Software /
code /
prosody
Annotate
util/sasl/digest-md5.lua @ 9749:9361bd1b9c9b
util.error: Add a function for creating an error object from an error stanza
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 30 Dec 2018 20:30:59 +0100 |
parent | 8555:4f0f5b49bb03 |
rev | line source |
---|---|
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
1 -- sasl.lua v0.4 |
3094
5f625411b463
util.sasl: 2009 -> 2010 in copyright header.
Tobias Markmann <tm@ayena.de>
parents:
3092
diff
changeset
|
2 -- Copyright (C) 2008-2010 Tobias Markmann |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
3 -- |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
4 -- All rights reserved. |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
5 -- |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
6 -- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
7 -- |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
8 -- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
9 -- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
10 -- * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
11 -- |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
12 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
13 |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
14 local tostring = tostring; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
15 local type = type; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
16 |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
17 local s_gmatch = string.gmatch; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
18 local s_match = string.match; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
19 local t_concat = table.concat; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
20 local t_insert = table.insert; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
21 local to_byte, to_char = string.byte, string.char; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
22 |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
23 local md5 = require "util.hashes".md5; |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
24 local log = require "util.logger".init("sasl"); |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
25 local generate_uuid = require "util.uuid".generate; |
5301
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
26 local nodeprep = require "util.encodings".stringprep.nodeprep; |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
27 |
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5301
diff
changeset
|
28 local _ENV = nil; |
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
6777
diff
changeset
|
29 -- luacheck: std none |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
30 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
31 --========================= |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
32 --SASL DIGEST-MD5 according to RFC 2831 |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
33 |
3092
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
34 --[[ |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
35 Supported Authentication Backends |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
36 |
3122
579f17b9f948
util.sasl.*: Adjusting authentication provider names. All '-' replaced with '_'
Tobias Markmann <tm@ayena.de>
parents:
3094
diff
changeset
|
37 digest_md5: |
3092
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
38 function(username, domain, realm, encoding) -- domain and realm are usually the same; for some broken |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
39 -- implementations it's not |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
40 return digesthash, state; |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
41 end |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
42 |
3122
579f17b9f948
util.sasl.*: Adjusting authentication provider names. All '-' replaced with '_'
Tobias Markmann <tm@ayena.de>
parents:
3094
diff
changeset
|
43 digest_md5_test: |
3092
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
44 function(username, domain, realm, encoding, digesthash) |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
45 return true or false, state; |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
46 end |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
47 ]] |
d32935878661
util.sasl: Moving SASL authentication backends documentation to the mechanism files.
Tobias Markmann <tm@ayena.de>
parents:
2936
diff
changeset
|
48 |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
49 local function digest(self, message) |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
50 --TODO complete support for authzid |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
51 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
52 local function serialize(message) |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
53 local data = "" |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
54 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
55 -- testing all possible values |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
56 if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
57 if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
58 if message["qop"] then data = data..[[qop="]]..message.qop..[[",]] end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
59 if message["charset"] then data = data..[[charset=]]..message.charset.."," end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
60 if message["algorithm"] then data = data..[[algorithm=]]..message.algorithm.."," end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
61 if message["rspauth"] then data = data..[[rspauth=]]..message.rspauth.."," end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
62 data = data:gsub(",$", "") |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
63 return data |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
64 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
65 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
66 local function utf8tolatin1ifpossible(passwd) |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
67 local i = 1; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
68 while i <= #passwd do |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
69 local passwd_i = to_byte(passwd:sub(i, i)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
70 if passwd_i > 0x7F then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
71 if passwd_i < 0xC0 or passwd_i > 0xC3 then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
72 return passwd; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
73 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
74 i = i + 1; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
75 passwd_i = to_byte(passwd:sub(i, i)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
76 if passwd_i < 0x80 or passwd_i > 0xBF then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
77 return passwd; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
78 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
79 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
80 i = i + 1; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
81 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
82 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
83 local p = {}; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
84 local j = 0; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
85 i = 1; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
86 while (i <= #passwd) do |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
87 local passwd_i = to_byte(passwd:sub(i, i)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
88 if passwd_i > 0x7F then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
89 i = i + 1; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
90 local passwd_i_1 = to_byte(passwd:sub(i, i)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
91 t_insert(p, to_char(passwd_i%4*64 + passwd_i_1%64)); -- I'm so clever |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
92 else |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
93 t_insert(p, to_char(passwd_i)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
94 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
95 i = i + 1; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
96 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
97 return t_concat(p); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
98 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
99 local function latin1toutf8(str) |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
100 local p = {}; |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
101 for ch in s_gmatch(str, ".") do |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
102 ch = to_byte(ch); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
103 if (ch < 0x80) then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
104 t_insert(p, to_char(ch)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
105 elseif (ch < 0xC0) then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
106 t_insert(p, to_char(0xC2, ch)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
107 else |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
108 t_insert(p, to_char(0xC3, ch - 64)); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
109 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
110 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
111 return t_concat(p); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
112 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
113 local function parse(data) |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
114 local message = {} |
2212 | 115 -- COMPAT: %z in the pattern to work around jwchat bug (sends "charset=utf-8\0") |
2215
4678aa4567c8
SASL: Using locally mapped s_gmatch instead of unavailable gmatch.
Tobias Markmann <tm@ayena.de>
parents:
2212
diff
changeset
|
116 for k, v in s_gmatch(data, [[([%w%-]+)="?([^",%z]*)"?,?]]) do -- FIXME The hacky regex makes me shudder |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
117 message[k] = v; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
118 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
119 return message; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
120 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
121 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
122 if not self.nonce then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
123 self.nonce = generate_uuid(); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
124 self.step = 0; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
125 self.nonce_count = {}; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
126 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
127 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
128 self.step = self.step + 1; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
129 if (self.step == 1) then |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
130 local challenge = serialize({ nonce = self.nonce, |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
131 qop = "auth", |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
132 charset = "utf-8", |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
133 algorithm = "md5-sess", |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
134 realm = self.realm}); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
135 return "challenge", challenge; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
136 elseif (self.step == 2) then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
137 local response = parse(message); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
138 -- check for replay attack |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
139 if response["nc"] then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
140 if self.nonce_count[response["nc"]] then return "failure", "not-authorized" end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
141 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
142 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
143 -- check for username, it's REQUIRED by RFC 2831 |
5301
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
144 local username = response["username"]; |
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
145 local _nodeprep = self.profile.nodeprep; |
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
146 if username and _nodeprep ~= false then |
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
147 username = (_nodeprep or nodeprep)(username); -- FIXME charset |
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
148 end |
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
149 if not username or username == "" then |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
150 return "failure", "malformed-request"; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
151 end |
5301
6279caf921f1
util.sasl.{plain,scram,digest-md5}: nodeprep username before passing to callbacks, so callbacks don't have to.
Waqas Hussain <waqas20@gmail.com>
parents:
4113
diff
changeset
|
152 self.username = username; |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
153 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
154 -- check for nonce, ... |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
155 if not response["nonce"] then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
156 return "failure", "malformed-request"; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
157 else |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
158 -- check if it's the right nonce |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
159 if response["nonce"] ~= tostring(self.nonce) then return "failure", "malformed-request" end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
160 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
161 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
162 if not response["cnonce"] then return "failure", "malformed-request", "Missing entry for cnonce in SASL message." end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
163 if not response["qop"] then response["qop"] = "auth" end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
164 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
165 if response["realm"] == nil or response["realm"] == "" then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
166 response["realm"] = ""; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
167 elseif response["realm"] ~= self.realm then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
168 return "failure", "not-authorized", "Incorrect realm value"; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
169 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
170 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
171 local decoder; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
172 if response["charset"] == nil then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
173 decoder = utf8tolatin1ifpossible; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
174 elseif response["charset"] ~= "utf-8" then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
175 return "failure", "incorrect-encoding", "The client's response uses "..response["charset"].." for encoding with isn't supported by sasl.lua. Supported encodings are latin or utf-8."; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
176 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
177 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
178 local domain = ""; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
179 local protocol = ""; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
180 if response["digest-uri"] then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
181 protocol, domain = response["digest-uri"]:match("(%w+)/(.*)$"); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
182 if protocol == nil or domain == nil then return "failure", "malformed-request" end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
183 else |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
184 return "failure", "malformed-request", "Missing entry for digest-uri in SASL message." |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
185 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
186 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
187 --TODO maybe realm support |
2258
e4c5d0d21ac7
util.sasl.digest-md5: Fixing some variable access.
Tobias Markmann <tm@ayena.de>
parents:
2255
diff
changeset
|
188 local Y, state; |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
189 if self.profile.plain then |
3981
2b0b8fe68df2
util.sasl.*, mod_auth_*, mod_saslauth: Pass SASL handler as first parameter to SASL profile callbacks.
Waqas Hussain <waqas20@gmail.com>
parents:
3124
diff
changeset
|
190 local password, state = self.profile.plain(self, response["username"], self.realm) |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
191 if state == nil then return "failure", "not-authorized" |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
192 elseif state == false then return "failure", "account-disabled" end |
2189
1182e7ae2964
Broken DIGEST-MD5 client support again.
Tobias Markmann <tm@ayena.de>
parents:
2188
diff
changeset
|
193 Y = md5(response["username"]..":"..response["realm"]..":"..password); |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
194 elseif self.profile["digest-md5"] then |
3981
2b0b8fe68df2
util.sasl.*, mod_auth_*, mod_saslauth: Pass SASL handler as first parameter to SASL profile callbacks.
Waqas Hussain <waqas20@gmail.com>
parents:
3124
diff
changeset
|
195 Y, state = self.profile["digest-md5"](self, response["username"], self.realm, response["realm"], response["charset"]) |
2191
e79c0ce6cf54
Adding support for digest-md5 profile in DIGEST-MD5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2189
diff
changeset
|
196 if state == nil then return "failure", "not-authorized" |
e79c0ce6cf54
Adding support for digest-md5 profile in DIGEST-MD5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2189
diff
changeset
|
197 elseif state == false then return "failure", "account-disabled" end |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
198 elseif self.profile["digest-md5-test"] then |
2189
1182e7ae2964
Broken DIGEST-MD5 client support again.
Tobias Markmann <tm@ayena.de>
parents:
2188
diff
changeset
|
199 -- TODO |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
200 end |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
201 --local password_encoding, Y = self.credentials_handler("DIGEST-MD5", response["username"], self.realm, response["realm"], decoder); |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
202 --if Y == nil then return "failure", "not-authorized" |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
203 --elseif Y == false then return "failure", "account-disabled" end |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
204 local A1 = ""; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
205 if response.authzid then |
2193 | 206 if response.authzid == self.username or response.authzid == self.username.."@"..self.realm then |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
207 -- COMPAT |
2193 | 208 log("warn", "Client is violating RFC 3920 (section 6.1, point 7)."); |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
209 A1 = Y..":"..response["nonce"]..":"..response["cnonce"]..":"..response.authzid; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
210 else |
2193 | 211 return "failure", "invalid-authzid"; |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
212 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
213 else |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
214 A1 = Y..":"..response["nonce"]..":"..response["cnonce"]; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
215 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
216 local A2 = "AUTHENTICATE:"..protocol.."/"..domain; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
217 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
218 local HA1 = md5(A1, true); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
219 local HA2 = md5(A2, true); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
220 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
221 local KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
222 local response_value = md5(KD, true); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
223 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
224 if response_value == response["response"] then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
225 -- calculate rspauth |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
226 A2 = ":"..protocol.."/"..domain; |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
227 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
228 HA1 = md5(A1, true); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
229 HA2 = md5(A2, true); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
230 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
231 KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2 |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
232 local rspauth = md5(KD, true); |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
233 self.authenticated = true; |
2568
25e1a544a096
util.sasl.digest-md5: Revert changeset 6094a4e2b6f3 as it breaks some clients, re-visit some time down the line
Matthew Wild <mwild1@gmail.com>
parents:
2211
diff
changeset
|
234 --TODO: considering sending the rspauth in a success node for saving one roundtrip; allowed according to http://tools.ietf.org/html/draft-saintandre-rfc3920bis-09#section-7.3.6 |
25e1a544a096
util.sasl.digest-md5: Revert changeset 6094a4e2b6f3 as it breaks some clients, re-visit some time down the line
Matthew Wild <mwild1@gmail.com>
parents:
2211
diff
changeset
|
235 return "challenge", serialize({rspauth = rspauth}); |
2186
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
236 else |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
237 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated." |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
238 end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
239 elseif self.step == 3 then |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
240 if self.authenticated ~= nil then return "success" |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
241 else return "failure", "malformed-request" end |
1112871916eb
Move each mechanism in an own file.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
242 end |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
243 end |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
244 |
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5301
diff
changeset
|
245 local function init(registerMechanism) |
2188
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
246 registerMechanism("DIGEST-MD5", {"plain"}, digest); |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
247 end |
1fd38975addd
Add support for plain profile in digest-md5 implementation.
Tobias Markmann <tm@ayena.de>
parents:
2186
diff
changeset
|
248 |
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5301
diff
changeset
|
249 return { |
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5301
diff
changeset
|
250 init = init; |
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5301
diff
changeset
|
251 } |