unsigned int noncelen = 0;
+                const char *salt = NULL; // salt extracted from server's first reply
+                unsigned int saltlen = 0;
+                unsigned int itcount = 0;
+                unsigned char saltedpassword[CBSASL_SHA512_DIGEST_SIZE]; // max digest size
+                unsigned int saltedpasslen = 0;
+                unsigned int prooflen = 0; // proof size in base64
+                ret =
+                    parse_server_challenge(serverin, serverinlen, &combinednonce, &noncelen, &salt, &saltlen, &itcount);
+                if (ret != SASL_OK) {
+                    return ret;
+                }
+                if (!combinednonce || !noncelen || !salt || !saltlen || !itcount) {
+                    // missing or invalid value in server challenge
+                    return SASL_BADPARAM;
+                }
+                if (noncelen < SCRAM_NONCE_SIZE * 2 ||
+                    memcmp(combinednonce, conn->c.client.nonce, SCRAM_NONCE_SIZE * 2)) {
+                    // the combined nonce doesn't start with the client nonce we sent previously
+                    return SASL_BADPARAM;
+                }
+                // ok, now we can compute the client proof
+                ret = generate_salted_password(conn->c.client.auth_mech, pass, salt, saltlen, itcount, saltedpassword,
+                                               &saltedpasslen);
+                if (ret != SASL_OK) {
+                    return ret;
+                }
+                // save salted password for later use
+                conn->c.client.saltedpassword = calloc(saltedpasslen, 1);
+                if (conn->c.client.saltedpassword == NULL) {
+                    return SASL_NOMEM;
+                }
+                memcpy(conn->c.client.saltedpassword, saltedpassword, saltedpasslen);
+                conn->c.client.saltedpasslen = saltedpasslen;
+// before building the client proof, we start building the client final message,
+// as it is used for the computation of the proof
+// The final message starts with the base64-encoded GS2 header from the initial message.
+// As we always use "n,,", we can hardcode directly its base64-counterpart, so "biws".
+#define FINAL_HEADER "c=biws,r="
+#define PROOF_ATTR ",p="
+                switch (conn->c.client.auth_mech) {
+                    case SASL_AUTH_MECH_SCRAM_SHA1:
+                        prooflen = (CBSASL_SHA1_DIGEST_SIZE / 3 + 1) * 4;
+                        break;
+                    case SASL_AUTH_MECH_SCRAM_SHA256:
+                        prooflen = (CBSASL_SHA256_DIGEST_SIZE / 3 + 1) * 4;
+                        break;
+                    case SASL_AUTH_MECH_SCRAM_SHA512:
+                        prooflen = (CBSASL_SHA512_DIGEST_SIZE / 3 + 1) * 4;
+                        break;
+                    default:
+                        break;
+                }
+                conn->c.client.userdata =
+                    calloc(strlen(FINAL_HEADER) + noncelen + strlen(PROOF_ATTR) + prooflen + 1, 1);
+                if (conn->c.client.userdata == NULL) {
+                    return SASL_NOMEM;
+                }
+                memcpy(conn->c.client.userdata, FINAL_HEADER, strlen(FINAL_HEADER));
+                memcpy(conn->c.client.userdata + strlen(FINAL_HEADER), combinednonce, noncelen);
+                memcpy(conn->c.client.userdata + strlen(FINAL_HEADER) + noncelen, PROOF_ATTR, strlen(PROOF_ATTR));
+                ret = compute_client_proof(
+                    conn->c.client.auth_mech, saltedpassword, saltedpasslen, conn->c.client.client_first_message_bare,
+                    strlen(conn->c.client.client_first_message_bare), serverin, serverinlen, conn->c.client.userdata,
+                    strlen(FINAL_HEADER) + noncelen, &(conn->c.client.auth_message),
+                    conn->c.client.userdata + strlen(FINAL_HEADER) + noncelen + strlen(PROOF_ATTR), prooflen + 1);
+                if (ret != SASL_OK) {
+                    return ret;
+                }
+            } else {
+                // auth_message should not be already set
+                return SASL_FAIL;
+            }
+            break;
+        }
+        default:
+            break;
+    }
     *clientout = conn->c.client.userdata;
     *clientoutlen = strlen(conn->c.client.userdata);
     return SASL_CONTINUE;
 }
+cbsasl_error_t cbsasl_client_check(cbsasl_conn_t *conn, const char *serverin, unsigned int serverinlen)
+{
+    switch (conn->c.client.auth_mech) {
+        case SASL_AUTH_MECH_SCRAM_SHA1:
+        case SASL_AUTH_MECH_SCRAM_SHA256:
+        case SASL_AUTH_MECH_SCRAM_SHA512: {
+            if (conn->c.client.auth_message) {
+                char serversign[(CBSASL_SHA512_DIGEST_SIZE / 3 + 1) * 4 + 1]; // max sign len
+                unsigned int serversignlen = 0;
+                cbsasl_error_t ret;
+                // Last step: we have to verify the server's proof.
+                // In case of positive answer from the server, its final reply must start with "v=".
+                if (serverinlen <= 2 || memcmp(serverin, "v=", 2)) {
+                    return SASL_FAIL;
+                }
+                switch (conn->c.client.auth_mech) {
+                    case SASL_AUTH_MECH_SCRAM_SHA1:
+                        serversignlen = (CBSASL_SHA1_DIGEST_SIZE / 3 + 1) * 4;
+                        break;
+                    case SASL_AUTH_MECH_SCRAM_SHA256:
+                        serversignlen = (CBSASL_SHA256_DIGEST_SIZE / 3 + 1) * 4;
+                        break;
+                    case SASL_AUTH_MECH_SCRAM_SHA512:
+                        serversignlen = (CBSASL_SHA512_DIGEST_SIZE / 3 + 1) * 4;
+                        break;
+                    default:
+                        break;
+                }
+                ret = compute_server_signature(conn->c.client.auth_mech, conn->c.client.saltedpassword,
+                                               conn->c.client.saltedpasslen, conn->c.client.auth_message, serversign,
+                                               sizeof(serversign));
+                if (ret != SASL_OK) {
+                    return ret;
+                }
+                // ok, we can now compare the two values
+                if ((serverinlen - 2 < serversignlen) || (memcmp(serverin + 2, serversign, serversignlen))) {
+                    return SASL_FAIL;
+                }
+            } else {
+                // we have an issue: auth_message should not have been cleared
+                return SASL_FAIL;
+            }
+            break;
+        }
+        case SASL_AUTH_MECH_CRAM_MD5:
+        case SASL_AUTH_MECH_PLAIN:
+        default:
+            // nothing to do
+            break;
+    }
+    return SASL_OK;
+}