From 5dd049acf05f46a551dbdb08a09ed6e52c17a0bf Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 22 May 2020 20:59:01 +0200 Subject: util.sasl.scram: Apply saslprep before hashing password, fixes #1560 --- util/sasl/scram.lua | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua index 043f328b..f64feb8b 100644 --- a/util/sasl/scram.lua +++ b/util/sasl/scram.lua @@ -106,6 +106,10 @@ local function getAuthenticationDatabaseSHA1(password, salt, iteration_count) if iteration_count < 4096 then log("warn", "Iteration count < 4096 which is the suggested minimum according to RFC 5802.") end + password = saslprep(password); + if not password then + return false, "password fails SASLprep"; + end local salted_password = Hi(password, salt, iteration_count); local stored_key = sha1(hmac_sha1(salted_password, "Client Key")) local server_key = hmac_sha1(salted_password, "Server Key"); -- cgit v1.2.3 From a7083d1dedda96bce48c84a5f348c10714ff7d69 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 22 May 2020 21:05:45 +0200 Subject: util.sasl.plain: Apply saslprep to stored password Fixes something like #1560 here too. The password sent by the user already had saslprep applied. --- util/sasl/plain.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/sasl/plain.lua b/util/sasl/plain.lua index 00c6bd20..43a66c5b 100644 --- a/util/sasl/plain.lua +++ b/util/sasl/plain.lua @@ -70,7 +70,7 @@ local function plain(self, message) if self.profile.plain then local correct_password; correct_password, state = self.profile.plain(self, authentication, self.realm); - correct = (correct_password == password); + correct = (saslprep(correct_password) == password); elseif self.profile.plain_test then correct, state = self.profile.plain_test(self, authentication, password, self.realm); end -- cgit v1.2.3 From 71c6728e69c98d7a70ec4ae4ffacb08ae683803f Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sat, 23 May 2020 14:17:04 +0200 Subject: mod_auth_internal_*: Apply saslprep to passwords Related to #1560 --- plugins/mod_auth_insecure.lua | 5 +++++ plugins/mod_auth_internal_hashed.lua | 7 ++++++- plugins/mod_auth_internal_plain.lua | 15 ++++++++++++++- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/plugins/mod_auth_insecure.lua b/plugins/mod_auth_insecure.lua index 9e23c29f..dc5ee616 100644 --- a/plugins/mod_auth_insecure.lua +++ b/plugins/mod_auth_insecure.lua @@ -9,6 +9,7 @@ local datamanager = require "util.datamanager"; local new_sasl = require "util.sasl".new; +local saslprep = require "util.encodings".stringprep.saslprep; local host = module.host; local provider = { name = "insecure" }; @@ -21,6 +22,10 @@ end function provider.set_password(username, password) local account = datamanager.load(username, host, "accounts"); + password = saslprep(password); + if not password then + return nil, "Password fails SASLprep."; + end if account then account.password = password; return datamanager.store(username, host, "accounts", account); diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index 083f648b..15058098 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua @@ -15,6 +15,7 @@ local generate_uuid = require "util.uuid".generate; local new_sasl = require "util.sasl".new; local hex = require"util.hex"; local to_hex, from_hex = hex.to, hex.from; +local saslprep = require "util.encodings".stringprep.saslprep; local log = module._log; local host = module.host; @@ -32,9 +33,13 @@ local provider = {}; function provider.test_password(username, password) log("debug", "test password for user '%s'", username); local credentials = accounts:get(username) or {}; + password = saslprep(password); + if not password then + return nil, "Password fails SASLprep."; + end if credentials.password ~= nil and string.len(credentials.password) ~= 0 then - if credentials.password ~= password then + if saslprep(credentials.password) ~= password then return nil, "Auth failed. Provided password is incorrect."; end diff --git a/plugins/mod_auth_internal_plain.lua b/plugins/mod_auth_internal_plain.lua index 276efb64..56ef52d5 100644 --- a/plugins/mod_auth_internal_plain.lua +++ b/plugins/mod_auth_internal_plain.lua @@ -8,6 +8,7 @@ local usermanager = require "core.usermanager"; local new_sasl = require "util.sasl".new; +local saslprep = require "util.encodings".stringprep.saslprep; local log = module._log; local host = module.host; @@ -20,8 +21,12 @@ local provider = {}; function provider.test_password(username, password) log("debug", "test password for user '%s'", username); local credentials = accounts:get(username) or {}; + password = saslprep(password); + if not password then + return nil, "Password fails SASLprep."; + end - if password == credentials.password then + if password == saslprep(credentials.password) then return true; else return nil, "Auth failed. Invalid username or password."; @@ -35,6 +40,10 @@ end function provider.set_password(username, password) log("debug", "set_password for username '%s'", username); + password = saslprep(password); + if not password then + return nil, "Password fails SASLprep."; + end local account = accounts:get(username); if account then account.password = password; @@ -57,6 +66,10 @@ function provider.users() end function provider.create_user(username, password) + password = saslprep(password); + if not password then + return nil, "Password fails SASLprep."; + end return accounts:set(username, {password = password}); end -- cgit v1.2.3