aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_auth_internal_hashed.lua55
1 files changed, 39 insertions, 16 deletions
diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua
index 9cffcc6e..4e554584 100644
--- a/plugins/mod_auth_internal_hashed.lua
+++ b/plugins/mod_auth_internal_hashed.lua
@@ -14,7 +14,7 @@ local error = error;
local ipairs = ipairs;
local hashes = require "util.hashes";
local jid_bare = require "util.jid".bare;
-local saltedPasswordSHA1 = require "util.sasl.scram".saltedPasswordSHA1;
+local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1;
local config = require "core.configmanager";
local usermanager = require "core.usermanager";
local generate_uuid = require "util.uuid".generate;
@@ -22,6 +22,10 @@ local new_sasl = require "util.sasl".new;
local nodeprep = require "util.encodings".stringprep.nodeprep;
local hosts = hosts;
+-- TODO: remove these two lines in near future
+local hmac_sha1 = require "util.hmac".sha1;
+local sha1 = require "util.hashes".sha1;
+
local prosody = _G.prosody;
local is_cyrus = usermanager.is_cyrus;
@@ -52,11 +56,25 @@ function new_hashpass_provider(host)
if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
return nil, "Auth failed. Stored salt and iteration count information is not complete.";
end
-
- local valid, binpass = saltedPasswordSHA1(password, credentials.salt, credentials.iteration_count);
- local hexpass = binpass:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
-
- if valid and hexpass == credentials.hashpass then
+
+ local valid, stored_key, server_key
+
+ if credentials.hexpass then
+ -- convert hexpass to stored_key and server_key
+ -- TODO: remove this in near future
+ valid = true;
+ local salted_password = credentials.hexpass:gsub("..", function(x) return string.char(tonumber(x, 16)); end);
+
+ stored_key = sha1(hmac_sha1(salted_password, "Client Key"))
+ server_key = hmac_sha1(salted_password, "Server Key");
+ else
+ valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count);
+ end
+
+ local stored_key_hex = stored_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
+ local server_key_hex = server_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
+
+ if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key_hex then
return true;
else
return nil, "Auth failed. Invalid username, password, or password hash information.";
@@ -74,10 +92,13 @@ function new_hashpass_provider(host)
if account.salt == nil then
account.salt = generate_uuid();
end
-
- local valid, binpass = saltedPasswordSHA1(password, account.salt, account.iteration_count);
- local hexpass = binpass:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
- account.hashpass = hexpass;
+
+ local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count);
+ local stored_key_hex = stored_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
+ local server_key_hex = server_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
+
+ account.stored_key = stored_key_hex
+ account.server_key = server_key_hex
account.password = nil;
return datamanager.store(username, host, "accounts", account);
@@ -102,9 +123,10 @@ function new_hashpass_provider(host)
function provider.create_user(username, password)
if is_cyrus(host) then return nil, "Account creation/modification not available with Cyrus SASL."; end
local salt = generate_uuid();
- local valid, binpass = saltedPasswordSHA1(password, salt, iteration_count);
- local hexpass = binpass:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
- return datamanager.store(username, host, "accounts", {hashpass = hexpass, salt = salt, iteration_count = iteration_count});
+ local valid, stored_key, server_key = saltedPasswordSHA1(password, salt, iteration_count);
+ local stored_key_hex = stored_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
+ local server_key_hex = server_key:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
+ return datamanager.store(username, host, "accounts", {stored_key = stored_key_hex, server_key = server_key_hex, salt = salt, iteration_count = iteration_count});
end
function provider.get_sasl_handler()
@@ -124,9 +146,10 @@ function new_hashpass_provider(host)
usermanager.set_password(username, credentials.password);
credentials = datamanager.load(username, host, "accounts") or {};
end
- local salted_password, iteration_count, salt = credentials.hashpass, credentials.iteration_count, credentials.salt;
- salted_password = salted_password and salted_password:gsub("..", function(x) return string.char(tonumber(x, 16)); end);
- return salted_password, iteration_count, salt, true;
+ local stored_key, server_key, iteration_count, salt = credentials.stored_key, credentials.server_key, credentials.iteration_count, credentials.salt;
+ stored_key = stored_key and stored_key:gsub("..", function(x) return string.char(tonumber(x, 16)); end);
+ server_key = server_key and server_key:gsub("..", function(x) return string.char(tonumber(x, 16)); end);
+ return stored_key, server_key, iteration_count, salt, true;
end
};
return new_sasl(realm, testpass_authentication_profile);