Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | util.sasl.{scram,plain}: Pass authzid to SASL profile callback | Kim Alvefur | 2023-03-16 | 2 | -5/+4 |
| | | | | | | | For potential future use. Used for logging into a different account than the one used for authentication. | ||||
* | util.sasl.scram: Fix off-by-one indentation | Kim Alvefur | 2023-03-16 | 1 | -2/+2 |
| | |||||
* | util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid | Kim Alvefur | 2023-03-16 | 2 | -4/+5 |
| | | | | Partly copied from util.sasl.scram and then reduced a bit. | ||||
* | util.sasl.oauthbearer: Return username from callback instead of using authzid (BC) | Kim Alvefur | 2023-03-16 | 1 | -33/+3 |
| | | | | | | | | | | | | | RFC 6120 states that "If the initiating entity does not wish to act on behalf of another entity, it MUST NOT provide an authorization identity." Thus it seems weird to require it here. We can instead expect a username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token. | ||||
* | util.sasl.oauthbearer: Fix syntax error in b796e08e6376 | Matthew Wild | 2023-03-15 | 1 | -1/+1 |
| | |||||
* | util.sasl.oauthbearer: Attach token_info to sasl handler | Matthew Wild | 2023-03-15 | 1 | -0/+2 |
| | | | | | | This allows token-aware things to access extra information about the authentication, such as when the token is due to expire and the attached custom 'data'. | ||||
* | util.sasl.oauthbearer: Fix traceback on authz in unexpected format | Kim Alvefur | 2023-03-02 | 1 | -0/+4 |
| | | | | | | E.g. if you were to just pass "username" without @hostname, the split will return nil, "username" and the nil gets passed to saslprep() and it does not like that. | ||||
* | util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) | Matthew Wild | 2023-03-01 | 1 | -0/+83 |
| | |||||
* | util.sasl.scram: Add 'tls-exporter' as recognised channel binding method | Kim Alvefur | 2022-07-27 | 1 | -1/+1 |
| | | | | | The last missing piece of #1760, otherwise SCRAM-SHA-*-PLUS is not actually advertised. | ||||
* | mod_auth_internal_hashed: Up iteration count to 10000 per XEP-0438 | Kim Alvefur | 2021-12-26 | 1 | -1/+1 |
| | | | | | | | | More security for less pain than switching to SCRAM-SHA-256. The XEP will likely be changed to reference the RFC that will probably come from draft-ietf-kitten-password-storage once it is ready, and then we should update to follow that. | ||||
* | util.sasl.scram: Store username property rather than cached local (#399) | Matthew Wild | 2021-12-07 | 1 | -1/+1 |
| | | | | | This should allow modules to override the username in a profile handler by assigning to self.username. | ||||
* | util.sasl.scram: Use util.strbitop for XOR step | Kim Alvefur | 2019-09-07 | 1 | -29/+1 |
| | |||||
* | Merge 0.11->trunk | Kim Alvefur | 2020-06-06 | 2 | -1/+5 |
|\ | |||||
| * | util.sasl.plain: Apply saslprep to stored password | Kim Alvefur | 2020-05-22 | 1 | -1/+1 |
| | | | | | | | | | | | | Fixes something like #1560 here too. The password sent by the user already had saslprep applied. | ||||
| * | util.sasl.scram: Apply saslprep before hashing password, fixes #1560 | Kim Alvefur | 2020-05-22 | 1 | -0/+4 |
| | | |||||
* | | util.sasl.scram: Mention if clients try PLUS without channel binding | Kim Alvefur | 2020-04-26 | 1 | -2/+6 |
| | | | | | | | | This isn't normal, but is it invalid? Likely a client bug in any case. | ||||
* | | util.sasl.digest-md5: Remove, obsolete since 2011 | Kim Alvefur | 2020-04-14 | 1 | -251/+0 |
| | | | | | | | | | | | | | | RFC 6331 lists several problems with this outdated authentication mechanism. The code here was also completely ignored by lint checks and has probably not been used for a long time, as it is incompatible with SCRAM-hashed password storage. | ||||
* | | util.sasl.scram: Ignore unused authzid variable (strict lint) | Kim Alvefur | 2019-12-09 | 1 | -0/+1 |
| | | | | | | | | | | It would be nice if authzid was passed down into the stack and could be used by plugins for things. | ||||
* | | util.sasl.scram: Avoid implicit coercion of number to string | Kim Alvefur | 2019-10-06 | 1 | -1/+1 |
| | | | | | | | | Lua can be compiled without coercion, which would cause an error here. | ||||
* | | util.sasl.scram: Fix old API | Kim Alvefur | 2019-09-29 | 1 | -1/+1 |
| | | | | | | | | | | This function is not directly used by anything in Prosody anymore and should be considered deprecated. | ||||
* | | util.sasl.scram: Add support for SCRAM-SHA-256 | Kim Alvefur | 2019-01-13 | 1 | -0/+1 |
| | | |||||
* | | util.sasl.scram: Factor out SHA-1 specific getAuthenticationDatabaseSHA1 | Kim Alvefur | 2019-01-13 | 1 | -20/+25 |
|/ | | | | This makes the code more generic, allowing SHA-1 to be replaced | ||||
* | util.sasl.anonymous: Shorter! | Kim Alvefur | 2018-06-06 | 1 | -1/+1 |
| | |||||
* | util.sasl.anonymous: Generate shorter random usernames | Kim Alvefur | 2018-05-29 | 1 | -2/+2 |
| | |||||
* | Fix spelling throughout the codebase [codespell] | Kim Alvefur | 2018-02-04 | 1 | -1/+1 |
| | |||||
* | various: Add annotation when an empty environment is set [luacheck] | Kim Alvefur | 2018-02-28 | 5 | -0/+5 |
| | |||||
* | util: Various minor changes to please [luacheck] | Kim Alvefur | 2017-11-10 | 2 | -4/+19 |
| | |||||
* | util.sasl.plain,scram: Record username in sasl state earlier | Kim Alvefur | 2017-04-19 | 2 | -2/+3 |
| | |||||
* | util.sasl.scram: Rename variable in places missed in 65e36b81d56a (thanks mt) | Kim Alvefur | 2016-02-28 | 1 | -2/+2 |
| | |||||
* | util.sasl.scram: Remove unused initial value [luacheck] | Kim Alvefur | 2016-02-28 | 1 | -1/+1 |
| | |||||
* | util.sasl.scram: Rename variable to avoid name clash [luacheck] | Kim Alvefur | 2016-02-28 | 1 | -5/+5 |
| | |||||
* | util.sasl.anonymous: Remove unused locals [luacheck] | Kim Alvefur | 2016-02-28 | 1 | -2/+0 |
| | |||||
* | util.sasl.scram: Get rid of module call | Kim Alvefur | 2015-04-07 | 1 | -4/+7 |
| | |||||
* | util.*: Remove use of module() function, make all module functions local and return them in a table at the end | Kim Alvefur | 2015-02-21 | 4 | -12/+20 |
| | |||||
* | util.sasl.scram: Rename variable for clarity | Kim Alvefur | 2013-10-13 | 1 | -7/+7 |
| | |||||
* | util.sasl.scram: Cache profile name instead of concatenating when used | Kim Alvefur | 2013-10-13 | 1 | -2/+3 |
| | |||||
* | util.sasl.scram: Rewrite patterns and capture client-first-message-bare, client-final-message-without-proof | Kim Alvefur | 2013-10-13 | 1 | -5/+6 |
| | |||||
* | util.sasl.scram: Create the state table as late as possible, keep state in locals for faster access | Kim Alvefur | 2013-10-13 | 1 | -41/+40 |
| | |||||
* | util.sasl.scram: Compare gs2-header to cbind-input (Thanks Tobias) | Kim Alvefur | 2013-10-12 | 1 | -8/+8 |
| | |||||
* | util.sasl.scram: Remove unused function and import | Kim Alvefur | 2013-10-06 | 1 | -9/+0 |
| | |||||
* | util.sasl.scram: Simplify validation of client-first-message | Kim Alvefur | 2013-09-22 | 1 | -14/+18 |
| | |||||
* | Merge Tobias SCRAM-PLUS work | Kim Alvefur | 2013-09-22 | 1 | -5/+42 |
|\ | |||||
| * | Only advertise mechanisms needing channel binding if a channel binding backend is available. | Tobias Markmann | 2011-02-07 | 1 | -1/+1 |
| | | |||||
| * | sasl.util.scarm: Rearrange some code so it makes more sense. | Tobias Markmann | 2011-02-06 | 1 | -5/+6 |
| | | |||||
| * | util.sasl.scram: Checking the GS2 header for valid start flag. | Tobias Markmann | 2011-02-06 | 1 | -0/+7 |
| | | |||||
| * | util.sasl.scram: Remove some debugging output. | Tobias Markmann | 2011-01-17 | 1 | -6/+0 |
| | | |||||
| * | util.sasl.scram: Adding reference to RFC 5929 'Channel Bindings for TLS'. | Tobias Markmann | 2011-01-17 | 1 | -0/+4 |
| | | |||||
| * | util.sasl.scram: Validate channel binding data of client final message. | Tobias Markmann | 2011-01-17 | 1 | -3/+12 |
| | | |||||
| * | util.sasl.scram: Use self.profile.cb for detection whether channel binding is supported or not. | Tobias Markmann | 2011-01-17 | 1 | -3/+3 |
| | | |||||
| * | Check whether we support the proposed channel binding type. | Tobias Markmann | 2011-01-15 | 1 | -0/+5 |
| | |