X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=plugins%2Fmod_auth_internal_hashed.lua;h=ee810426694a8980c10b0d0d72c1e823071401ac;hb=9219b5b35c5be9687eafac1f840246c10352905e;hp=81dfe688f901a39cfb25c34c4fab81d992142661;hpb=2f8b2cb02d0bfb097132fe8ac7ca1c8a9425f3da;p=prosody.git diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index 81dfe688..ee810426 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua @@ -8,7 +8,7 @@ -- local datamanager = require "util.datamanager"; -local log = require "util.logger".init("usermanager"); +local log = require "util.logger".init("auth_internal_hashed"); local type = type; local error = error; local ipairs = ipairs; @@ -22,10 +22,31 @@ local new_sasl = require "util.sasl".new; local nodeprep = require "util.encodings".stringprep.nodeprep; local hosts = hosts; --- TODO: remove these two lines in near future +-- COMPAT w/old trunk: remove these two lines before 0.8 release local hmac_sha1 = require "util.hmac".sha1; local sha1 = require "util.hashes".sha1; +local to_hex; +do + local function replace_byte_with_hex(byte) + return ("%02x"):format(byte:byte()); + end + function to_hex(binary_string) + return binary_string:gsub(".", replace_byte_with_hex); + end +end + +local from_hex; +do + local function replace_hex_with_byte(hex) + return string.char(tonumber(hex, 16)); + end + function from_hex(hex_string) + return hex_string:gsub("..", replace_hex_with_byte); + end +end + + local prosody = _G.prosody; -- Default; can be set per-user @@ -55,19 +76,19 @@ function new_hashpass_provider(host) end -- convert hexpass to stored_key and server_key - -- TODO: remove this in near future + -- COMPAT w/old trunk: remove before 0.8 release if credentials.hashpass then - local salted_password = credentials.hashpass:gsub("..", function(x) return string.char(tonumber(x, 16)); end); - credentials.stored_key = sha1(hmac_sha1(salted_password, "Client Key")):gsub(".", function (c) return ("%02x"):format(c:byte()); end); - credentials.server_key = hmac_sha1(salted_password, "Server Key"):gsub(".", function (c) return ("%02x"):format(c:byte()); end); + local salted_password = from_hex(credentials.hashpass); + credentials.stored_key = sha1(hmac_sha1(salted_password, "Client Key"), true); + credentials.server_key = to_hex(hmac_sha1(salted_password, "Server Key")); credentials.hashpass = nil datamanager.store(username, host, "accounts", credentials); end local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); - local stored_key_hex = stored_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end); - local server_key_hex = server_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end); + local stored_key_hex = to_hex(stored_key); + local server_key_hex = to_hex(server_key); if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then return true; @@ -82,8 +103,8 @@ function new_hashpass_provider(host) account.salt = account.salt or generate_uuid(); account.iteration_count = account.iteration_count or iteration_count; local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count); - local stored_key_hex = stored_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end); - local server_key_hex = server_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end); + local stored_key_hex = to_hex(stored_key); + local server_key_hex = to_hex(server_key); account.stored_key = stored_key_hex account.server_key = server_key_hex @@ -100,67 +121,62 @@ function new_hashpass_provider(host) log("debug", "account not found for username '%s' at host '%s'", username, module.host); return nil, "Auth failed. Invalid username"; end - --[[if (account.hashpass == nil or string.len(account.hashpass) == 0) and (account.password == nil or string.len(account.password) == 0) then - log("debug", "account password not set or zero-length for username '%s' at host '%s'", username, module.host); - return nil, "Auth failed. Password invalid."; - end]] return true; end function provider.create_user(username, password) + if password == nil then + return datamanager.store(username, host, "accounts", {}); + end local salt = generate_uuid(); local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, iteration_count); - local stored_key_hex = stored_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end); - local server_key_hex = server_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end); + local stored_key_hex = to_hex(stored_key); + local server_key_hex = to_hex(server_key); return datamanager.store(username, host, "accounts", {stored_key = stored_key_hex, server_key = server_key_hex, salt = salt, iteration_count = iteration_count}); end + function provider.delete_user(username) + return datamanager.store(username, host, "accounts", nil); + end + function provider.get_sasl_handler() - local realm = module:get_option("sasl_realm") or module.host; local testpass_authentication_profile = { - plain_test = function(username, password, realm) + plain_test = function(sasl, username, password, realm) local prepped_username = nodeprep(username); if not prepped_username then log("debug", "NODEprep failed on username: %s", username); return "", nil; end - return usermanager.test_password(prepped_username, password, realm), true; + return usermanager.test_password(prepped_username, realm, password), true; end, - scram_sha_1 = function(username, realm) - local credentials = datamanager.load(username, host, "accounts") or {}; + scram_sha_1 = function(sasl, username, realm) + local credentials = datamanager.load(username, host, "accounts"); + if not credentials then return; end if credentials.password then usermanager.set_password(username, credentials.password, host); - credentials = datamanager.load(username, host, "accounts") or {}; + credentials = datamanager.load(username, host, "accounts"); + if not credentials then return; end end -- convert hexpass to stored_key and server_key - -- TODO: remove this in near future + -- COMPAT w/old trunk: remove before 0.8 release if credentials.hashpass then - local salted_password = credentials.hashpass:gsub("..", function(x) return string.char(tonumber(x, 16)); end); - credentials.stored_key = sha1(hmac_sha1(salted_password, "Client Key")):gsub(".", function (c) return ("%02x"):format(c:byte()); end); - credentials.server_key = hmac_sha1(salted_password, "Server Key"):gsub(".", function (c) return ("%02x"):format(c:byte()); end); + local salted_password = from_hex(credentials.hashpass); + credentials.stored_key = sha1(hmac_sha1(salted_password, "Client Key"), true); + credentials.server_key = to_hex(hmac_sha1(salted_password, "Server Key")); credentials.hashpass = nil datamanager.store(username, host, "accounts", credentials); end - + local stored_key, server_key, iteration_count, salt = credentials.stored_key, credentials.server_key, credentials.iteration_count, credentials.salt; - stored_key = stored_key and stored_key:gsub("..", function(x) return string.char(tonumber(x, 16)); end); - server_key = server_key and server_key:gsub("..", function(x) return string.char(tonumber(x, 16)); end); + stored_key = stored_key and from_hex(stored_key); + server_key = server_key and from_hex(server_key); return stored_key, server_key, iteration_count, salt, true; end }; - return new_sasl(realm, testpass_authentication_profile); - end - - function provider.is_admin(jid) - local admins = module:get_option_array("admins"); - if admins ~= config.get("*", "core", "admins") and type(admins) == "table" then - jid = jid_bare(jid); - for _,admin in ipairs(admins) do - if admin == jid then return true; end - end - end + return new_sasl(module.host, testpass_authentication_profile); end + return provider; end