Mercurial Mercurial > prosody > prosody / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1
authorKim Alvefur <zash@zash.se>
Sun, 13 Jan 2019 14:02:56 +0100
changeset 10222 e458578ddfd3
parent 10221 60b445183d84
child 10223 d58925bb74ca
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1 This will currently require a hard reset of all passwords back to plain. This will be least painful on new deployments.
CHANGES file | annotate | diff | comparison | revisions
plugins/mod_auth_internal_hashed.lua file | annotate | diff | comparison | revisions 
--- a/CHANGES	Sun Jan 13 14:02:29 2019 +0100
+++ b/CHANGES	Sun Jan 13 14:02:56 2019 +0100
@@ -9,6 +9,7 @@
 -   Archive quotas
 -   mod\_mimicking
 -   Rewritten migrator
+-   SCRAM-SHA-256
 
 0.11.0
 ======
--- a/plugins/mod_auth_internal_hashed.lua	Sun Jan 13 14:02:29 2019 +0100
+++ b/plugins/mod_auth_internal_hashed.lua	Sun Jan 13 14:02:56 2019 +0100
@@ -9,7 +9,7 @@
 
 local max = math.max;
 
-local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1;
+local scram_hashers = require "util.sasl.scram".hashers;
 local usermanager = require "core.usermanager";
 local generate_uuid = require "util.uuid".generate;
 local new_sasl = require "util.sasl".new;
@@ -21,7 +21,8 @@
 
 local accounts = module:open_store("accounts");
 
-
+local hash_name = module:get_option_string("password_hash", "SHA-1");
+local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not supported by SASL library");
 
 -- Default; can be set per-user
 local default_iteration_count = 4096;
@@ -49,7 +50,7 @@
 		return nil, "Auth failed. Stored salt and iteration count information is not complete.";
 	end
 
-	local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count);
+	local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count);
 
 	local stored_key_hex = to_hex(stored_key);
 	local server_key_hex = to_hex(server_key);
@@ -67,7 +68,7 @@
 	if account then
 		account.salt = generate_uuid();
 		account.iteration_count = max(account.iteration_count or 0, default_iteration_count);
-		local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count);
+		local valid, stored_key, server_key = get_auth_db(password, account.salt, account.iteration_count);
 		local stored_key_hex = to_hex(stored_key);
 		local server_key_hex = to_hex(server_key);
 
@@ -98,7 +99,7 @@
 		return accounts:set(username, {});
 	end
 	local salt = generate_uuid();
-	local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, default_iteration_count);
+	local valid, stored_key, server_key = get_auth_db(password, salt, default_iteration_count);
 	local stored_key_hex = to_hex(stored_key);
 	local server_key_hex = to_hex(server_key);
 	return accounts:set(username, {
@@ -116,7 +117,7 @@
 		plain_test = function(_, username, password, realm)
 			return usermanager.test_password(username, realm, password), true;
 		end,
-		scram_sha_1 = function(_, username)
+		["scram_"..hash_name:gsub("%-","_"):lower()] = function(_, username)
 			local credentials = accounts:get(username);
 			if not credentials then return; end
 			if credentials.password then
prosody