
plugins/mod_auth_internal_hashed.lua @ 11120:b2331f3dfeea

Merge 0.11->trunk
author Matthew Wild <mwild1@gmail.com>
date Wed, 30 Sep 2020 09:50:33 +0100
parent 10916:c7ed8f754033
child 11560:3bbb1af92514
11119:68df52bf08d5 11120:b2331f3dfeea
7 -- COPYING file in the source package for more information. 7 -- COPYING file in the source package for more information.
8 -- 8 --
9 9
10 local max = math.max; 10 local max = math.max;
11 11
12 local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1; 12 local scram_hashers = require "util.sasl.scram".hashers;
13 local usermanager = require "core.usermanager"; 13 local usermanager = require "core.usermanager";
14 local generate_uuid = require "util.uuid".generate; 14 local generate_uuid = require "util.uuid".generate;
15 local new_sasl = require "util.sasl".new; 15 local new_sasl = require "util.sasl".new;
16 local hex = require"util.hex"; 16 local hex = require"util.hex";
17 local to_hex, from_hex = hex.to, hex.from; 17 local to_hex, from_hex = hex.to, hex.from;
20 local log = module._log; 20 local log = module._log;
21 local host = module.host; 21 local host = module.host;
22 22
23 local accounts = module:open_store("accounts"); 23 local accounts = module:open_store("accounts");
24 24
25 25 local hash_name = module:get_option_string("password_hash", "SHA-1");
26 local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not supported by SASL library");
27 local scram_name = "scram_"..hash_name:gsub("%-","_"):lower();
26 28
27 -- Default; can be set per-user 29 -- Default; can be set per-user
28 local default_iteration_count = 4096; 30 local default_iteration_count = 4096;
29 31
30 -- define auth provider 32 -- define auth provider
52 54
53 if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then 55 if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
54 return nil, "Auth failed. Stored salt and iteration count information is not complete."; 56 return nil, "Auth failed. Stored salt and iteration count information is not complete.";
55 end 57 end
56 58
57 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); 59 local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count);
58 60
59 local stored_key_hex = to_hex(stored_key); 61 local stored_key_hex = to_hex(stored_key);
60 local server_key_hex = to_hex(server_key); 62 local server_key_hex = to_hex(server_key);
61 63
62 if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then 64 if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
70 log("debug", "set_password for username '%s'", username); 72 log("debug", "set_password for username '%s'", username);
71 local account = accounts:get(username); 73 local account = accounts:get(username);
72 if account then 74 if account then
73 account.salt = generate_uuid(); 75 account.salt = generate_uuid();
74 account.iteration_count = max(account.iteration_count or 0, default_iteration_count); 76 account.iteration_count = max(account.iteration_count or 0, default_iteration_count);
75 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count); 77 local valid, stored_key, server_key = get_auth_db(password, account.salt, account.iteration_count);
76 if not valid then 78 if not valid then
77 return valid, stored_key; 79 return valid, stored_key;
78 end 80 end
79 local stored_key_hex = to_hex(stored_key); 81 local stored_key_hex = to_hex(stored_key);
80 local server_key_hex = to_hex(server_key); 82 local server_key_hex = to_hex(server_key);
104 function provider.create_user(username, password) 106 function provider.create_user(username, password)
105 if password == nil then 107 if password == nil then
106 return accounts:set(username, {}); 108 return accounts:set(username, {});
107 end 109 end
108 local salt = generate_uuid(); 110 local salt = generate_uuid();
109 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, default_iteration_count); 111 local valid, stored_key, server_key = get_auth_db(password, salt, default_iteration_count);
110 if not valid then 112 if not valid then
111 return valid, stored_key; 113 return valid, stored_key;
112 end 114 end
113 local stored_key_hex = to_hex(stored_key); 115 local stored_key_hex = to_hex(stored_key);
114 local server_key_hex = to_hex(server_key); 116 local server_key_hex = to_hex(server_key);
125 function provider.get_sasl_handler() 127 function provider.get_sasl_handler()
126 local testpass_authentication_profile = { 128 local testpass_authentication_profile = {
127 plain_test = function(_, username, password, realm) 129 plain_test = function(_, username, password, realm)
128 return usermanager.test_password(username, realm, password), true; 130 return usermanager.test_password(username, realm, password), true;
129 end, 131 end,
130 scram_sha_1 = function(_, username) 132 [scram_name] = function(_, username)
131 local credentials = accounts:get(username); 133 local credentials = accounts:get(username);
132 if not credentials then return; end 134 if not credentials then return; end
133 if credentials.password then 135 if credentials.password then
134 if provider.set_password(username, credentials.password) == nil then 136 if provider.set_password(username, credentials.password) == nil then
135 return nil, "Auth failed. Could not set hashed password from plaintext."; 137 return nil, "Auth failed. Could not set hashed password from plaintext.";