aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--plugins/mod_auth_insecure.lua5
-rw-r--r--plugins/mod_auth_internal_hashed.lua7
-rw-r--r--plugins/mod_auth_internal_plain.lua15
-rw-r--r--util/sasl/plain.lua2
-rw-r--r--util/sasl/scram.lua4
5 files changed, 30 insertions, 3 deletions
diff --git a/plugins/mod_auth_insecure.lua b/plugins/mod_auth_insecure.lua
index 9e23c29f..dc5ee616 100644
--- a/plugins/mod_auth_insecure.lua
+++ b/plugins/mod_auth_insecure.lua
@@ -9,6 +9,7 @@
local datamanager = require "util.datamanager";
local new_sasl = require "util.sasl".new;
+local saslprep = require "util.encodings".stringprep.saslprep;
local host = module.host;
local provider = { name = "insecure" };
@@ -21,6 +22,10 @@ end
function provider.set_password(username, password)
local account = datamanager.load(username, host, "accounts");
+ password = saslprep(password);
+ if not password then
+ return nil, "Password fails SASLprep.";
+ end
if account then
account.password = password;
return datamanager.store(username, host, "accounts", account);
diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua
index c81830de..4fd0bd13 100644
--- a/plugins/mod_auth_internal_hashed.lua
+++ b/plugins/mod_auth_internal_hashed.lua
@@ -15,6 +15,7 @@ local generate_uuid = require "util.uuid".generate;
local new_sasl = require "util.sasl".new;
local hex = require"util.hex";
local to_hex, from_hex = hex.to, hex.from;
+local saslprep = require "util.encodings".stringprep.saslprep;
local log = module._log;
local host = module.host;
@@ -34,9 +35,13 @@ local provider = {};
function provider.test_password(username, password)
log("debug", "test password for user '%s'", username);
local credentials = accounts:get(username) or {};
+ password = saslprep(password);
+ if not password then
+ return nil, "Password fails SASLprep.";
+ end
if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
- if credentials.password ~= password then
+ if saslprep(credentials.password) ~= password then
return nil, "Auth failed. Provided password is incorrect.";
end
diff --git a/plugins/mod_auth_internal_plain.lua b/plugins/mod_auth_internal_plain.lua
index 276efb64..56ef52d5 100644
--- a/plugins/mod_auth_internal_plain.lua
+++ b/plugins/mod_auth_internal_plain.lua
@@ -8,6 +8,7 @@
local usermanager = require "core.usermanager";
local new_sasl = require "util.sasl".new;
+local saslprep = require "util.encodings".stringprep.saslprep;
local log = module._log;
local host = module.host;
@@ -20,8 +21,12 @@ local provider = {};
function provider.test_password(username, password)
log("debug", "test password for user '%s'", username);
local credentials = accounts:get(username) or {};
+ password = saslprep(password);
+ if not password then
+ return nil, "Password fails SASLprep.";
+ end
- if password == credentials.password then
+ if password == saslprep(credentials.password) then
return true;
else
return nil, "Auth failed. Invalid username or password.";
@@ -35,6 +40,10 @@ end
function provider.set_password(username, password)
log("debug", "set_password for username '%s'", username);
+ password = saslprep(password);
+ if not password then
+ return nil, "Password fails SASLprep.";
+ end
local account = accounts:get(username);
if account then
account.password = password;
@@ -57,6 +66,10 @@ function provider.users()
end
function provider.create_user(username, password)
+ password = saslprep(password);
+ if not password then
+ return nil, "Password fails SASLprep.";
+ end
return accounts:set(username, {password = password});
end
diff --git a/util/sasl/plain.lua b/util/sasl/plain.lua
index 00c6bd20..43a66c5b 100644
--- a/util/sasl/plain.lua
+++ b/util/sasl/plain.lua
@@ -70,7 +70,7 @@ local function plain(self, message)
if self.profile.plain then
local correct_password;
correct_password, state = self.profile.plain(self, authentication, self.realm);
- correct = (correct_password == password);
+ correct = (saslprep(correct_password) == password);
elseif self.profile.plain_test then
correct, state = self.profile.plain_test(self, authentication, password, self.realm);
end
diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index b3370d4b..009a01ce 100644
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -105,6 +105,10 @@ local function get_scram_hasher(H, HMAC, Hi)
if iteration_count < 4096 then
log("warn", "Iteration count < 4096 which is the suggested minimum according to RFC 5802.")
end
+ password = saslprep(password);
+ if not password then
+ return false, "password fails SASLprep";
+ end
local salted_password = Hi(password, salt, iteration_count);
local stored_key = H(HMAC(salted_password, "Client Key"))
local server_key = HMAC(salted_password, "Server Key");