/prosody-0.8.2/plugins/mod_auth_internal_hashed.lua

# · Lua · 184 lines · 142 code · 28 blank · 14 comment · 38 complexity · 0716b796d3a2ce7e591ea108876ff9f6 MD5 · raw file 

    

  1. -- Prosody IM
    2. 

  2. -- Copyright (C) 2008-2010 Matthew Wild
    3. 

  3. -- Copyright (C) 2008-2010 Waqas Hussain
    4. 

  4. -- Copyright (C) 2010 Jeff Mitchell
    5. 

  5. --
    6. 

  6. -- This project is MIT/X11 licensed. Please see the
    7. 

  7. -- COPYING file in the source package for more information.
    8. 

  8. --
    9. 

  9. 

  10. local datamanager = require "util.datamanager";
    11. 

  11. local log = require "util.logger".init("auth_internal_hashed");
    12. 

  12. local type = type;
    13. 

  13. local error = error;
    14. 

  14. local ipairs = ipairs;
    15. 

  15. local hashes = require "util.hashes";
    16. 

  16. local jid_bare = require "util.jid".bare;
    17. 

  17. local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1;
    18. 

  18. local config = require "core.configmanager";
    19. 

  19. local usermanager = require "core.usermanager";
    20. 

  20. local generate_uuid = require "util.uuid".generate;
    21. 

  21. local new_sasl = require "util.sasl".new;
    22. 

  22. local nodeprep = require "util.encodings".stringprep.nodeprep;
    23. 

  23. local hosts = hosts;
    24. 

  24. 

  25. -- COMPAT w/old trunk: remove these two lines before 0.8 release
    26. 

  26. local hmac_sha1 = require "util.hmac".sha1;
    27. 

  27. local sha1 = require "util.hashes".sha1;
    28. 

  28. 

  29. local to_hex;
    30. 

  30. do
    31. 

  31. 	local function replace_byte_with_hex(byte)
    32. 

  32. 		return ("%02x"):format(byte:byte());
    33. 

  33. 	end
    34. 

  34. 	function to_hex(binary_string)
    35. 

  35. 		return binary_string:gsub(".", replace_byte_with_hex);
    36. 

  36. 	end
    37. 

  37. end
    38. 

  38. 

  39. local from_hex;
    40. 

  40. do
    41. 

  41. 	local function replace_hex_with_byte(hex)
    42. 

  42. 		return string.char(tonumber(hex, 16));
    43. 

  43. 	end
    44. 

  44. 	function from_hex(hex_string)
    45. 

  45. 		return hex_string:gsub("..", replace_hex_with_byte);
    46. 

  46. 	end
    47. 

  47. end
    48. 

  48. 

  49. 

  50. local prosody = _G.prosody;
    51. 

  51. 

  52. -- Default; can be set per-user
    53. 

  53. local iteration_count = 4096;
    54. 

  54. 

  55. function new_hashpass_provider(host)
    56. 

  56. 	local provider = { name = "internal_hashed" };
    57. 

  57. 	log("debug", "initializing hashpass authentication provider for host '%s'", host);
    58. 

  58. 

  59. 	function provider.test_password(username, password)
    60. 

  60. 		local credentials = datamanager.load(username, host, "accounts") or {};
    61. 

  61. 	
    62. 

  62. 		if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
    63. 

  63. 			if credentials.password ~= password then
    64. 

  64. 				return nil, "Auth failed. Provided password is incorrect.";
    65. 

  65. 			end
    66. 

  66. 

  67. 			if provider.set_password(username, credentials.password) == nil then
    68. 

  68. 				return nil, "Auth failed. Could not set hashed password from plaintext.";
    69. 

  69. 			else
    70. 

  70. 				return true;
    71. 

  71. 			end
    72. 

  72. 		end
    73. 

  73. 

  74. 		if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
    75. 

  75. 			return nil, "Auth failed. Stored salt and iteration count information is not complete.";
    76. 

  76. 		end
    77. 

  77. 		
    78. 

  78. 		-- convert hexpass to stored_key and server_key
    79. 

  79. 		-- COMPAT w/old trunk: remove before 0.8 release
    80. 

  80. 		if credentials.hashpass then
    81. 

  81. 			local salted_password = from_hex(credentials.hashpass);
    82. 

  82. 			credentials.stored_key = sha1(hmac_sha1(salted_password, "Client Key"), true);
    83. 

  83. 			credentials.server_key = to_hex(hmac_sha1(salted_password, "Server Key"));
    84. 

  84. 			credentials.hashpass = nil
    85. 

  85. 			datamanager.store(username, host, "accounts", credentials);
    86. 

  86. 		end
    87. 

  87. 		
    88. 

  88. 		local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count);
    89. 

  89. 		
    90. 

  90. 		local stored_key_hex = to_hex(stored_key);
    91. 

  91. 		local server_key_hex = to_hex(server_key);
    92. 

  92. 		
    93. 

  93. 		if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
    94. 

  94. 			return true;
    95. 

  95. 		else
    96. 

  96. 			return nil, "Auth failed. Invalid username, password, or password hash information.";
    97. 

  97. 		end
    98. 

  98. 	end
    99. 

  99. 

  100. 	function provider.set_password(username, password)
    101. 

  101. 		local account = datamanager.load(username, host, "accounts");
    102. 

  102. 		if account then
    103. 

  103. 			account.salt = account.salt or generate_uuid();
    104. 

  104. 			account.iteration_count = account.iteration_count or iteration_count;
    105. 

  105. 			local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count);
    106. 

  106. 			local stored_key_hex = to_hex(stored_key);
    107. 

  107. 			local server_key_hex = to_hex(server_key);
    108. 

  108. 			
    109. 

  109. 			account.stored_key = stored_key_hex
    110. 

  110. 			account.server_key = server_key_hex
    111. 

  111. 

  112. 			account.password = nil;
    113. 

  113. 			return datamanager.store(username, host, "accounts", account);
    114. 

  114. 		end
    115. 

  115. 		return nil, "Account not available.";
    116. 

  116. 	end
    117. 

  117. 

  118. 	function provider.user_exists(username)
    119. 

  119. 		local account = datamanager.load(username, host, "accounts");
    120. 

  120. 		if not account then
    121. 

  121. 			log("debug", "account not found for username '%s' at host '%s'", username, module.host);
    122. 

  122. 			return nil, "Auth failed. Invalid username";
    123. 

  123. 		end
    124. 

  124. 		return true;
    125. 

  125. 	end
    126. 

  126. 

  127. 	function provider.create_user(username, password)
    128. 

  128. 		if password == nil then
    129. 

  129. 			return datamanager.store(username, host, "accounts", {});
    130. 

  130. 		end
    131. 

  131. 		local salt = generate_uuid();
    132. 

  132. 		local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, iteration_count);
    133. 

  133. 		local stored_key_hex = to_hex(stored_key);
    134. 

  134. 		local server_key_hex = to_hex(server_key);
    135. 

  135. 		return datamanager.store(username, host, "accounts", {stored_key = stored_key_hex, server_key = server_key_hex, salt = salt, iteration_count = iteration_count});
    136. 

  136. 	end
    137. 

  137. 

  138. 	function provider.delete_user(username)
    139. 

  139. 		return datamanager.store(username, host, "accounts", nil);
    140. 

  140. 	end
    141. 

  141. 

  142. 	function provider.get_sasl_handler()
    143. 

  143. 		local testpass_authentication_profile = {
    144. 

  144. 			plain_test = function(sasl, username, password, realm)
    145. 

  145. 				local prepped_username = nodeprep(username);
    146. 

  146. 				if not prepped_username then
    147. 

  147. 					log("debug", "NODEprep failed on username: %s", username);
    148. 

  148. 					return "", nil;
    149. 

  149. 				end
    150. 

  150. 				return usermanager.test_password(prepped_username, realm, password), true;
    151. 

  151. 			end,
    152. 

  152. 			scram_sha_1 = function(sasl, username, realm)
    153. 

  153. 				local credentials = datamanager.load(username, host, "accounts");
    154. 

  154. 				if not credentials then return; end
    155. 

  155. 				if credentials.password then
    156. 

  156. 					usermanager.set_password(username, credentials.password, host);
    157. 

  157. 					credentials = datamanager.load(username, host, "accounts");
    158. 

  158. 					if not credentials then return; end
    159. 

  159. 				end
    160. 

  160. 				
    161. 

  161. 				-- convert hexpass to stored_key and server_key
    162. 

  162. 				-- COMPAT w/old trunk: remove before 0.8 release
    163. 

  163. 				if credentials.hashpass then
    164. 

  164. 					local salted_password = from_hex(credentials.hashpass);
    165. 

  165. 					credentials.stored_key = sha1(hmac_sha1(salted_password, "Client Key"), true);
    166. 

  166. 					credentials.server_key = to_hex(hmac_sha1(salted_password, "Server Key"));
    167. 

  167. 					credentials.hashpass = nil
    168. 

  168. 					datamanager.store(username, host, "accounts", credentials);
    169. 

  169. 				end
    170. 

  170. 			
    171. 

  171. 				local stored_key, server_key, iteration_count, salt = credentials.stored_key, credentials.server_key, credentials.iteration_count, credentials.salt;
    172. 

  172. 				stored_key = stored_key and from_hex(stored_key);
    173. 

  173. 				server_key = server_key and from_hex(server_key);
    174. 

  174. 				return stored_key, server_key, iteration_count, salt, true;
    175. 

  175. 			end
    176. 

  176. 		};
    177. 

  177. 		return new_sasl(module.host, testpass_authentication_profile);
    178. 

  178. 	end
    179. 

  179. 	
    180. 

  180. 	return provider;
    181. 

  181. end
    182. 

  182. 

  183. module:add_item("auth-provider", new_hashpass_provider(module.host));
    184.