aboutsummaryrefslogtreecommitdiffstats
path: root/util/sasl
Commit message (Collapse)AuthorAgeFilesLines
* util.sasl.{scram,plain}: Pass authzid to SASL profile callbackKim Alvefur2023-03-162-5/+4
| | | | | | | For potential future use. Used for logging into a different account than the one used for authentication.
* util.sasl.scram: Fix off-by-one indentationKim Alvefur2023-03-161-2/+2
|
* util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzidKim Alvefur2023-03-162-4/+5
| | | | Partly copied from util.sasl.scram and then reduced a bit.
* util.sasl.oauthbearer: Return username from callback instead using authzid (BC)Kim Alvefur2023-03-161-33/+3
| | | | | | | | | | | | | RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
* util.sasl.oauthbearer: Fix syntax error in b796e08e6376Matthew Wild2023-03-151-1/+1
|
* util.sasl.oauthbearer: Attach token_info to sasl handlerMatthew Wild2023-03-151-0/+2
| | | | | | This allows token-aware things to access extra information about the authentication, such as when the token is due to expire and the attached custom 'data'.
* util.sasl.oauthbearer: Fix traceback on authz in unexpected formatKim Alvefur2023-03-021-0/+4
| | | | | | E.g. if you were to just pass "username" without @hostname, the split will return nil, "username" and the nil gets passed to saslprep() and it does not like that.
* util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)Matthew Wild2023-03-011-0/+83
|
* util.sasl.scram: Add 'tls-exporter' as recognised channel binding methodKim Alvefur2022-07-271-1/+1
| | | | | The last missing piece of #1760, otherwise SCRAM-SHA-*-PLUS is not actually advertised.
* mod_auth_internal_hashed: Up iteration count to 10000 per XEP-0438Kim Alvefur2021-12-261-1/+1
| | | | | | | | More security for less pain than switching to SCRAM-SHA-256 The XEP will likely be change to reference the RFC that will probably come from draft-ietf-kitten-password-storage once it is ready, and then we should update to follow that.
* util.sasl.scram: Store username property rather than cached local (#399)Matthew Wild2021-12-071-1/+1
| | | | | This should allow modules to override the username in a profile handler by assigning to self.username.
* util.sasl.scram: Use util.strbitop for XOR stepKim Alvefur2019-09-071-29/+1
|
* Merge 0.11->trunkKim Alvefur2020-06-062-1/+5
|\
| * util.sasl.plain: Apply saslprep to stored passwordKim Alvefur2020-05-221-1/+1
| | | | | | | | | | | | Fixes something like #1560 here too. The password sent by the user already had saslprep applied.
| * util.sasl.scram: Apply saslprep before hashing password, fixes #1560Kim Alvefur2020-05-221-0/+4
| |
* | util.sasl.scram: Mention if clients try PLUS without channel bindingKim Alvefur2020-04-261-2/+6
| | | | | | | | This isn't normal, but is it invalid? Likely a client bug in any case.
* | util.sasl.digest-md5: Remove, obsolete since 2011Kim Alvefur2020-04-141-251/+0
| | | | | | | | | | | | | | RFC 6331 lists several problems with this outdated authentication mechanism. The code here was also completely ignored by lint checks and has probably not been used for a long time, as it is incompatible with SCRAM-hashed password storage.
* | util.sasl.scram: Ignore unused authzid variable (strict lint)Kim Alvefur2019-12-091-0/+1
| | | | | | | | | | It would be nice if authzid was passed down into the stack and could be used by plugins for things.
* | util.sasl.scram: Avoid implicit coersion of number to stringKim Alvefur2019-10-061-1/+1
| | | | | | | | Lua can be compiled without coercion, which would cause an error here.
* | util.sasl.scram: Fix old APIKim Alvefur2019-09-291-1/+1
| | | | | | | | | | This function is not directly used by anything in Prosody anymore and should be considered deprecated.
* | util.sasl.scram: Add support for SCRAM-SHA-256Kim Alvefur2019-01-131-0/+1
| |
* | util.sasl.scram: Factor out SHA-1 specific getAuthenticationDatabaseSHA1Kim Alvefur2019-01-131-20/+25
|/ | | | This makes the code more generic, allowing SHA-1 to be replaced
* util.sasl.anonymous: Shorter!Kim Alvefur2018-06-061-1/+1
|
* util.sasl.anonymous: Generate shorter random usernamesKim Alvefur2018-05-291-2/+2
|
* Fix spelling throughout the codebase [codespell]Kim Alvefur2018-02-041-1/+1
|
* vairious: Add annotation when an empty environment is set [luacheck]Kim Alvefur2018-02-285-0/+5
|
* util: Various minor changes to please [luacheck]Kim Alvefur2017-11-102-4/+19
|
* util.sasl.plain,scram: Record username in sasl state earlierKim Alvefur2017-04-192-2/+3
|
* util.sasl.scram: Rename variable in places missed in 65e36b81d56a (thanks mt)Kim Alvefur2016-02-281-2/+2
|
* util.sasl.scram: Remove unused initial value [luacheck]Kim Alvefur2016-02-281-1/+1
|
* util.sasl.scram: Rename variable to avoid name clash [luacheck]Kim Alvefur2016-02-281-5/+5
|
* util.sasl.anonymous: Remove unused locals [luacheck]Kim Alvefur2016-02-281-2/+0
|
* util.sasl.scram: Get rid of module callKim Alvefur2015-04-071-4/+7
|
* util.*: Remove use of module() function, make all module functions local and ↵Kim Alvefur2015-02-214-12/+20
| | | | return them in a table at the end
* util.sasl.scram: Rename variable for clarityKim Alvefur2013-10-131-7/+7
|
* util.sasl.scram: Cache profile name instead of concatenating when usedKim Alvefur2013-10-131-2/+3
|
* util.sasl.scram: Rewrite patterns and capture client-first-message-bare, ↵Kim Alvefur2013-10-131-5/+6
| | | | client-final-message-without-proof
* util.sasl.scram: Create the state table as late as possible, keep state in ↵Kim Alvefur2013-10-131-41/+40
| | | | locals for faster access
* util.sasl.scram: Compare gs2-header to cbind-input (Thanks Tobias)Kim Alvefur2013-10-121-8/+8
|
* util.sasl.scram: Remove unused function and importKim Alvefur2013-10-061-9/+0
|
* util.sasl.scram: Simplify validation of client-first-messageKim Alvefur2013-09-221-14/+18
|
* Merge Tobias SCRAM-PLUS workKim Alvefur2013-09-221-5/+42
|\
| * Only advertise mechanisms needing channel binding if a channel binding ↵Tobias Markmann2011-02-071-1/+1
| | | | | | | | backend is avaliable.
| * sasl.util.scarm: Rearrage some code so it makes more sense.Tobias Markmann2011-02-061-5/+6
| |
| * util.sasl.scram: Checking the GS2 header for valid start flag.Tobias Markmann2011-02-061-0/+7
| |
| * util.sasl.scram: Remove some debugging output.Tobias Markmann2011-01-171-6/+0
| |
| * util.sasl.scram: Adding reference to RFC 5929 'Channel Bindings for TLS'.Tobias Markmann2011-01-171-0/+4
| |
| * util.sasl.scram: Validate channel binding data of client final message.Tobias Markmann2011-01-171-3/+12
| |
| * util.sasl.scram: Use self.profile.cb for detection whether channel binding ↵Tobias Markmann2011-01-171-3/+3
| | | | | | | | is supported or not.
| * Check whether we support the proposed channel binding type.Tobias Markmann2011-01-151-0/+5
| |