5 files changed, 80 insertions, 48 deletions
diff --git a/util/sasl/anonymous.lua b/util/sasl/anonymous.lua
index b9af17fe..ca5fe404 100644
--- a/util/sasl/anonymous.lua
+++ b/util/sasl/anonymous.lua
@@ -16,7 +16,7 @@ local s_match = string.match;
 local log = require "util.logger".init("sasl");
 local generate_uuid = require "util.uuid".generate;
 
-module "anonymous"
+module "sasl.anonymous"
 
 --=========================
 --SASL ANONYMOUS according to RFC 4505
@@ -43,4 +43,4 @@ function init(registerMechanism)
 	registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);
 end
 
-return _M;
-\ No newline at end of file
+return _M;
diff --git a/util/sasl/digest-md5.lua b/util/sasl/digest-md5.lua
index 6f2c765e..591d8537 100644
--- a/util/sasl/digest-md5.lua
+++ b/util/sasl/digest-md5.lua
@@ -23,8 +23,9 @@ local to_byte, to_char = string.byte, string.char;
 local md5 = require "util.hashes".md5;
 local log = require "util.logger".init("sasl");
 local generate_uuid = require "util.uuid".generate;
+local nodeprep = require "util.encodings".stringprep.nodeprep;
 
-module "digest-md5"
+module "sasl.digest-md5"
 
 --=========================
 --SASL DIGEST-MD5 according to RFC 2831
@@ -139,10 +140,15 @@ local function digest(self, message)
 		end
 
 		-- check for username, it's REQUIRED by RFC 2831
-		if not response["username"] then
+		local username = response["username"];
+		local _nodeprep = self.profile.nodeprep;
+		if username and _nodeprep ~= false then
+			username = (_nodeprep or nodeprep)(username); -- FIXME charset
+		end
+		if not username or username == "" then
 			return "failure", "malformed-request";
 		end
-		self["username"] = response["username"];
+		self.username = username;
 
 		-- check for nonce, ...
 		if not response["nonce"] then
@@ -178,7 +184,6 @@ local function digest(self, message)
 		end
 
 		--TODO maybe realm support
-		self.username = response["username"];
 		local Y, state;
 		if self.profile.plain then
 			local password, state = self.profile.plain(self, response["username"], self.realm)
@@ -240,4 +245,4 @@ function init(registerMechanism)
 	registerMechanism("DIGEST-MD5", {"plain"}, digest);
 end
 
-return _M;
-\ No newline at end of file
+return _M;
diff --git a/util/sasl/external.lua b/util/sasl/external.lua
new file mode 100644
index 00000000..4c5c4343
--- /dev/null
+++ b/util/sasl/external.lua
@@ -0,0 +1,25 @@
+local saslprep = require "util.encodings".stringprep.saslprep;
+
+module "sasl.external"
+
+local function external(self, message)
+	message = saslprep(message);
+	local state
+	self.username, state = self.profile.external(message);
+
+	if state == false then
+		return "failure", "account-disabled";
+	elseif state == nil  then
+		return "failure", "not-authorized";
+	elseif state == "expired" then
+		return "false", "credentials-expired";
+	end
+
+	return "success";
+end
+
+function init(registerMechanism)
+	registerMechanism("EXTERNAL", {"external"}, external);
+end
+
+return _M;
diff --git a/util/sasl/plain.lua b/util/sasl/plain.lua
index d6ebe304..c9ec2911 100644
--- a/util/sasl/plain.lua
+++ b/util/sasl/plain.lua
@@ -13,9 +13,10 @@
 
 local s_match = string.match;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local nodeprep = require "util.encodings".stringprep.nodeprep;
 local log = require "util.logger".init("sasl");
 
-module "plain"
+module "sasl.plain"
 
 -- ================================
 -- SASL PLAIN according to RFC 4616
@@ -54,6 +55,14 @@ local function plain(self, message)
 		return "failure", "malformed-request", "Invalid username or password.";
 	end
 
+	local _nodeprep = self.profile.nodeprep;
+	if _nodeprep ~= false then
+		authentication = (_nodeprep or nodeprep)(authentication);
+		if not authentication or authentication == "" then
+			return "failure", "malformed-request", "Invalid username or password."
+		end
+	end
+
 	local correct, state = false, false;
 	if self.profile.plain then
 		local correct_password;
@@ -64,15 +73,13 @@ local function plain(self, message)
 	end
 
 	self.username = authentication
-	if not state then
+	if state == false then
 		return "failure", "account-disabled";
-	end
-
-	if correct then
-		return "success";
-	else
+	elseif state == nil or not correct then
 		return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent.";
 	end
+
+	return "success";
 end
 
 function init(registerMechanism)
diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index 071de505..cf938dba 100644
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -16,16 +16,18 @@ local type = type
 local string = string
 local tostring = tostring;
 local base64 = require "util.encodings".base64;
-local hmac_sha1 = require "util.hmac".sha1;
+local hmac_sha1 = require "util.hashes".hmac_sha1;
 local sha1 = require "util.hashes".sha1;
+local Hi = require "util.hashes".scram_Hi_sha1;
 local generate_uuid = require "util.uuid".generate;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local nodeprep = require "util.encodings".stringprep.nodeprep;
 local log = require "util.logger".init("sasl");
 local t_concat = table.concat;
 local char = string.char;
 local byte = string.byte;
 
-module "scram"
+module "sasl.scram"
 
 --=========================
 --SASL SCRAM-SHA-1 according to RFC 5802
@@ -69,33 +71,26 @@ local function binaryXOR( a, b )
 	return t_concat(result);
 end
 
--- hash algorithm independent Hi(PBKDF2) implementation
-function Hi(hmac, str, salt, i)
-	local Ust = hmac(str, salt.."\0\0\0\1");
-	local res = Ust;
-	for n=1,i-1 do
-		local Und = hmac(str, Ust)
-		res = binaryXOR(res, Und)
-		Ust = Und
-	end
-	return res
-end
-
-local function validate_username(username)
+local function validate_username(username, _nodeprep)
 	-- check for forbidden char sequences
 	for eq in username:gmatch("=(.?.?)") do
-		if eq ~= "2D" and eq ~= "3D" then
+		if eq ~= "2C" and eq ~= "3D" then
 			return false
 		end
 	end
-	
-	-- replace =2D with , and =3D with =
-	username = username:gsub("=2D", ",");
+
+	-- replace =2C with , and =3D with =
+	username = username:gsub("=2C", ",");
 	username = username:gsub("=3D", "=");
-	
+
 	-- apply SASLprep
 	username = saslprep(username);
-	return username;
+
+	if username and _nodeprep ~= false then
+		username = (_nodeprep or nodeprep)(username);
+	end
+
+	return username and #username>0 and username;
 end
 
 local function hashprep(hashname)
@@ -109,7 +104,7 @@ function getAuthenticationDatabaseSHA1(password, salt, iteration_count)
 	if iteration_count < 4096 then
 		log("warn", "Iteration count < 4096 which is the suggested minimum according to RFC 5802.")
 	end
-	local salted_password = Hi(hmac_sha1, password, salt, iteration_count);
+	local salted_password = Hi(password, salt, iteration_count);
 	local stored_key = sha1(hmac_sha1(salted_password, "Client Key"))
 	local server_key = hmac_sha1(salted_password, "Server Key");
 	return true, stored_key, server_key
@@ -120,12 +115,12 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 		if not self.state then self["state"] = {} end
 		local support_channel_binding = false;
 		if self.profile.cb then support_channel_binding = true; end
-		
+
 		if type(message) ~= "string" or #message == 0 then return "failure", "malformed-request" end
 		if not self.state.name then
 			-- we are processing client_first_message
 			local client_first_message = message;
-			log("debug", client_first_message);
+
 			-- TODO: fail if authzid is provided, since we don't support them yet
 			self.state["client_first_message"] = client_first_message;
 			self.state["gs2_cbind_flag"], self.state["gs2_cbind_name"], self.state["authzid"], self.state["name"], self.state["clientnonce"]
@@ -156,21 +151,21 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 			if not self.state.name or not self.state.clientnonce then
 				return "failure", "malformed-request", "Channel binding isn't support at this time.";
 			end
-		
-			self.state.name = validate_username(self.state.name);
+
+			self.state.name = validate_username(self.state.name, self.profile.nodeprep);
 			if not self.state.name then
 				log("debug", "Username violates either SASLprep or contains forbidden character sequences.")
 				return "failure", "malformed-request", "Invalid username.";
 			end
-		
+
 			self.state["servernonce"] = generate_uuid();
-			
+
 			-- retreive credentials
 			if self.profile.plain then
 				local password, state = self.profile.plain(self, self.state.name, self.realm)
 				if state == nil then return "failure", "not-authorized"
 				elseif state == false then return "failure", "account-disabled" end
-				
+
 				password = saslprep(password);
 				if not password then
 					log("debug", "Password violates SASLprep.");
@@ -190,20 +185,20 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 				local stored_key, server_key, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self, self.state.name, self.realm);
 				if state == nil then return "failure", "not-authorized"
 				elseif state == false then return "failure", "account-disabled" end
-				
+
 				self.state.stored_key = stored_key;
 				self.state.server_key = server_key;
 				self.state.iteration_count = iteration_count;
 				self.state.salt = salt
 			end
-		
+
 			local server_first_message = "r="..self.state.clientnonce..self.state.servernonce..",s="..base64.encode(self.state.salt)..",i="..self.state.iteration_count;
 			self.state["server_first_message"] = server_first_message;
 			return "challenge", server_first_message
 		else
 			-- we are processing client_final_message
 			local client_final_message = message;
-			log("debug", "client_final_message: %s", client_final_message);
+
 			self.state["channelbinding"], self.state["nonce"], self.state["proof"] = client_final_message:match("^c=(.*),r=(.*),.*p=(.*)");
 
 			if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
@@ -223,10 +218,10 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 			if self.state.nonce ~= self.state.clientnonce..self.state.servernonce then
 				return "failure", "malformed-request", "Wrong nonce in client-final-message.";
 			end
-			
+
 			local ServerKey = self.state.server_key;
 			local StoredKey = self.state.stored_key;
-			
+
 			local AuthMessage = "n=" .. s_match(self.state.client_first_message,"n=(.+)") .. "," .. self.state.server_first_message .. "," .. s_match(client_final_message, "(.+),p=.+")
 			local ClientSignature = HMAC_f(StoredKey, AuthMessage)
 			local ClientKey = binaryXOR(ClientSignature, base64.decode(self.state.proof))