Software /
code /
prosody
Diff
plugins/mod_auth_internal_hashed.lua @ 10218:e458578ddfd3
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
This will currently require a hard reset of all passwords back to plain.
This will be least painful on new deployments.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 13 Jan 2019 14:02:56 +0100 |
parent | 8192:4354f556c5db |
child | 10219:d58925bb74ca |
line wrap: on
line diff
--- a/plugins/mod_auth_internal_hashed.lua Sun Jan 13 14:02:29 2019 +0100 +++ b/plugins/mod_auth_internal_hashed.lua Sun Jan 13 14:02:56 2019 +0100 @@ -9,7 +9,7 @@ local max = math.max; -local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1; +local scram_hashers = require "util.sasl.scram".hashers; local usermanager = require "core.usermanager"; local generate_uuid = require "util.uuid".generate; local new_sasl = require "util.sasl".new; @@ -21,7 +21,8 @@ local accounts = module:open_store("accounts"); - +local hash_name = module:get_option_string("password_hash", "SHA-1"); +local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not supported by SASL library"); -- Default; can be set per-user local default_iteration_count = 4096; @@ -49,7 +50,7 @@ return nil, "Auth failed. Stored salt and iteration count information is not complete."; end - local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); + local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count); local stored_key_hex = to_hex(stored_key); local server_key_hex = to_hex(server_key); @@ -67,7 +68,7 @@ if account then account.salt = generate_uuid(); account.iteration_count = max(account.iteration_count or 0, default_iteration_count); - local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count); + local valid, stored_key, server_key = get_auth_db(password, account.salt, account.iteration_count); local stored_key_hex = to_hex(stored_key); local server_key_hex = to_hex(server_key); @@ -98,7 +99,7 @@ return accounts:set(username, {}); end local salt = generate_uuid(); - local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, default_iteration_count); + local valid, stored_key, server_key = get_auth_db(password, salt, default_iteration_count); local stored_key_hex = to_hex(stored_key); local server_key_hex = to_hex(server_key); return accounts:set(username, { @@ -116,7 +117,7 @@ plain_test = function(_, username, password, realm) return usermanager.test_password(username, realm, password), true; end, - scram_sha_1 = function(_, username) + ["scram_"..hash_name:gsub("%-","_"):lower()] = function(_, username) local credentials = accounts:get(username); if not credentials then return; end if credentials.password then