X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=util%2Fsasl%2Fscram.lua;h=530ef5a005614837b2edd440b9df120b8cc203a3;hb=a689938fa45323f67433bcd5554affd3f4b0fc52;hp=08533b68c915e50781f95e8c7ea4f74ec5c7cfb7;hpb=5da056aa5b737819d69eacce9858c10a915cfdad;p=prosody.git diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua index 08533b68..530ef5a0 100644 --- a/util/sasl/scram.lua +++ b/util/sasl/scram.lua @@ -27,7 +27,7 @@ local byte = string.byte; module "scram" --========================= ---SASL SCRAM-SHA-1 according to draft-ietf-sasl-scram-10 +--SASL SCRAM-SHA-1 according to RFC 5802 --[[ Supported Authentication Backends @@ -65,9 +65,9 @@ local function binaryXOR( a, b ) end -- hash algorithm independent Hi(PBKDF2) implementation -local function Hi(hmac, str, salt, i) +function Hi(hmac, str, salt, i) local Ust = hmac(str, salt.."\0\0\0\1"); - local res = Ust; + local res = Ust; for n=1,i-1 do local Und = hmac(str, Ust) res = binaryXOR(res, Und) @@ -80,8 +80,8 @@ local function validate_username(username) -- check for forbidden char sequences for eq in username:gmatch("=(.?.?)") do if eq ~= "2D" and eq ~= "3D" then - return false - end + return false + end end -- replace =2D with , and =3D with = @@ -143,7 +143,7 @@ local function scram_gen(hash_name, H_f, HMAC_f) -- retreive credentials if self.profile.plain then - local password, state = self.profile.plain(self.state.name, self.realm) + local password, state = self.profile.plain(self, self.state.name, self.realm) if state == nil then return "failure", "not-authorized" elseif state == false then return "failure", "account-disabled" end @@ -157,17 +157,18 @@ local function scram_gen(hash_name, H_f, HMAC_f) self.state.iteration_count = default_i; local succ = false; - succ, self.state.salted_password = saltedPasswordSHA1(password, self.state.salt, default_i, self.state.iteration_count); + succ, self.state.stored_key, self.state.server_key = getAuthenticationDatabaseSHA1(password, self.state.salt, default_i, self.state.iteration_count); if not succ then - log("error", "Generating salted password failed. Reason: %s", self.state.salted_password); + log("error", "Generating authentication database failed. Reason: %s", self.state.stored_key); return "failure", "temporary-auth-failure"; end elseif self.profile["scram_"..hashprep(hash_name)] then - local salted_password, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self.state.name, self.realm); + local stored_key, server_key, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self, self.state.name, self.realm); if state == nil then return "failure", "not-authorized" elseif state == false then return "failure", "account-disabled" end - self.state.salted_password = salted_password; + self.state.stored_key = stored_key; + self.state.server_key = server_key; self.state.iteration_count = iteration_count; self.state.salt = salt end @@ -189,16 +190,15 @@ local function scram_gen(hash_name, H_f, HMAC_f) return "failure", "malformed-request", "Wrong nonce in client-final-message."; end - local SaltedPassword = self.state.salted_password; - local ClientKey = HMAC_f(SaltedPassword, "Client Key") - local ServerKey = HMAC_f(SaltedPassword, "Server Key") - local StoredKey = H_f(ClientKey) + local ServerKey = self.state.server_key; + local StoredKey = self.state.stored_key; + local AuthMessage = "n=" .. s_match(self.state.client_first_message,"n=(.+)") .. "," .. self.state.server_first_message .. "," .. s_match(client_final_message, "(.+),p=.+") local ClientSignature = HMAC_f(StoredKey, AuthMessage) - local ClientProof = binaryXOR(ClientKey, ClientSignature) + local ClientKey = binaryXOR(ClientSignature, base64.decode(self.state.proof)) local ServerSignature = HMAC_f(ServerKey, AuthMessage) - if base64.encode(ClientProof) == self.state.proof then + if StoredKey == H_f(ClientKey) then local server_final_message = "v="..base64.encode(ServerSignature); self["username"] = self.state.name; return "success", server_final_message;