local char = string.char;
local byte = string.byte;
-module "scram"
+module "sasl.scram"
--=========================
---SASL SCRAM-SHA-1 according to draft-ietf-sasl-scram-10
+--SASL SCRAM-SHA-1 according to RFC 5802
--[[
Supported Authentication Backends
end
-- hash algorithm independent Hi(PBKDF2) implementation
-local function Hi(hmac, str, salt, i)
+function Hi(hmac, str, salt, i)
local Ust = hmac(str, salt.."\0\0\0\1");
- local res = Ust;
+ local res = Ust;
for n=1,i-1 do
local Und = hmac(str, Ust)
res = binaryXOR(res, Und)
local function validate_username(username)
-- check for forbidden char sequences
for eq in username:gmatch("=(.?.?)") do
- if eq ~= "2D" and eq ~= "3D" then
- return false
- end
+ if eq ~= "2C" and eq ~= "3D" then
+ return false
+ end
end
- -- replace =2D with , and =3D with =
- username = username:gsub("=2D", ",");
+ -- replace =2C with , and =3D with =
+ username = username:gsub("=2C", ",");
username = username:gsub("=3D", "=");
-- apply SASLprep
username = saslprep(username);
- return username;
+ return username and #username>0 and username;
end
local function hashprep(hashname)
-- retreive credentials
if self.profile.plain then
- local password, state = self.profile.plain(self.state.name, self.realm)
+ local password, state = self.profile.plain(self, self.state.name, self.realm)
if state == nil then return "failure", "not-authorized"
elseif state == false then return "failure", "account-disabled" end
return "failure", "temporary-auth-failure";
end
elseif self.profile["scram_"..hashprep(hash_name)] then
- local stored_key, server_key, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self.state.name, self.realm);
+ local stored_key, server_key, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self, self.state.name, self.realm);
if state == nil then return "failure", "not-authorized"
elseif state == false then return "failure", "account-disabled" end