author | Tobias Markmann <tm@ayena.de> | 2010-05-22 19:04:53 +0200 |
---|---|---|
committer | Tobias Markmann <tm@ayena.de> | 2010-05-22 19:04:53 +0200 |
commit | 229d07afa05408750fbc8314bd4e51243b9daf4d (patch) | |
tree | 037512832c1b14be9f834303808da69e9a4b1f16 /util/sasl | |
parent | 47c7c633170ae0d947a7f22e720f1868fec63332 (diff) | |
util.sasl.scram: Providing an API function to generate a salted password for the SCRAM-SHA-1 mechanism.
Diffstat (limited to 'util/sasl')
-rw-r--r-- | util/sasl/scram.lua | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua index 13b9932f..39daf397 100644 --- a/util/sasl/scram.lua +++ b/util/sasl/scram.lua @@ -92,6 +92,18 @@ local function validate_username(username) return username; end +function saltedPasswordSHA1(password, salt, iteration_count) + local salted_password + if type(password) ~= "string" and type(salt) ~= "string" and type(iteration_count) ~= "number" then + return false, "inappropriate argument types" + end + if iteration_count < 4096 then + log("warning", "Iteration count < 4096 which is the suggested minimum according to RFC 5802.") + end + + return true, Hi(hmac_sha1, password, salt, iteration_count); +end + local function scram_gen(hash_name, H_f, HMAC_f) local function scram_hash(self, message) if not self.state then self["state"] = {} end @@ -133,9 +145,16 @@ local function scram_gen(hash_name, H_f, HMAC_f) log("debug", "Password violates SASLprep."); return "failure", "not-authorized", "Invalid password." end + self.state.salt = generate_uuid(); self.state.iteration_count = default_i; - self.state.salted_password = Hi(HMAC_f, password, self.state.salt, default_i); + + local succ = false; + succ, self.state.salted_password = saltedPasswordSHA1(password, self.state.salt, default_i, self.state.iteration_count); + if not succ then + log("error", "Generating salted password failed. Reason: %s", self.state.salted_password); + return "failure", "temporary-auth-failure"; + end elseif self.profile["scram_"..hash_name] then local salted_password, iteration_count, salt, state = self.profile["scram-"..hash_name](self.state.name, self.realm); if state == nil then return "failure", "not-authorized" |
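Review bot: The argument check in `saltedPasswordSHA1` joins its three type tests with `and`, so it rejects a call only when all three arguments have the wrong type; a non-string password passed with a valid salt and count goes straight to `Hi`, and a nil `iteration_count` would raise on the `< 4096` comparison instead of returning `false, "inappropriate argument types"`. The condition should read `if type(password) ~= "string" or type(salt) ~= "string" or type(iteration_count) ~= "number" then`. The `local salted_password` declared on the first line of the body is never used and can be dropped. An iteration count below 4096 is only logged and the derivation still proceeds, so a short doc comment stating that behaviour and the `true, salted_password` / `false, reason` return contract would help callers that persist the result.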
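Review bot: The new call `saltedPasswordSHA1(password, self.state.salt, default_i, self.state.iteration_count)` passes four arguments to a function that takes three, and it replaces `Hi(HMAC_f, ...)` with a helper that always uses `hmac_sha1`, so `scram_gen` would derive the salted password with the SHA-1 HMAC regardless of the `HMAC_f` it was given. If `scram_gen` is only ever instantiated for SHA-1 this changes nothing today, but it would silently produce wrong verifiers for any other hash. On failure the reason string is also written into `self.state.salted_password`; receiving into locals first, e.g. `local succ, result = saltedPasswordSHA1(password, self.state.salt, self.state.iteration_count);`, and assigning `self.state.salted_password = result` only when `succ` is true keeps an error message out of the credential slot. The enclosing function starts and ends outside this hunk.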