--- sasl.lua v0.1
--- Copyright (C) 2008 Tobias Markmann
+-- sasl.lua v0.4
+-- Copyright (C) 2008-2009 Tobias Markmann
--
-- All rights reserved.
--
return data
end
+ local function utf8tolatin1ifpossible(passwd)
+ local i = 1;
+ while i <= #passwd do
+ local passwd_i = to_byte(passwd:sub(i, i));
+ if passwd_i > 0x7F then
+ if passwd_i < 0xC0 or passwd_i > 0xC3 then
+ return passwd;
+ end
+ i = i + 1;
+ passwd_i = to_byte(passwd:sub(i, i));
+ if passwd_i < 0x80 or passwd_i > 0xBF then
+ return passwd;
+ end
+ end
+ i = i + 1;
+ end
+
+ local p = {};
+ local j = 0;
+ i = 1;
+ while (i <= #passwd) do
+ local passwd_i = to_byte(passwd:sub(i, i));
+ if passwd_i > 0x7F then
+ i = i + 1;
+ local passwd_i_1 = to_byte(passwd:sub(i, i));
+ t_insert(p, to_char(passwd_i%4*64 + passwd_i_1%64)); -- I'm so clever
+ else
+ t_insert(p, to_char(passwd_i));
+ end
+ i = i + 1;
+ end
+ return t_concat(p);
+ end
local function latin1toutf8(str)
local p = {};
for ch in gmatch(str, ".") do
if not response["cnonce"] then return "failure", "malformed-request", "Missing entry for cnonce in SASL message." end
if not response["qop"] then response["qop"] = "auth" end
- if response["realm"] == nil then response["realm"] = "" end
+ if response["realm"] == nil or response["realm"] == "" then
+ response["realm"] = self.realm;
+ elseif response["realm"] ~= self.realm then
+ return "failure", "not-authorized", "Incorrect realm value";
+ end
+ local decoder;
if response["charset"] == nil then
- response["username"] = latin1toutf8(response["username"])
- response["realm"] = latin1toutf8(response["realm"])
+ decoder = utf8tolatin1ifpossible;
elseif response["charset"] ~= "utf-8" then
return "failure", "incorrect-encoding", "The client's response uses "..response["charset"].." for encoding with isn't supported by sasl.lua. Supported encodings are latin or utf-8."
end
--TODO maybe realm support
self.username = response["username"]
- local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5")
+ local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5", decoder)
if Y == nil then return "failure", "not-authorized"
elseif Y == false then return "failure", "account-disabled" end
local A1 = Y..":"..response["nonce"]..":"..response["cnonce"]--:authzid
- local A2 = "AUTHENTICATE:"..protocol.."/"..idna_ascii(domain)
+ local A2 = "AUTHENTICATE:"..protocol.."/"..domain;
local HA1 = md5(A1, true)
local HA2 = md5(A2, true)
if response_value == response["response"] then
-- calculate rspauth
- A2 = ":"..protocol.."/"..idna_ascii(domain)
+ A2 = ":"..protocol.."/"..domain;
HA1 = md5(A1, true)
HA2 = md5(A2, true)
return object
end
+local function new_anonymous(realm, password_handler)
+ local object = { mechanism = "ANONYMOUS", realm = realm, password_handler = password_handler}
+ function object.feed(self, message)
+ return "success"
+ end
+ --TODO: From XEP-0175 "It is RECOMMENDED for the node identifier to be a UUID as specified in RFC 4122 [5]." So util.uuid() should (or have an option to) behave as specified in RFC 4122.
+ object["username"] = generate_uuid()
+ return object
+end
+
+
function new(mechanism, realm, password_handler)
local object
if mechanism == "PLAIN" then object = new_plain(realm, password_handler)
elseif mechanism == "DIGEST-MD5" then object = new_digest_md5(realm, password_handler)
+ elseif mechanism == "ANONYMOUS" then object = new_anonymous(realm, password_handler)
else
log("debug", "Unsupported SASL mechanism: "..tostring(mechanism));
return nil