From fdf06e3692b59d4e34da988b9c976336fb15766b Mon Sep 17 00:00:00 2001 From: Tobias Markmann Date: Wed, 19 Aug 2009 21:34:28 +0200 Subject: Do SASLprep for SASL PLAIN mechanism to be more conform with RFC 4616. --- util/sasl.lua | 3 +++ 1 file changed, 3 insertions(+) diff --git a/util/sasl.lua b/util/sasl.lua index 0082b9cc..15f3e29e 100644 --- a/util/sasl.lua +++ b/util/sasl.lua @@ -20,6 +20,7 @@ local generate_uuid = require "util.uuid".generate; local t_insert, t_concat = table.insert, table.concat; local to_byte, to_char = string.byte, string.char; local to_unicode = require "util.encodings".idna.to_unicode; +local u_e_saslprep = require "utii.encodings".stringprep.saslprep; local s_match = string.match; local gmatch = string.gmatch local string = string @@ -39,6 +40,7 @@ local function new_plain(realm, password_handler) local authorization = s_match(response, "([^&%z]+)") local authentication = s_match(response, "%z([^&%z]+)%z") local password = s_match(response, "%z[^&%z]+%z([^&%z]+)") + authorization, authentication, password = u_e_saslprep(authorization), u_e_saslprep(authentication), u_e_saslprep(password); if authentication == nil or password == nil then return "failure", "malformed-request" end @@ -50,6 +52,7 @@ local function new_plain(realm, password_handler) local claimed_password = "" if password_encoding == nil then claimed_password = password else claimed_password = password_encoding(password) end + caimed_password = u_e_saslprep(claimed_password); self.username = authentication if claimed_password == correct_password then -- cgit v1.2.3 From 563d1911f2f8109a12d5ba816deaf2ef7127a96b Mon Sep 17 00:00:00 2001 From: Tobias Markmann Date: Wed, 19 Aug 2009 21:59:16 +0200 Subject: Use NODEprep for prepping usernames used during SASL logins. --- plugins/mod_saslauth.lua | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 8d1e0529..32269221 100644 
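Review bot: The added require in the first hunk of util/sasl.lua names the module `utii.encodings`, while the context line above it loads `util.encodings`, so loading util.sasl would presumably fail with a module-not-found error and leave no SASL mechanism available; it should read `local u_e_saslprep = require "util.encodings".stringprep.saslprep;`. The third hunk has the same kind of slip: `caimed_password = u_e_saslprep(claimed_password);` assigns to a new global, so the prepared value is discarded and the comparison below still uses the unprepared `claimed_password`. The second slip raises no error in Lua at all, so a lint pass for undefined globals (luacheck, for instance) before committing is the practical way to catch it.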
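Review bot: In the second hunk the three captures are handed to `u_e_saslprep` before the `authentication == nil or password == nil` check, so a malformed message sends nil into the prep function. That is only safe if saslprep returns nil for a non-string argument instead of raising, which is not visible here. Running the guard first, `if not (authentication and password) then return "failure", "malformed-request" end`, and keeping the existing check after the prep call separates "field missing" from "field rejected by SASLprep". A short comment such as `-- nil after saslprep: input rejected by the profile` would make the second case explicit. new_plain starts and ends outside the hunk.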
--- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -12,7 +12,7 @@ local st = require "util.stanza"; local sm_bind_resource = require "core.sessionmanager".bind_resource; local sm_make_authenticated = require "core.sessionmanager".make_authenticated; local base64 = require "util.encodings".base64; - +local nodeprep = require "util.encodings".stringprep.nodeprep; local datamanager_load = require "util.datamanager".load; local usermanager_validate_credentials = require "core.usermanager".validate_credentials; local t_concat, t_insert = table.concat, table.insert; @@ -65,8 +65,12 @@ local function handle_status(session, status) end local function password_callback(node, hostname, realm, mechanism, decoder) - local password = (datamanager_load(node, hostname, "accounts") or {}).password; -- FIXME handle hashed passwords local func = function(x) return x; end; + local node = nodeprep(node); + if not node then + return func, nil; + end + local password = (datamanager_load(node, hostname, "accounts") or {}).password; -- FIXME handle hashed passwords if password then if mechanism == "PLAIN" then return func, password; -- cgit v1.2.3 From 38bc2857bd5100a02ccfa7ed2d91f46585f73012 Mon Sep 17 00:00:00 2001 From: Tobias Markmann Date: Wed, 19 Aug 2009 22:04:14 +0200 Subject: Change variable name. The previous choice was too ugly looking. --- util/sasl.lua | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/sasl.lua b/util/sasl.lua index 15f3e29e..6305d414 100644 --- a/util/sasl.lua +++ b/util/sasl.lua 
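Review bot: The account lookup in `password_callback` now uses the nodeprep'd name, but the PLAIN handler in util/sasl.lua sets `self.username = authentication` from the SASLprep'd authcid. The account whose password was checked and the username recorded for the session can therefore differ (in letter case, for example) unless the caller normalises it again, which is not visible on this page. Both places should use the same canonical string: either prep the name once before it reaches them, or state the requirement here with a comment such as `-- the session username must be the nodeprep'd node, not the raw authcid`. `local node = nodeprep(node);` also shadows the parameter, and a plain `node = nodeprep(node);` does the same without a second local. The function body continues past the hunk.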
@@ -20,7 +20,7 @@ local generate_uuid = require "util.uuid".generate; local t_insert, t_concat = table.insert, table.concat; local to_byte, to_char = string.byte, string.char; local to_unicode = require "util.encodings".idna.to_unicode; -local u_e_saslprep = require "utii.encodings".stringprep.saslprep; +local saslprep = require "utii.encodings".stringprep.saslprep; local s_match = string.match; local gmatch = string.gmatch local string = string @@ -40,7 +40,7 @@ local function new_plain(realm, password_handler) local authorization = s_match(response, "([^&%z]+)") local authentication = s_match(response, "%z([^&%z]+)%z") local password = s_match(response, "%z[^&%z]+%z([^&%z]+)") - authorization, authentication, password = u_e_saslprep(authorization), u_e_saslprep(authentication), u_e_saslprep(password); + authorization, authentication, password = saslprep(authorization), saslprep(authentication), saslprep(password); if authentication == nil or password == nil then return "failure", "malformed-request" end @@ -52,7 +52,7 @@ local function new_plain(realm, password_handler) local claimed_password = "" if password_encoding == nil then claimed_password = password else claimed_password = password_encoding(password) end - caimed_password = u_e_saslprep(claimed_password); + caimed_password = saslprep(claimed_password); self.username = authentication if claimed_password == correct_password then -- cgit v1.2.3 From c03e9b5ddc206873cecacb17b9b21274273523f0 Mon Sep 17 00:00:00 2001 From: Tobias Markmann Date: Wed, 19 Aug 2009 22:16:27 +0200 Subject: Allow ampersands in passwords for SASL PLAIN mechanism and fixing a typo. --- util/sasl.lua | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/util/sasl.lua b/util/sasl.lua index 6305d414..7ced9f8a 100644 --- a/util/sasl.lua +++ b/util/sasl.lua 
@@ -20,7 +20,7 @@ local generate_uuid = require "util.uuid".generate; local t_insert, t_concat = table.insert, table.concat; local to_byte, to_char = string.byte, string.char; local to_unicode = require "util.encodings".idna.to_unicode; -local saslprep = require "utii.encodings".stringprep.saslprep; +local saslprep = require "util.encodings".stringprep.saslprep; local s_match = string.match; local gmatch = string.gmatch local string = string @@ -37,9 +37,9 @@ local function new_plain(realm, password_handler) if message == "" or message == nil then return "failure", "malformed-request" end local response = message - local authorization = s_match(response, "([^&%z]+)") - local authentication = s_match(response, "%z([^&%z]+)%z") - local password = s_match(response, "%z[^&%z]+%z([^&%z]+)") + local authorization = s_match(response, "([^%z]+)") + local authentication = s_match(response, "%z([^%z]+)%z") + local password = s_match(response, "%z[^%z]+%z([^%z]+)") authorization, authentication, password = saslprep(authorization), saslprep(authentication), saslprep(password); if authentication == nil or password == nil then return "failure", "malformed-request" end -- cgit v1.2.3 From 7f7d80a4e808d80f0f0f92dd965b5a4f8dfa051a Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Thu, 20 Aug 2009 04:15:41 +0100 Subject: util.sasl: Fix 2 global sets (one a tpyo) --- util/sasl.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/sasl.lua b/util/sasl.lua index 7ced9f8a..295f5684 100644 --- a/util/sasl.lua +++ b/util/sasl.lua @@ -52,7 +52,7 @@ local function new_plain(realm, password_handler) local claimed_password = "" if password_encoding == nil then claimed_password = password else claimed_password = password_encoding(password) end - caimed_password = saslprep(claimed_password); + claimed_password = saslprep(claimed_password); self.username = authentication if claimed_password == correct_password then 
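Review bot: The three patterns in the second hunk are still unanchored and matched independently, so they accept more than the `[authzid] NUL authcid NUL passwd` layout of RFC 4616. With an empty authzid the first pattern captures the authcid as `authorization`, and anything after a third NUL is silently ignored. Matching the whole message once with anchors keeps the fields aligned, e.g. `local authorization, authentication, password = s_match(response, "^([^%z]*)%z([^%z]+)%z([^%z]+)$")`. With that form an absent authzid yields an empty string instead of nil, so check how `authorization` is used further down before adopting it. new_plain continues outside the hunk.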
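Review bot: With the spelling fixed, the first hunk of the "Fix 2 global sets" commit makes SASLprep run on `claimed_password` after `password_encoding` has been applied, so when an encoding function is in use the profile operates on the encoded value instead of the password the client sent, and may change it or presumably return nil for it. `password` was already prepared earlier in new_plain, so for the unencoded case the call is redundant. If the call stays, reject a nil result before the comparison with `if claimed_password == nil then return "failure", "malformed-request" end`, because `claimed_password == correct_password` would otherwise be true whenever both are nil; whether `correct_password` can be nil at that point depends on code outside the hunk. `correct_password` itself is not prepared, so stored passwords containing characters that SASLprep maps would stop matching.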
@@ -133,7 +133,7 @@ local function new_digest_md5(realm, password_handler) return t_concat(p); end local function parse(data) - message = {} + local message = {} for k, v in gmatch(data, [[([%w%-]+)="?([^",]*)"?,?]]) do -- FIXME The hacky regex makes me shudder message[k] = v; end -- cgit v1.2.3