Software /
code /
prosody
Annotate
util/sasl.lua @ 1217:844ef764ef0e
mod_saslauth: Don't offer bind/session when they aren't authenticated yet :) [thanks albert, again...]
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Fri, 29 May 2009 18:03:48 +0100 |
parent | 1161:5bc2b7b5b81d |
child | 1305:37657578ea85 |
rev | line source |
---|---|
896 | 1 -- sasl.lua v0.4 |
760
90ce865eebd8
Update copyright notices for 2009
Matthew Wild <mwild1@gmail.com>
parents:
702
diff
changeset
|
2 -- Copyright (C) 2008-2009 Tobias Markmann |
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
3 -- |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
4 -- All rights reserved. |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
5 -- |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
6 -- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
7 -- |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
8 -- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
9 -- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
10 -- * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
11 -- |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
12 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
13 |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
14 |
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
15 local md5 = require "util.hashes".md5; |
38 | 16 local log = require "util.logger".init("sasl"); |
17 local tostring = tostring; | |
18 local st = require "util.stanza"; | |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
19 local generate_uuid = require "util.uuid".generate; |
504
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
20 local t_insert, t_concat = table.insert, table.concat; |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
21 local to_byte, to_char = string.byte, string.char; |
38 | 22 local s_match = string.match; |
277
00c2fc751f50
Fixing some parsing and some other stuff.
Tobias Markmann <tm@ayena.de>
parents:
276
diff
changeset
|
23 local gmatch = string.gmatch |
280
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
24 local string = string |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
25 local math = require "math" |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
26 local type = type |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
27 local error = error |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
28 local print = print |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
29 |
38 | 30 module "sasl" |
31 | |
285
372d0891e8fd
Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents:
280
diff
changeset
|
32 local function new_plain(realm, password_handler) |
372d0891e8fd
Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents:
280
diff
changeset
|
33 local object = { mechanism = "PLAIN", realm = realm, password_handler = password_handler} |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
34 function object.feed(self, message) |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
35 |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
36 if message == "" or message == nil then return "failure", "malformed-request" end |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
37 local response = message |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
38 local authorization = s_match(response, "([^&%z]+)") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
39 local authentication = s_match(response, "%z([^&%z]+)%z") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
40 local password = s_match(response, "%z[^&%z]+%z([^&%z]+)") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
41 |
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
42 if authentication == nil or password == nil then return "failure", "malformed-request" end |
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
43 |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
44 local password_encoding, correct_password = self.password_handler(authentication, self.realm, "PLAIN") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
45 |
405 | 46 if correct_password == nil then return "failure", "not-authorized" |
404
4801dbeccc2a
Some changes to report more correct SASL failures. Support for disabled accounts.
Tobias Markmann <tm@ayena.de>
parents:
402
diff
changeset
|
47 elseif correct_password == false then return "failure", "account-disabled" end |
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
48 |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
49 local claimed_password = "" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
50 if password_encoding == nil then claimed_password = password |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
51 else claimed_password = password_encoding(password) end |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
52 |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
53 self.username = authentication |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
54 if claimed_password == correct_password then |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
55 return "success" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
56 else |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
57 return "failure", "not-authorized" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
58 end |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
59 end |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
60 return object |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
61 end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
62 |
1158 | 63 |
64 -- implementing RFC 2831 | |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
65 local function new_digest_md5(realm, password_handler) |
1158 | 66 --TODO complete support for authzid |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
67 |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
68 local function serialize(message) |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
69 local data = "" |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
70 |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
71 if type(message) ~= "table" then error("serialize needs an argument of type table.") end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
72 |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
73 -- testing all possible values |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
74 if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
75 if message["qop"] then data = data..[[qop="]]..message.qop..[[",]] end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
76 if message["charset"] then data = data..[[charset=]]..message.charset.."," end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
77 if message["algorithm"] then data = data..[[algorithm=]]..message.algorithm.."," end |
280
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
78 if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end |
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
79 if message["rspauth"] then data = data..[[rspauth=]]..message.rspauth.."," end |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
80 data = data:gsub(",$", "") |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
81 return data |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
82 end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
83 |
595
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
84 local function utf8tolatin1ifpossible(passwd) |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
85 local i = 1; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
86 while i <= #passwd do |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
87 local passwd_i = to_byte(passwd:sub(i, i)); |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
88 if passwd_i > 0x7F then |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
89 if passwd_i < 0xC0 or passwd_i > 0xC3 then |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
90 return passwd; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
91 end |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
92 i = i + 1; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
93 passwd_i = to_byte(passwd:sub(i, i)); |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
94 if passwd_i < 0x80 or passwd_i > 0xBF then |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
95 return passwd; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
96 end |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
97 end |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
98 i = i + 1; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
99 end |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
100 |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
101 local p = {}; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
102 local j = 0; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
103 i = 1; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
104 while (i <= #passwd) do |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
105 local passwd_i = to_byte(passwd:sub(i, i)); |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
106 if passwd_i > 0x7F then |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
107 i = i + 1; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
108 local passwd_i_1 = to_byte(passwd:sub(i, i)); |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
109 t_insert(p, to_char(passwd_i%4*64 + passwd_i_1%64)); -- I'm so clever |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
110 else |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
111 t_insert(p, to_char(passwd_i)); |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
112 end |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
113 i = i + 1; |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
114 end |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
115 return t_concat(p); |
08ed4fa2f89d
Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents:
529
diff
changeset
|
116 end |
504
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
117 local function latin1toutf8(str) |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
118 local p = {}; |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
119 for ch in gmatch(str, ".") do |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
120 ch = to_byte(ch); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
121 if (ch < 0x80) then |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
122 t_insert(p, to_char(ch)); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
123 elseif (ch < 0xC0) then |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
124 t_insert(p, to_char(0xC2, ch)); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
125 else |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
126 t_insert(p, to_char(0xC3, ch - 64)); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
127 end |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
128 end |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
129 return t_concat(p); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
130 end |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
131 local function parse(data) |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
132 message = {} |
458 | 133 for k, v in gmatch(data, [[([%w%-]+)="?([^",]*)"?,?]]) do -- FIXME The hacky regex makes me shudder |
1160 | 134 message[k] = v; |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
135 end |
1160 | 136 return message; |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
137 end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
138 |
1160 | 139 local object = { mechanism = "DIGEST-MD5", realm = realm, password_handler = password_handler}; |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
140 |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
141 --TODO: something better than math.random would be nice, maybe OpenSSL's random number generator |
1160 | 142 object.nonce = generate_uuid(); |
143 object.step = 0; | |
144 object.nonce_count = {}; | |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
145 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
146 function object.feed(self, message) |
1160 | 147 self.step = self.step + 1; |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
148 if (self.step == 1) then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
149 local challenge = serialize({ nonce = object.nonce, |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
150 qop = "auth", |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
151 charset = "utf-8", |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
152 algorithm = "md5-sess", |
505
1b938e00412c
Remove that idn stuff for realm because it's either an ugly hack that the password_handler isn't ready for or something worse.
Tobias Markmann <tm@ayena.de>
parents:
496
diff
changeset
|
153 realm = self.realm}); |
1160 | 154 return "challenge", challenge; |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
155 elseif (self.step == 2) then |
1160 | 156 local response = parse(message); |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
157 -- check for replay attack |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
158 if response["nc"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
159 if self.nonce_count[response["nc"]] then return "failure", "not-authorized" end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
160 end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
161 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
162 -- check for username, it's REQUIRED by RFC 2831 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
163 if not response["username"] then |
1160 | 164 return "failure", "malformed-request"; |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
165 end |
1160 | 166 self["username"] = response["username"]; |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
167 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
168 -- check for nonce, ... |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
169 if not response["nonce"] then |
1160 | 170 return "failure", "malformed-request"; |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
171 else |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
172 -- check if it's the right nonce |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
173 if response["nonce"] ~= tostring(self.nonce) then return "failure", "malformed-request" end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
174 end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
175 |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
176 if not response["cnonce"] then return "failure", "malformed-request", "Missing entry for cnonce in SASL message." end |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
177 if not response["qop"] then response["qop"] = "auth" end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
178 |
702
d344860fdada
sasl: Set realm to be the current realm when the client didn't send a realm, or sent an empty one
Waqas Hussain <waqas20@gmail.com>
parents:
685
diff
changeset
|
179 if response["realm"] == nil or response["realm"] == "" then |
d344860fdada
sasl: Set realm to be the current realm when the client didn't send a realm, or sent an empty one
Waqas Hussain <waqas20@gmail.com>
parents:
685
diff
changeset
|
180 response["realm"] = self.realm; |
d344860fdada
sasl: Set realm to be the current realm when the client didn't send a realm, or sent an empty one
Waqas Hussain <waqas20@gmail.com>
parents:
685
diff
changeset
|
181 elseif response["realm"] ~= self.realm then |
602
a977227aa9e6
Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
Waqas Hussain <waqas20@gmail.com>
parents:
599
diff
changeset
|
182 return "failure", "not-authorized", "Incorrect realm value"; |
a977227aa9e6
Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
Waqas Hussain <waqas20@gmail.com>
parents:
599
diff
changeset
|
183 end |
685
55d1bc45acf1
sasl: Don't fail for realm=""
Waqas Hussain <waqas20@gmail.com>
parents:
615
diff
changeset
|
184 |
599
30655c5cc531
Latin1 support for SASL DIGEST-MD5 (second, and possibly final commit)
Waqas Hussain <waqas20@gmail.com>
parents:
595
diff
changeset
|
185 local decoder; |
508
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
186 if response["charset"] == nil then |
599
30655c5cc531
Latin1 support for SASL DIGEST-MD5 (second, and possibly final commit)
Waqas Hussain <waqas20@gmail.com>
parents:
595
diff
changeset
|
187 decoder = utf8tolatin1ifpossible; |
508
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
188 elseif response["charset"] ~= "utf-8" then |
1160 | 189 return "failure", "incorrect-encoding", "The client's response uses "..response["charset"].." for encoding with isn't supported by sasl.lua. Supported encodings are latin or utf-8."; |
508
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
190 end |
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
191 |
1160 | 192 local domain = ""; |
193 local protocol = ""; | |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
194 if response["digest-uri"] then |
1160 | 195 protocol, domain = response["digest-uri"]:match("(%w+)/(.*)$"); |
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
196 if protocol == nil or domain == nil then return "failure", "malformed-request" end |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
197 else |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
198 return "failure", "malformed-request", "Missing entry for digest-uri in SASL message." |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
199 end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
200 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
201 --TODO maybe realm support |
1160 | 202 self.username = response["username"]; |
599
30655c5cc531
Latin1 support for SASL DIGEST-MD5 (second, and possibly final commit)
Waqas Hussain <waqas20@gmail.com>
parents:
595
diff
changeset
|
203 local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5", decoder) |
405 | 204 if Y == nil then return "failure", "not-authorized" |
404
4801dbeccc2a
Some changes to report more correct SASL failures. Support for disabled accounts.
Tobias Markmann <tm@ayena.de>
parents:
402
diff
changeset
|
205 elseif Y == false then return "failure", "account-disabled" end |
1159
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
206 local A1 = ""; |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
207 if response.authzid then |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
208 if response.authzid == self.username.."@"..self.realm then |
1161 | 209 log("warn", "Client is violating XMPP RFC. See section 6.1 of RFC 3920."); |
1159
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
210 A1 = Y..":"..response["nonce"]..":"..response["cnonce"]..":"..response.authzid; |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
211 else |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
212 A1 = "?"; |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
213 end |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
214 else |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
215 A1 = Y..":"..response["nonce"]..":"..response["cnonce"]; |
f81c8cec0e71
Adding minimal support for authorization identities to workaround buggy SASL implementations.
Tobias Markmann <tm@ayena.de>
parents:
1158
diff
changeset
|
216 end |
603
423fd24fff54
Removed the unnecessary idna.to_ascii applied to the DIGEST-MD5 disgest-uri response values, which was causing auth failures with some clients.
Waqas Hussain <waqas20@gmail.com>
parents:
602
diff
changeset
|
217 local A2 = "AUTHENTICATE:"..protocol.."/"..domain; |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
218 |
1160 | 219 local HA1 = md5(A1, true); |
220 local HA2 = md5(A2, true); | |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
221 |
1160 | 222 local KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2; |
223 local response_value = md5(KD, true); | |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
224 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
225 if response_value == response["response"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
226 -- calculate rspauth |
603
423fd24fff54
Removed the unnecessary idna.to_ascii applied to the DIGEST-MD5 disgest-uri response values, which was causing auth failures with some clients.
Waqas Hussain <waqas20@gmail.com>
parents:
602
diff
changeset
|
227 A2 = ":"..protocol.."/"..domain; |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
228 |
1160 | 229 HA1 = md5(A1, true); |
230 HA2 = md5(A2, true); | |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
231 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
232 KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2 |
1160 | 233 local rspauth = md5(KD, true); |
234 self.authenticated = true; | |
235 return "challenge", serialize({rspauth = rspauth}); | |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
236 else |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
237 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated." |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
238 end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
239 elseif self.step == 3 then |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
240 if self.authenticated ~= nil then return "success" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
241 else return "failure", "malformed-request" end |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
242 end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
243 end |
1160 | 244 return object; |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
245 end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
246 |
799
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
247 local function new_anonymous(realm, password_handler) |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
248 local object = { mechanism = "ANONYMOUS", realm = realm, password_handler = password_handler} |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
249 function object.feed(self, message) |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
250 return "success" |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
251 end |
801
d29febc977fc
Adding TODO notice on UUIDs for usage with SASL ANONYMOUS.
Tobias Markmann <tm@ayena.de>
parents:
799
diff
changeset
|
252 --TODO: From XEP-0175 "It is RECOMMENDED for the node identifier to be a UUID as specified in RFC 4122 [5]." So util.uuid() should (or have an option to) behave as specified in RFC 4122. |
799
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
253 object["username"] = generate_uuid() |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
254 return object |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
255 end |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
256 |
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
257 |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
258 function new(mechanism, realm, password_handler) |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
259 local object |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
260 if mechanism == "PLAIN" then object = new_plain(realm, password_handler) |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
261 elseif mechanism == "DIGEST-MD5" then object = new_digest_md5(realm, password_handler) |
799
b7ea802f3527
Adding inital support for ANONYMOUS mechanism in SASL.
Tobias Markmann <tm@ayena.de>
parents:
760
diff
changeset
|
262 elseif mechanism == "ANONYMOUS" then object = new_anonymous(realm, password_handler) |
38 | 263 else |
264 log("debug", "Unsupported SASL mechanism: "..tostring(mechanism)); | |
285
372d0891e8fd
Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents:
280
diff
changeset
|
265 return nil |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
266 end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
267 return object |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
268 end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
269 |
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
270 return _M; |