util/sasl/scram.lua
changeset 10778 207691ad98fe
parent 10503 79c568d4146c
child 10920 c7ed8f754033
10777:3e1046b39484 10778:207691ad98fe
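--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -110,11 +110,11 @@
 		local server_key = HMAC(salted_password, "Server Key");
 		return true, stored_key, server_key
 	end
 end
 
-local function scram_gen(hash_name, H_f, HMAC_f, get_auth_db)
+local function scram_gen(hash_name, H_f, HMAC_f, get_auth_db, expect_cb)
 	local profile_name = "scram_" .. hashprep(hash_name);
 	local function scram_hash(self, message)
 		local support_channel_binding = false;
 		if self.profile.cb then support_channel_binding = true; end
 
@@ -139,10 +139,14 @@
 					return "failure", "malformed-request";
 				end
 
 			if gs2_cbind_flag == "n" then
 				-- "n" -> client doesn't support channel binding.
+				if expect_cb then
+					log("debug", "Client unexpectedly doesn't support channel binding");
+					-- XXX Is it sensible to abort if the client starts -PLUS but doesn't use channel binding?
+				end
 				support_channel_binding = false;
 			end
 
 			if support_channel_binding and gs2_cbind_flag == "p" then
 				-- check whether we support the proposed channel binding type
@@ -258,11 +262,11 @@
 			scram_gen(hash_name:lower(), hash, hmac_hash, get_auth_db));
 
 		-- register channel binding equivalent
 		registerMechanism("SCRAM-"..hash_name.."-PLUS",
 			{"plain", "scram_"..(hashprep(hash_name))},
-			scram_gen(hash_name:lower(), hash, hmac_hash, get_auth_db), {"tls-unique"});
+			scram_gen(hash_name:lower(), hash, hmac_hash, get_auth_db, true), {"tls-unique"});
 	end
 
 	registerSCRAMMechanism("SHA-1", hashes.sha1, hashes.hmac_sha1, hashes.pbkdf2_hmac_sha1);
 	registerSCRAMMechanism("SHA-256", hashes.sha256, hashes.hmac_sha256, hashes.pbkdf2_hmac_sha256);
 end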
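Review bot: In the `gs2_cbind_flag == "n"` branch, a client that selected a -PLUS mechanism but sends "n" is only logged at debug level, after which `support_channel_binding = false` lets the exchange continue without channel binding. The mismatch is therefore invisible in normal logs and the binding guarantee of the -PLUS mechanism is silently dropped. Since a client that picks the -PLUS variant is expected to send "p", this branch could fail closed with `if expect_cb then return "failure", "malformed-request"; end`, or at least log at "warn" so operators can see it. If the permissive behaviour is kept for interoperability, replace the XXX with a comment recording that decision and why. scram_hash's body continues outside the visible hunks, so the handling of the "y" flag cannot be checked from here.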