Annotate: util/sasl.lua @ 602:a977227aa9e6

Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host by a user with the same username on another host.

| author | Waqas Hussain <waqas20@gmail.com> |
|---|---|
| date | Mon, 08 Dec 2008 03:23:37 +0500 |
| parent | 599:30655c5cc531 |
| child | 603:423fd24fff54 |
```lua
-- sasl.lua v0.1
-- Copyright (C) 2008 Tobias Markmann
--
-- All rights reserved.
--
-- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
--
--     * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
--     * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
--     * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
--
-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


local md5 = require "util.hashes".md5;
local log = require "util.logger".init("sasl");
local tostring = tostring;
local st = require "util.stanza";
local generate_uuid = require "util.uuid".generate;
local t_insert, t_concat = table.insert, table.concat;
local to_byte, to_char = string.byte, string.char;
local s_match = string.match;
local gmatch = string.gmatch
local string = string
local math = require "math"
local type = type
local error = error
local print = print
local idna_ascii = require "util.encodings".idna.to_ascii
local idna_unicode = require "util.encodings".idna.to_unicode

module "sasl"

local function new_plain(realm, password_handler)
	local object = { mechanism = "PLAIN", realm = realm, password_handler = password_handler}
	function object.feed(self, message)

		if message == "" or message == nil then return "failure", "malformed-request" end
		local response = message
		-- PLAIN message: [authzid] NUL authcid NUL passwd (RFC 4616)
		local authorization = s_match(response, "([^&%z]+)")
		local authentication = s_match(response, "%z([^&%z]+)%z")
		local password = s_match(response, "%z[^&%z]+%z([^&%z]+)")

		if authentication == nil or password == nil then return "failure", "malformed-request" end

		local password_encoding, correct_password = self.password_handler(authentication, self.realm, "PLAIN")

		if correct_password == nil then return "failure", "not-authorized"
		elseif correct_password == false then return "failure", "account-disabled" end

		local claimed_password = ""
		if password_encoding == nil then claimed_password = password
		else claimed_password = password_encoding(password) end

		self.username = authentication
		if claimed_password == correct_password then
			return "success"
		else
			return "failure", "not-authorized"
		end
	end
	return object
end

local function new_digest_md5(realm, password_handler)
	--TODO maybe support for authzid

	local function serialize(message)
		local data = ""

		if type(message) ~= "table" then error("serialize needs an argument of type table.") end

		-- testing all possible values
		if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end
		if message["qop"] then data = data..[[qop="]]..message.qop..[[",]] end
		if message["charset"] then data = data..[[charset=]]..message.charset.."," end
		if message["algorithm"] then data = data..[[algorithm=]]..message.algorithm.."," end
		if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end
		if message["rspauth"] then data = data..[[rspauth=]]..message.rspauth.."," end
		data = data:gsub(",$", "")
		return data
	end

	-- If every non-ASCII byte in passwd is a two-byte UTF-8 sequence in the
	-- Latin-1 range (U+0080..U+00FF), return the Latin-1 transcoding; otherwise
	-- return passwd unchanged.
	local function utf8tolatin1ifpossible(passwd)
		local i = 1;
		while i <= #passwd do
			local passwd_i = to_byte(passwd:sub(i, i));
			if passwd_i > 0x7F then
				if passwd_i < 0xC0 or passwd_i > 0xC3 then
					return passwd;
				end
				i = i + 1;
				passwd_i = to_byte(passwd:sub(i, i));
				if passwd_i < 0x80 or passwd_i > 0xBF then
					return passwd;
				end
			end
			i = i + 1;
		end

		local p = {};
		local j = 0;
		i = 1;
		while (i <= #passwd) do
			local passwd_i = to_byte(passwd:sub(i, i));
			if passwd_i > 0x7F then
				i = i + 1;
				local passwd_i_1 = to_byte(passwd:sub(i, i));
				t_insert(p, to_char(passwd_i%4*64 + passwd_i_1%64)); -- I'm so clever
			else
				t_insert(p, to_char(passwd_i));
			end
			i = i + 1;
		end
		return t_concat(p);
	end
	local function latin1toutf8(str)
		local p = {};
		for ch in gmatch(str, ".") do
			ch = to_byte(ch);
			if (ch < 0x80) then
				t_insert(p, to_char(ch));
			elseif (ch < 0xC0) then
				t_insert(p, to_char(0xC2, ch));
			else
				t_insert(p, to_char(0xC3, ch - 64));
			end
		end
		return t_concat(p);
	end
	local function parse(data)
		local message = {} -- local: the original leaked this table as a global
		for k, v in gmatch(data, [[([%w%-]+)="?([^",]*)"?,?]]) do -- FIXME The hacky regex makes me shudder
			message[k] = v
		end
		return message
	end

	local object = { mechanism = "DIGEST-MD5", realm = realm, password_handler = password_handler}

	--TODO: something better than math.random would be nice, maybe OpenSSL's random number generator
	object.nonce = generate_uuid()
	object.step = 0
	object.nonce_count = {}

	function object.feed(self, message)
		self.step = self.step + 1
		if (self.step == 1) then
			local challenge = serialize({ nonce = object.nonce,
				qop = "auth",
				charset = "utf-8",
				algorithm = "md5-sess",
				realm = self.realm});
			return "challenge", challenge
		elseif (self.step == 2) then
			local response = parse(message)
			-- check for replay attack
			if response["nc"] then
				if self.nonce_count[response["nc"]] then return "failure", "not-authorized" end
			end

			-- check for username, it's REQUIRED by RFC 2831
			if not response["username"] then
				return "failure", "malformed-request"
			end
			self["username"] = response["username"]

			-- check for nonce, ...
			if not response["nonce"] then
				return "failure", "malformed-request"
			else
				-- check if it's the right nonce
				if response["nonce"] ~= tostring(self.nonce) then return "failure", "malformed-request" end
			end

			if not response["cnonce"] then return "failure", "malformed-request", "Missing entry for cnonce in SASL message." end
			if not response["qop"] then response["qop"] = "auth" end

			-- the realm the client answers with must be the one this host offered
			-- in its challenge (this changeset); an absent realm is tolerated as ""
			if response["realm"] == nil then
				response["realm"] = ""
			elseif response["realm"] ~= self.realm then
				return "failure", "not-authorized", "Incorrect realm value";
			end
			local decoder;

			if response["charset"] == nil then
				decoder = utf8tolatin1ifpossible;
			elseif response["charset"] ~= "utf-8" then
				return "failure", "incorrect-encoding", "The client's response uses "..response["charset"].." for encoding with isn't supported by sasl.lua. Supported encodings are latin or utf-8."
			end

			local domain = ""
			local protocol = ""
			if response["digest-uri"] then
				protocol, domain = response["digest-uri"]:match("(%w+)/(.*)$")
				if protocol == nil or domain == nil then return "failure", "malformed-request" end
			else
				return "failure", "malformed-request", "Missing entry for digest-uri in SASL message."
			end

			--TODO maybe realm support
			self.username = response["username"]
```
599
30655c5cc531
Latin1 support for SASL DIGEST-MD5 (second, and possibly final commit)
Waqas Hussain <waqas20@gmail.com>
parents:
595
diff
changeset
|
203 local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5", decoder) |
405 | 204 if Y == nil then return "failure", "not-authorized" |
404
4801dbeccc2a
Some changes to report more correct SASL failures. Support for disabled accounts.
Tobias Markmann <tm@ayena.de>
parents:
402
diff
changeset
|
205 elseif Y == false then return "failure", "account-disabled" end |
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
206 |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
207 local A1 = Y..":"..response["nonce"]..":"..response["cnonce"]--:authzid |
472
ee45599c0b5d
Do idna_to_ascii when building own response.
Tobias Markmann <tm@ayena.de>
parents:
449
diff
changeset
|
208 local A2 = "AUTHENTICATE:"..protocol.."/"..idna_ascii(domain) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
209 |
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
210 local HA1 = md5(A1, true) |
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
211 local HA2 = md5(A2, true) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
212 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
213 local KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2 |
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
214 local response_value = md5(KD, true) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
215 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
216 if response_value == response["response"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
217 -- calculate rspauth |
472
ee45599c0b5d
Do idna_to_ascii when building own response.
Tobias Markmann <tm@ayena.de>
parents:
449
diff
changeset
|
218 A2 = ":"..protocol.."/"..idna_ascii(domain) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
219 |
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
220 HA1 = md5(A1, true) |
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
221 HA2 = md5(A2, true) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
222 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
223 KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2 |
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
224 local rspauth = md5(KD, true) |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
225 self.authenticated = true |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
226 return "challenge", serialize({rspauth = rspauth}) |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
227 else |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
228 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated." |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
229 end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
230 elseif self.step == 3 then |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
231 if self.authenticated ~= nil then return "success" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
232 else return "failure", "malformed-request" end |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
233 end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
234 end |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
235 return object |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
236 end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
237 |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
238 function new(mechanism, realm, password_handler) |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
239 local object |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
240 if mechanism == "PLAIN" then object = new_plain(realm, password_handler) |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
241 elseif mechanism == "DIGEST-MD5" then object = new_digest_md5(realm, password_handler) |
38 | 242 else |
243 log("debug", "Unsupported SASL mechanism: "..tostring(mechanism)); | |
285
372d0891e8fd
Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents:
280
diff
changeset
|
244 return nil |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
245 end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
246 return object |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
247 end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
248 |
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
508
diff
changeset
|
249 return _M; |
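An added example, not code from the prosody project, written in Python rather than the page's Lua so it runs stand-alone with hashlib: it carries the step-2 computation above through the RFC 2831 section 4 values and shows the realm check this changeset introduces rejecting a digest that was computed against another virtual host's realm. `verify_step2`, `client_response`, `lookup`, the `PASSWORDS` store and a `password_handler` that returns the plaintext password instead of Y are assumptions of the example.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_value(username, realm, password, nonce, cnonce, nc, qop, digest_uri, rspauth=False):
    """RFC 2831 response-value as the page's feed() assembles it: Y = MD5(user:realm:pass) raw
    (what password_handler returns there), A1 = Y:nonce:cnonce, A2 = AUTHENTICATE:digest-uri
    (":digest-uri" for rspauth), value = HEX(MD5(HEX(MD5(A1)):nonce:nc:cnonce:qop:HEX(MD5(A2))))."""
    y = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    ha1 = _md5(y + f":{nonce}:{cnonce}".encode("utf-8")).hex()
    ha2 = _md5((("" if rspauth else "AUTHENTICATE") + ":" + digest_uri).encode("utf-8")).hex()
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()

def verify_step2(server_realm, response, password_handler):
    """Server side of step 2. password_handler(username, realm) returns the stored password
    or None (a hypothetical simplification of the page's handler, which returns Y)."""
    if response.get("realm") != server_realm:
        # The check this changeset adds: a digest that verifies against another virtual
        # host's realm must not authenticate the client to this host.
        return ("failure", "not-authorized", "Incorrect realm value")
    charset = response.get("charset")
    if charset is not None and charset.lower() != "utf-8":
        return ("failure", "incorrect-encoding", "unsupported charset " + charset)
    uri = response.get("digest-uri")
    if uri is None or not all(uri.partition("/")[::2]):  # need protocol/host
        return ("failure", "malformed-request", "Missing or malformed digest-uri")
    password = password_handler(response["username"], response["realm"])
    if password is None:
        return ("failure", "not-authorized")
    args = (response["username"], response["realm"], password, response["nonce"],
            response["cnonce"], response["nc"], response["qop"], uri)
    if not hmac.compare_digest(digest_md5_value(*args), response.get("response", "")):
        return ("failure", "not-authorized", "Client response does not match")
    return ("challenge", "rspauth=" + digest_md5_value(*args, rspauth=True))

# Constructed password store: the same username exists on two virtual hosts.
PASSWORDS = {("chris", "elwood.innosoft.com"): "secret", ("chris", "other.example"): "hunter2"}
def lookup(username, realm):
    return PASSWORDS.get((username, realm))

def client_response(realm, password, nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk"):
    """Response a client holding `password` for `realm` would send; nonces and digest-uri are
    the RFC 2831 section 4 example values so the result can be checked against the RFC."""
    uri = "imap/elwood.innosoft.com"
    r = {"username": "chris", "realm": realm, "nonce": nonce, "cnonce": cnonce, "nc": "00000001",
         "qop": "auth", "digest-uri": uri, "charset": "utf-8"}
    r["response"] = digest_md5_value("chris", realm, password, nonce, cnonce, "00000001", "auth", uri)
    return r
```

With the realm check in place, a response built from chris@other.example's password is refused by the elwood.innosoft.com host before any digest is compared, which is the cross-host impersonation the changeset description refers to.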