prosody
e80916ce8d32
util/sasl/scram.lua
Software / code / prosody
Comparison
util/sasl/scram.lua @ 5871:e80916ce8d32
util.sasl.scram: Rename variable for clarity
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 13 Oct 2013 01:43:04 +0200 |
| parent | 5870:61f748d363e1 |
| child | 6786:3deeb38d79ab |
comparison
equal
deleted
inserted
replaced
| 5870:61f748d363e1 | 5871:e80916ce8d32 |
|---|---|
| 111 if not state then | 111 if not state then |
| 112 -- we are processing client_first_message | 112 -- we are processing client_first_message |
| 113 local client_first_message = message; | 113 local client_first_message = message; |
| 114 | 114 |
| 115 -- TODO: fail if authzid is provided, since we don't support them yet | 115 -- TODO: fail if authzid is provided, since we don't support them yet |
| 116 local gs2_header, gs2_cbind_flag, gs2_cbind_name, authzid, client_first_message_bare, name, clientnonce | 116 local gs2_header, gs2_cbind_flag, gs2_cbind_name, authzid, client_first_message_bare, username, clientnonce |
| 117 = s_match(client_first_message, "^(([pny])=?([^,]*),([^,]*),)(m?=?[^,]*,?n=([^,]*),r=([^,]*),?.*)$"); | 117 = s_match(client_first_message, "^(([pny])=?([^,]*),([^,]*),)(m?=?[^,]*,?n=([^,]*),r=([^,]*),?.*)$"); |
| 118 | 118 |
| 119 if not gs2_cbind_flag then | 119 if not gs2_cbind_flag then |
| 120 return "failure", "malformed-request"; | 120 return "failure", "malformed-request"; |
| 121 end | 121 end |
| 139 else | 139 else |
| 140 -- no channel binding, | 140 -- no channel binding, |
| 141 gs2_cbind_name = nil; | 141 gs2_cbind_name = nil; |
| 142 end | 142 end |
| 143 | 143 |
| 144 name = validate_username(name, self.profile.nodeprep); | 144 username = validate_username(username, self.profile.nodeprep); |
| 145 if not name then | 145 if not username then |
| 146 log("debug", "Username violates either SASLprep or contains forbidden character sequences.") | 146 log("debug", "Username violates either SASLprep or contains forbidden character sequences.") |
| 147 return "failure", "malformed-request", "Invalid username."; | 147 return "failure", "malformed-request", "Invalid username."; |
| 148 end | 148 end |
| 149 | 149 |
| 150 -- retreive credentials | 150 -- retreive credentials |
| 151 local stored_key, server_key, salt, iteration_count; | 151 local stored_key, server_key, salt, iteration_count; |
| 152 if self.profile.plain then | 152 if self.profile.plain then |
| 153 local password, state = self.profile.plain(self, name, self.realm) | 153 local password, state = self.profile.plain(self, username, self.realm) |
| 154 if state == nil then return "failure", "not-authorized" | 154 if state == nil then return "failure", "not-authorized" |
| 155 elseif state == false then return "failure", "account-disabled" end | 155 elseif state == false then return "failure", "account-disabled" end |
| 156 | 156 |
| 157 password = saslprep(password); | 157 password = saslprep(password); |
| 158 if not password then | 158 if not password then |
| 169 log("error", "Generating authentication database failed. Reason: %s", stored_key); | 169 log("error", "Generating authentication database failed. Reason: %s", stored_key); |
| 170 return "failure", "temporary-auth-failure"; | 170 return "failure", "temporary-auth-failure"; |
| 171 end | 171 end |
| 172 elseif self.profile[profile_name] then | 172 elseif self.profile[profile_name] then |
| 173 local state; | 173 local state; |
| 174 stored_key, server_key, iteration_count, salt, state = self.profile[profile_name](self, name, self.realm); | 174 stored_key, server_key, iteration_count, salt, state = self.profile[profile_name](self, username, self.realm); |
| 175 if state == nil then return "failure", "not-authorized" | 175 if state == nil then return "failure", "not-authorized" |
| 176 elseif state == false then return "failure", "account-disabled" end | 176 elseif state == false then return "failure", "account-disabled" end |
| 177 end | 177 end |
| 178 | 178 |
| 179 local nonce = clientnonce .. generate_uuid(); | 179 local nonce = clientnonce .. generate_uuid(); |
| 180 local server_first_message = "r="..nonce..",s="..base64.encode(salt)..",i="..iteration_count; | 180 local server_first_message = "r="..nonce..",s="..base64.encode(salt)..",i="..iteration_count; |
| 181 self.state = { | 181 self.state = { |
| 182 gs2_header = gs2_header; | 182 gs2_header = gs2_header; |
| 183 gs2_cbind_name = gs2_cbind_name; | 183 gs2_cbind_name = gs2_cbind_name; |
| 184 name = name; | 184 username = username; |
| 185 nonce = nonce; | 185 nonce = nonce; |
| 186 | 186 |
| 187 server_key = server_key; | 187 server_key = server_key; |
| 188 stored_key = stored_key; | 188 stored_key = stored_key; |
| 189 client_first_message_bare = client_first_message_bare; | 189 client_first_message_bare = client_first_message_bare; |
| 223 local ClientKey = binaryXOR(ClientSignature, base64.decode(proof)) | 223 local ClientKey = binaryXOR(ClientSignature, base64.decode(proof)) |
| 224 local ServerSignature = HMAC_f(ServerKey, AuthMessage) | 224 local ServerSignature = HMAC_f(ServerKey, AuthMessage) |
| 225 | 225 |
| 226 if StoredKey == H_f(ClientKey) then | 226 if StoredKey == H_f(ClientKey) then |
| 227 local server_final_message = "v="..base64.encode(ServerSignature); | 227 local server_final_message = "v="..base64.encode(ServerSignature); |
| 228 self["username"] = state.name; | 228 self["username"] = state.username; |
| 229 return "success", server_final_message; | 229 return "success", server_final_message; |
| 230 else | 230 else |
| 231 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated."; | 231 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated."; |
| 232 end | 232 end |
| 233 end | 233 end |
