Annotate

util/sasl.lua @ 602:a977227aa9e6

Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
author Waqas Hussain <waqas20@gmail.com>
date Mon, 08 Dec 2008 03:23:37 +0500
parent 599:30655c5cc531
child 603:423fd24fff54
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
1 -- sasl.lua v0.1
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
2 -- Copyright (C) 2008 Tobias Markmann
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
3 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
4 -- All rights reserved.
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
5 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
6 -- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
7 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
8 -- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
9 -- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
10 -- * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
11 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
12 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
13
15
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
14
449
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 405
diff changeset
15 local md5 = require "util.hashes".md5;
38
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
16 local log = require "util.logger".init("sasl");
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
17 local tostring = tostring;
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
18 local st = require "util.stanza";
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
19 local generate_uuid = require "util.uuid".generate;
504
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
20 local t_insert, t_concat = table.insert, table.concat;
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
21 local to_byte, to_char = string.byte, string.char;
38
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
22 local s_match = string.match;
277
00c2fc751f50 Fixing some parsing and some other stuff.
Tobias Markmann <tm@ayena.de>
parents: 276
diff changeset
23 local gmatch = string.gmatch
280
516f4c901991 Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents: 278
diff changeset
24 local string = string
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
25 local math = require "math"
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
26 local type = type
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
27 local error = error
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
28 local print = print
476
4744735a0a5e Apply IDNA to ASCII on hostnames.
Tobias Markmann <tm@ayena.de>
parents: 475
diff changeset
29 local idna_ascii = require "util.encodings".idna.to_ascii
496
b3251b137d68 idna-to-unicode so password_handler looks for the right domain.
Tobias Markmann <tm@ayena.de>
parents: 495
diff changeset
30 local idna_unicode = require "util.encodings".idna.to_unicode
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
31
38
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
32 module "sasl"
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
33
285
372d0891e8fd Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents: 280
diff changeset
34 local function new_plain(realm, password_handler)
372d0891e8fd Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents: 280
diff changeset
35 local object = { mechanism = "PLAIN", realm = realm, password_handler = password_handler}
297
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
36 function object.feed(self, message)
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
37
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
38 if message == "" or message == nil then return "failure", "malformed-request" end
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
39 local response = message
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
40 local authorization = s_match(response, "([^&%z]+)")
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
41 local authentication = s_match(response, "%z([^&%z]+)%z")
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
42 local password = s_match(response, "%z[^&%z]+%z([^&%z]+)")
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
43
402
50f1c09541cd Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents: 401
diff changeset
44 if authentication == nil or password == nil then return "failure", "malformed-request" end
50f1c09541cd Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents: 401
diff changeset
45
297
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
46 local password_encoding, correct_password = self.password_handler(authentication, self.realm, "PLAIN")
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
47
405
62706c4e04cf Some ends too much.
Tobias Markmann <tm@ayena.de>
parents: 404
diff changeset
48 if correct_password == nil then return "failure", "not-authorized"
404
4801dbeccc2a Some changes to report more correct SASL failures. Support for disabled accounts.
Tobias Markmann <tm@ayena.de>
parents: 402
diff changeset
49 elseif correct_password == false then return "failure", "account-disabled" end
402
50f1c09541cd Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents: 401
diff changeset
50
297
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
51 local claimed_password = ""
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
52 if password_encoding == nil then claimed_password = password
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
53 else claimed_password = password_encoding(password) end
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
54
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
55 self.username = authentication
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
56 if claimed_password == correct_password then
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
57 return "success"
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
58 else
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
59 return "failure", "not-authorized"
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
60 end
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
61 end
15
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
62 return object
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
63 end
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
64
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
65 local function new_digest_md5(realm, password_handler)
280
516f4c901991 Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents: 278
diff changeset
66 --TODO maybe support for authzid
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
67
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
68 local function serialize(message)
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
69 local data = ""
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
70
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
71 if type(message) ~= "table" then error("serialize needs an argument of type table.") end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
72
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
73 -- testing all possible values
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
74 if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
75 if message["qop"] then data = data..[[qop="]]..message.qop..[[",]] end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
76 if message["charset"] then data = data..[[charset=]]..message.charset.."," end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
77 if message["algorithm"] then data = data..[[algorithm=]]..message.algorithm.."," end
280
516f4c901991 Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents: 278
diff changeset
78 if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end
516f4c901991 Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents: 278
diff changeset
79 if message["rspauth"] then data = data..[[rspauth=]]..message.rspauth.."," end
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
80 data = data:gsub(",$", "")
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
81 return data
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
82 end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
83
595
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
84 local function utf8tolatin1ifpossible(passwd)
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
85 local i = 1;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
86 while i <= #passwd do
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
87 local passwd_i = to_byte(passwd:sub(i, i));
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
88 if passwd_i > 0x7F then
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
89 if passwd_i < 0xC0 or passwd_i > 0xC3 then
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
90 return passwd;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
91 end
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
92 i = i + 1;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
93 passwd_i = to_byte(passwd:sub(i, i));
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
94 if passwd_i < 0x80 or passwd_i > 0xBF then
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
95 return passwd;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
96 end
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
97 end
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
98 i = i + 1;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
99 end
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
100
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
101 local p = {};
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
102 local j = 0;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
103 i = 1;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
104 while (i <= #passwd) do
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
105 local passwd_i = to_byte(passwd:sub(i, i));
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
106 if passwd_i > 0x7F then
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
107 i = i + 1;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
108 local passwd_i_1 = to_byte(passwd:sub(i, i));
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
109 t_insert(p, to_char(passwd_i%4*64 + passwd_i_1%64)); -- I'm so clever
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
110 else
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
111 t_insert(p, to_char(passwd_i));
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
112 end
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
113 i = i + 1;
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
114 end
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
115 return t_concat(p);
08ed4fa2f89d Latin1 support for SASL DIGEST-MD5 (initial commit)
Waqas Hussain <waqas20@gmail.com>
parents: 529
diff changeset
116 end
504
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
117 local function latin1toutf8(str)
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
118 local p = {};
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
119 for ch in gmatch(str, ".") do
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
120 ch = to_byte(ch);
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
121 if (ch < 0x80) then
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
122 t_insert(p, to_char(ch));
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
123 elseif (ch < 0xC0) then
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
124 t_insert(p, to_char(0xC2, ch));
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
125 else
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
126 t_insert(p, to_char(0xC3, ch - 64));
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
127 end
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
128 end
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
129 return t_concat(p);
efc5184effa1 Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents: 496
diff changeset
130 end
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
131 local function parse(data)
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
132 message = {}
458
ac17926c3282 Added a FIXME
Waqas Hussain <waqas20@gmail.com>
parents: 457
diff changeset
133 for k, v in gmatch(data, [[([%w%-]+)="?([^",]*)"?,?]]) do -- FIXME The hacky regex makes me shudder
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
134 message[k] = v
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
135 end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
136 return message
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
137 end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
138
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
139 local object = { mechanism = "DIGEST-MD5", realm = realm, password_handler = password_handler}
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
140
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
141 --TODO: something better than math.random would be nice, maybe OpenSSL's random number generator
280
516f4c901991 Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents: 278
diff changeset
142 object.nonce = generate_uuid()
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
143 object.step = 0
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
144 object.nonce_count = {}
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
145
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
146 function object.feed(self, message)
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
147 self.step = self.step + 1
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
148 if (self.step == 1) then
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
149 local challenge = serialize({ nonce = object.nonce,
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
150 qop = "auth",
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
151 charset = "utf-8",
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
152 algorithm = "md5-sess",
505
1b938e00412c Remove that idn stuff for realm because it's either an ugly hack that the password_handler isn't ready for or something worse.
Tobias Markmann <tm@ayena.de>
parents: 496
diff changeset
153 realm = self.realm});
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
154 return "challenge", challenge
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
155 elseif (self.step == 2) then
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
156 local response = parse(message)
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
157 -- check for replay attack
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
158 if response["nc"] then
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
159 if self.nonce_count[response["nc"]] then return "failure", "not-authorized" end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
160 end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
161
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
162 -- check for username, it's REQUIRED by RFC 2831
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
163 if not response["username"] then
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
164 return "failure", "malformed-request"
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
165 end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
166 self["username"] = response["username"]
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
167
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
168 -- check for nonce, ...
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
169 if not response["nonce"] then
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
170 return "failure", "malformed-request"
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
171 else
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
172 -- check if it's the right nonce
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
173 if response["nonce"] ~= tostring(self.nonce) then return "failure", "malformed-request" end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
174 end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
175
297
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
176 if not response["cnonce"] then return "failure", "malformed-request", "Missing entry for cnonce in SASL message." end
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
177 if not response["qop"] then response["qop"] = "auth" end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
178
602
a977227aa9e6 Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
Waqas Hussain <waqas20@gmail.com>
parents: 599
diff changeset
179 if response["realm"] == nil then
a977227aa9e6 Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
Waqas Hussain <waqas20@gmail.com>
parents: 599
diff changeset
180 response["realm"] = ""
a977227aa9e6 Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
Waqas Hussain <waqas20@gmail.com>
parents: 599
diff changeset
181 elseif response["realm"] ~= self.realm then
a977227aa9e6 Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
Waqas Hussain <waqas20@gmail.com>
parents: 599
diff changeset
182 return "failure", "not-authorized", "Incorrect realm value";
a977227aa9e6 Return error when the given realm value does not match the sent realm value. Prevents impersonation of an account on one virtual host, but a user with the same username on another host.
Waqas Hussain <waqas20@gmail.com>
parents: 599
diff changeset
183 end
599
30655c5cc531 Latin1 support for SASL DIGEST-MD5 (second, and possibly final commit)
Waqas Hussain <waqas20@gmail.com>
parents: 595
diff changeset
184 local decoder;
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
185
508
4fd60ae97535 Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents: 507
diff changeset
186 if response["charset"] == nil then
599
30655c5cc531 Latin1 support for SASL DIGEST-MD5 (second, and possibly final commit)
Waqas Hussain <waqas20@gmail.com>
parents: 595
diff changeset
187 decoder = utf8tolatin1ifpossible;
508
4fd60ae97535 Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents: 507
diff changeset
188 elseif response["charset"] ~= "utf-8" then
4fd60ae97535 Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents: 507
diff changeset
189 return "failure", "incorrect-encoding", "The client's response uses "..response["charset"].." for encoding with isn't supported by sasl.lua. Supported encodings are latin or utf-8."
4fd60ae97535 Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents: 507
diff changeset
190 end
4fd60ae97535 Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents: 507
diff changeset
191
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
192 local domain = ""
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
193 local protocol = ""
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
194 if response["digest-uri"] then
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
195 protocol, domain = response["digest-uri"]:match("(%w+)/(.*)$")
402
50f1c09541cd Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents: 401
diff changeset
196 if protocol == nil or domain == nil then return "failure", "malformed-request" end
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
197 else
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
198 return "failure", "malformed-request", "Missing entry for digest-uri in SASL message."
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
199 end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
200
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
201 --TODO maybe realm support
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
202 self.username = response["username"]
599
30655c5cc531 Latin1 support for SASL DIGEST-MD5 (second, and possibly final commit)
Waqas Hussain <waqas20@gmail.com>
parents: 595
diff changeset
203 local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5", decoder)
405
62706c4e04cf Some ends too much.
Tobias Markmann <tm@ayena.de>
parents: 404
diff changeset
204 if Y == nil then return "failure", "not-authorized"
404
4801dbeccc2a Some changes to report more correct SASL failures. Support for disabled accounts.
Tobias Markmann <tm@ayena.de>
parents: 402
diff changeset
205 elseif Y == false then return "failure", "account-disabled" end
402
50f1c09541cd Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents: 401
diff changeset
206
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
207 local A1 = Y..":"..response["nonce"]..":"..response["cnonce"]--:authzid
472
ee45599c0b5d Do idna_to_ascii when building own response.
Tobias Markmann <tm@ayena.de>
parents: 449
diff changeset
208 local A2 = "AUTHENTICATE:"..protocol.."/"..idna_ascii(domain)
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
209
449
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 405
diff changeset
210 local HA1 = md5(A1, true)
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 405
diff changeset
211 local HA2 = md5(A2, true)
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
212
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
213 local KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2
449
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 405
diff changeset
214 local response_value = md5(KD, true)
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
215
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
216 if response_value == response["response"] then
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
217 -- calculate rspauth
472
ee45599c0b5d Do idna_to_ascii when building own response.
Tobias Markmann <tm@ayena.de>
parents: 449
diff changeset
218 A2 = ":"..protocol.."/"..idna_ascii(domain)
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
219
449
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 405
diff changeset
220 HA1 = md5(A1, true)
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 405
diff changeset
221 HA2 = md5(A2, true)
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
222
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
223 KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2
449
c0a4a1e63d70 Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents: 405
diff changeset
224 local rspauth = md5(KD, true)
297
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
225 self.authenticated = true
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
226 return "challenge", serialize({rspauth = rspauth})
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
227 else
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
228 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated."
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
229 end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
230 elseif self.step == 3 then
297
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
231 if self.authenticated ~= nil then return "success"
15b375870b40 Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents: 294
diff changeset
232 else return "failure", "malformed-request" end
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
233 end
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
234 end
276
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
235 return object
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
236 end
30893439d5d1 Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents: 50
diff changeset
237
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
238 function new(mechanism, realm, password_handler)
15
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
239 local object
294
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
240 if mechanism == "PLAIN" then object = new_plain(realm, password_handler)
5d861d6e5bbd Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents: 292
diff changeset
241 elseif mechanism == "DIGEST-MD5" then object = new_digest_md5(realm, password_handler)
38
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
242 else
Matthew Wild <mwild1@gmail.com>
parents: 32
diff changeset
243 log("debug", "Unsupported SASL mechanism: "..tostring(mechanism));
285
372d0891e8fd Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents: 280
diff changeset
244 return nil
15
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
245 end
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
246 return object
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
247 end
c0d754774db2 adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff changeset
248
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 508
diff changeset
249 return _M;