
plugins/mod_auth_internal_hashed.lua @ 10563:e8db377a2983

Merge 0.11->trunk
author Kim Alvefur <zash@zash.se>
date Tue, 24 Dec 2019 00:39:45 +0100
parent 10522:b1ca849b8e3a
parent 10219:d58925bb74ca
child 10916:c7ed8f754033
7 -- COPYING file in the source package for more information. 7 -- COPYING file in the source package for more information.
8 -- 8 --
9 9
10 local max = math.max; 10 local max = math.max;
11 11
12 local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1; 12 local scram_hashers = require "util.sasl.scram".hashers;
13 local usermanager = require "core.usermanager"; 13 local usermanager = require "core.usermanager";
14 local generate_uuid = require "util.uuid".generate; 14 local generate_uuid = require "util.uuid".generate;
15 local new_sasl = require "util.sasl".new; 15 local new_sasl = require "util.sasl".new;
16 local hex = require"util.hex"; 16 local hex = require"util.hex";
17 local to_hex, from_hex = hex.to, hex.from; 17 local to_hex, from_hex = hex.to, hex.from;
19 local log = module._log; 19 local log = module._log;
20 local host = module.host; 20 local host = module.host;
21 21
22 local accounts = module:open_store("accounts"); 22 local accounts = module:open_store("accounts");
23 23
24 24 local hash_name = module:get_option_string("password_hash", "SHA-1");
25 local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not supported by SASL library");
26 local scram_name = "scram_"..hash_name:gsub("%-","_"):lower();
25 27
26 -- Default; can be set per-user 28 -- Default; can be set per-user
27 local default_iteration_count = 4096; 29 local default_iteration_count = 4096;
28 30
29 -- define auth provider 31 -- define auth provider
47 49
48 if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then 50 if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
49 return nil, "Auth failed. Stored salt and iteration count information is not complete."; 51 return nil, "Auth failed. Stored salt and iteration count information is not complete.";
50 end 52 end
51 53
52 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); 54 local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count);
53 55
54 local stored_key_hex = to_hex(stored_key); 56 local stored_key_hex = to_hex(stored_key);
55 local server_key_hex = to_hex(server_key); 57 local server_key_hex = to_hex(server_key);
56 58
57 if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then 59 if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
65 log("debug", "set_password for username '%s'", username); 67 log("debug", "set_password for username '%s'", username);
66 local account = accounts:get(username); 68 local account = accounts:get(username);
67 if account then 69 if account then
68 account.salt = generate_uuid(); 70 account.salt = generate_uuid();
69 account.iteration_count = max(account.iteration_count or 0, default_iteration_count); 71 account.iteration_count = max(account.iteration_count or 0, default_iteration_count);
70 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count); 72 local valid, stored_key, server_key = get_auth_db(password, account.salt, account.iteration_count);
71 if not valid then 73 if not valid then
72 return valid, stored_key; 74 return valid, stored_key;
73 end 75 end
74 local stored_key_hex = to_hex(stored_key); 76 local stored_key_hex = to_hex(stored_key);
75 local server_key_hex = to_hex(server_key); 77 local server_key_hex = to_hex(server_key);
99 function provider.create_user(username, password) 101 function provider.create_user(username, password)
100 if password == nil then 102 if password == nil then
101 return accounts:set(username, {}); 103 return accounts:set(username, {});
102 end 104 end
103 local salt = generate_uuid(); 105 local salt = generate_uuid();
104 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, default_iteration_count); 106 local valid, stored_key, server_key = get_auth_db(password, salt, default_iteration_count);
105 if not valid then 107 if not valid then
106 return valid, stored_key; 108 return valid, stored_key;
107 end 109 end
108 local stored_key_hex = to_hex(stored_key); 110 local stored_key_hex = to_hex(stored_key);
109 local server_key_hex = to_hex(server_key); 111 local server_key_hex = to_hex(server_key);
120 function provider.get_sasl_handler() 122 function provider.get_sasl_handler()
121 local testpass_authentication_profile = { 123 local testpass_authentication_profile = {
122 plain_test = function(_, username, password, realm) 124 plain_test = function(_, username, password, realm)
123 return usermanager.test_password(username, realm, password), true; 125 return usermanager.test_password(username, realm, password), true;
124 end, 126 end,
125 scram_sha_1 = function(_, username) 127 [scram_name] = function(_, username)
126 local credentials = accounts:get(username); 128 local credentials = accounts:get(username);
127 if not credentials then return; end 129 if not credentials then return; end
128 if credentials.password then 130 if credentials.password then
129 if provider.set_password(username, credentials.password) == nil then 131 if provider.set_password(username, credentials.password) == nil then
130 return nil, "Auth failed. Could not set hashed password from plaintext."; 132 return nil, "Auth failed. Could not set hashed password from plaintext.";
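Review bot: The stored account record carries no indication of which hash its `stored_key`/`server_key` were derived with, so once `password_hash` becomes configurable (new lines 24–26) an operator who changes it on an existing deployment will have `test_password` (the comparison at new line 59) reject every account hashed under the previous setting, and the `[scram_name]` handler at new line 127 only re-derives keys when a plaintext `credentials.password` is still present. I would record the algorithm on write — `account.hash = hash_name;` beside the `account.salt = generate_uuid();` assignment in set_password, and likewise in the account table create_user stores (that write is outside the hunk) — and have test_password fail closed on a mismatch, `if credentials.hash and credentials.hash ~= hash_name then return nil, "Auth failed. Stored hash does not match password_hash."; end`, so the failure is reported as a configuration problem rather than looking like a wrong password. A comment next to the new option, `-- Changing this does not re-hash existing accounts; their stored keys must be regenerated before the new mechanism will accept them`, would also spare the next operator a surprise. The `get_sasl_handler` function continues past the end of the hunk.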