author | Tobias Markmann <tm@ayena.de> |
Sun, 30 Nov 2008 17:34:47 +0100 | |
changeset 508 | 4fd60ae97535 |
parent 507 | 4d3ccc6b5817 |
child 519 | cccd610a0ef9 |
permissions | -rw-r--r-- |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
1 |
|
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
2 |
local md5 = require "util.hashes".md5; |
38 | 3 |
local log = require "util.logger".init("sasl"); |
4 |
local tostring = tostring; |
|
5 |
local st = require "util.stanza"; |
|
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
6 |
local generate_uuid = require "util.uuid".generate; |
504
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
7 |
local t_insert, t_concat = table.insert, table.concat; |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
8 |
local to_byte, to_char = string.byte, string.char; |
38 | 9 |
local s_match = string.match; |
277
00c2fc751f50
Fixing some parsing and some other stuff.
Tobias Markmann <tm@ayena.de>
parents:
276
diff
changeset
|
10 |
local gmatch = string.gmatch |
280
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
11 |
local string = string |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
12 |
local math = require "math" |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
13 |
local type = type |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
14 |
local error = error |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
15 |
local print = print |
476
4744735a0a5e
Apply IDNA to ASCII on hostnames.
Tobias Markmann <tm@ayena.de>
parents:
475
diff
changeset
|
16 |
local idna_ascii = require "util.encodings".idna.to_ascii |
496
b3251b137d68
idna-to-unicode so password_handler looks for the right domain.
Tobias Markmann <tm@ayena.de>
parents:
495
diff
changeset
|
17 |
local idna_unicode = require "util.encodings".idna.to_unicode |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
18 |
|
38 | 19 |
module "sasl" |
20 |
||
285
372d0891e8fd
Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents:
280
diff
changeset
|
21 |
local function new_plain(realm, password_handler) |
372d0891e8fd
Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents:
280
diff
changeset
|
22 |
local object = { mechanism = "PLAIN", realm = realm, password_handler = password_handler} |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
23 |
function object.feed(self, message) |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
24 |
|
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
25 |
if message == "" or message == nil then return "failure", "malformed-request" end |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
26 |
local response = message |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
27 |
local authorization = s_match(response, "([^&%z]+)") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
28 |
local authentication = s_match(response, "%z([^&%z]+)%z") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
29 |
local password = s_match(response, "%z[^&%z]+%z([^&%z]+)") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
30 |
|
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
31 |
if authentication == nil or password == nil then return "failure", "malformed-request" end |
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
32 |
|
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
33 |
local password_encoding, correct_password = self.password_handler(authentication, self.realm, "PLAIN") |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
34 |
|
405 | 35 |
if correct_password == nil then return "failure", "not-authorized" |
404
4801dbeccc2a
Some changes to report more correct SASL failures. Support for disabled accounts.
Tobias Markmann <tm@ayena.de>
parents:
402
diff
changeset
|
36 |
elseif correct_password == false then return "failure", "account-disabled" end |
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
37 |
|
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
38 |
local claimed_password = "" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
39 |
if password_encoding == nil then claimed_password = password |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
40 |
else claimed_password = password_encoding(password) end |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
41 |
|
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
42 |
self.username = authentication |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
43 |
if claimed_password == correct_password then |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
44 |
return "success" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
45 |
else |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
46 |
return "failure", "not-authorized" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
47 |
end |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
48 |
end |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
49 |
return object |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
50 |
end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
51 |
|
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
52 |
local function new_digest_md5(realm, password_handler) |
280
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
53 |
--TODO maybe support for authzid |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
54 |
|
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
55 |
local function serialize(message) |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
56 |
local data = "" |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
57 |
|
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
58 |
if type(message) ~= "table" then error("serialize needs an argument of type table.") end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
59 |
|
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
60 |
-- testing all possible values |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
61 |
if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
62 |
if message["qop"] then data = data..[[qop="]]..message.qop..[[",]] end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
63 |
if message["charset"] then data = data..[[charset=]]..message.charset.."," end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
64 |
if message["algorithm"] then data = data..[[algorithm=]]..message.algorithm.."," end |
280
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
65 |
if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end |
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
66 |
if message["rspauth"] then data = data..[[rspauth=]]..message.rspauth.."," end |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
67 |
data = data:gsub(",$", "") |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
68 |
return data |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
69 |
end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
70 |
|
504
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
71 |
local function latin1toutf8(str) |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
72 |
local p = {}; |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
73 |
for ch in gmatch(str, ".") do |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
74 |
ch = to_byte(ch); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
75 |
if (ch < 0x80) then |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
76 |
t_insert(p, to_char(ch)); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
77 |
elseif (ch < 0xC0) then |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
78 |
t_insert(p, to_char(0xC2, ch)); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
79 |
else |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
80 |
t_insert(p, to_char(0xC3, ch - 64)); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
81 |
end |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
82 |
end |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
83 |
return t_concat(p); |
efc5184effa1
Added function latin1toutf8 to sasl.lua, for processing non-utf8 responses
Waqas Hussain <waqas20@gmail.com>
parents:
496
diff
changeset
|
84 |
end |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
85 |
local function parse(data) |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
86 |
message = {} |
458 | 87 |
for k, v in gmatch(data, [[([%w%-]+)="?([^",]*)"?,?]]) do -- FIXME The hacky regex makes me shudder |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
88 |
message[k] = v |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
89 |
end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
90 |
return message |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
91 |
end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
92 |
|
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
93 |
local object = { mechanism = "DIGEST-MD5", realm = realm, password_handler = password_handler} |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
94 |
|
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
95 |
--TODO: something better than math.random would be nice, maybe OpenSSL's random number generator |
280
516f4c901991
Rewrote SASL Digest-MD5 responce generating code, fixed some realm related issue and tested it successfully with Psi. Thanks to dwd, remko and jake.
Tobias Markmann <tm@ayena.de>
parents:
278
diff
changeset
|
96 |
object.nonce = generate_uuid() |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
97 |
object.step = 0 |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
98 |
object.nonce_count = {} |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
99 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
100 |
function object.feed(self, message) |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
101 |
self.step = self.step + 1 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
102 |
if (self.step == 1) then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
103 |
local challenge = serialize({ nonce = object.nonce, |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
104 |
qop = "auth", |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
105 |
charset = "utf-8", |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
106 |
algorithm = "md5-sess", |
505
1b938e00412c
Remove that idn stuff for realm because it's either an ugly hack that the password_handler isn't ready for or something worse.
Tobias Markmann <tm@ayena.de>
parents:
496
diff
changeset
|
107 |
realm = self.realm}); |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
108 |
return "challenge", challenge |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
109 |
elseif (self.step == 2) then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
110 |
local response = parse(message) |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
111 |
-- check for replay attack |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
112 |
if response["nc"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
113 |
if self.nonce_count[response["nc"]] then return "failure", "not-authorized" end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
114 |
end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
115 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
116 |
-- check for username, it's REQUIRED by RFC 2831 |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
117 |
if not response["username"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
118 |
return "failure", "malformed-request" |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
119 |
end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
120 |
self["username"] = response["username"] |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
121 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
122 |
-- check for nonce, ... |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
123 |
if not response["nonce"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
124 |
return "failure", "malformed-request" |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
125 |
else |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
126 |
-- check if it's the right nonce |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
127 |
if response["nonce"] ~= tostring(self.nonce) then return "failure", "malformed-request" end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
128 |
end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
129 |
|
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
130 |
if not response["cnonce"] then return "failure", "malformed-request", "Missing entry for cnonce in SASL message." end |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
131 |
if not response["qop"] then response["qop"] = "auth" end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
132 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
133 |
if response["realm"] == nil then response["realm"] = "" end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
134 |
|
508
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
135 |
if response["charset"] == nil then |
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
136 |
response["username"] = latin1toutf8(response["username"]) |
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
137 |
response["realm"] = latin1toutf8(response["realm"]) |
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
138 |
elseif response["charset"] ~= "utf-8" then |
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
139 |
return "failure", "incorrect-encoding", "The client's response uses "..response["charset"].." for encoding with isn't supported by sasl.lua. Supported encodings are latin or utf-8." |
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
140 |
end |
4fd60ae97535
Converting latin encoded responsed to utf-8 when needed.
Tobias Markmann <tm@ayena.de>
parents:
507
diff
changeset
|
141 |
|
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
142 |
local domain = "" |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
143 |
local protocol = "" |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
144 |
if response["digest-uri"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
145 |
protocol, domain = response["digest-uri"]:match("(%w+)/(.*)$") |
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
146 |
if protocol == nil or domain == nil then return "failure", "malformed-request" end |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
147 |
else |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
148 |
return "failure", "malformed-request", "Missing entry for digest-uri in SASL message." |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
149 |
end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
150 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
151 |
--TODO maybe realm support |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
152 |
self.username = response["username"] |
505
1b938e00412c
Remove that idn stuff for realm because it's either an ugly hack that the password_handler isn't ready for or something worse.
Tobias Markmann <tm@ayena.de>
parents:
496
diff
changeset
|
153 |
local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5") |
405 | 154 |
if Y == nil then return "failure", "not-authorized" |
404
4801dbeccc2a
Some changes to report more correct SASL failures. Support for disabled accounts.
Tobias Markmann <tm@ayena.de>
parents:
402
diff
changeset
|
155 |
elseif Y == false then return "failure", "account-disabled" end |
402
50f1c09541cd
Checking some variables for nil so no errors occur that'll break the server.
Tobias Markmann <tm@ayena.de>
parents:
401
diff
changeset
|
156 |
|
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
157 |
local A1 = Y..":"..response["nonce"]..":"..response["cnonce"]--:authzid |
472
ee45599c0b5d
Do idna_to_ascii when building own response.
Tobias Markmann <tm@ayena.de>
parents:
449
diff
changeset
|
158 |
local A2 = "AUTHENTICATE:"..protocol.."/"..idna_ascii(domain) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
159 |
|
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
160 |
local HA1 = md5(A1, true) |
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
161 |
local HA2 = md5(A2, true) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
162 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
163 |
local KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2 |
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
164 |
local response_value = md5(KD, true) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
165 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
166 |
if response_value == response["response"] then |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
167 |
-- calculate rspauth |
472
ee45599c0b5d
Do idna_to_ascii when building own response.
Tobias Markmann <tm@ayena.de>
parents:
449
diff
changeset
|
168 |
A2 = ":"..protocol.."/"..idna_ascii(domain) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
169 |
|
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
170 |
HA1 = md5(A1, true) |
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
171 |
HA2 = md5(A2, true) |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
172 |
|
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
173 |
KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2 |
449
c0a4a1e63d70
Completely switched to new hashes library from the old md5 library
Waqas Hussain <waqas20@gmail.com>
parents:
405
diff
changeset
|
174 |
local rspauth = md5(KD, true) |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
175 |
self.authenticated = true |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
176 |
return "challenge", serialize({rspauth = rspauth}) |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
177 |
else |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
178 |
return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated." |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
179 |
end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
180 |
elseif self.step == 3 then |
297
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
181 |
if self.authenticated ~= nil then return "success" |
15b375870b40
Providing some human readable error messages and some fixes.
Tobias Markmann <tm@ayena.de>
parents:
294
diff
changeset
|
182 |
else return "failure", "malformed-request" end |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
183 |
end |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
184 |
end |
276
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
185 |
return object |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
186 |
end |
30893439d5d1
Some early attempts on DIGEST-MD5.
Tobias Markmann <tm@ayena.de>
parents:
50
diff
changeset
|
187 |
|
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
188 |
function new(mechanism, realm, password_handler) |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
189 |
local object |
294
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
190 |
if mechanism == "PLAIN" then object = new_plain(realm, password_handler) |
5d861d6e5bbd
Made SASL module fit the new interface.
Tobias Markmann <tm@ayena.de>
parents:
292
diff
changeset
|
191 |
elseif mechanism == "DIGEST-MD5" then object = new_digest_md5(realm, password_handler) |
38 | 192 |
else |
193 |
log("debug", "Unsupported SASL mechanism: "..tostring(mechanism)); |
|
285
372d0891e8fd
Made PLAIN method in sasl.lua module follow new interface.
Tobias Markmann <tm@ayena.de>
parents:
280
diff
changeset
|
194 |
return nil |
15
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
195 |
end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
196 |
return object |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
197 |
end |
c0d754774db2
adding SASL lib with PLAIN support, not tested yet
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
198 |
|
38 | 199 |
return _M; |