/usr/lib/prosody/modules/mod_auth_internal_hashed.lua is in prosody 0.9.1-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 | -- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- Copyright (C) 2010 Jeff Mitchell
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
local log = require "util.logger".init("auth_internal_hashed");
local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1;
local usermanager = require "core.usermanager";
local generate_uuid = require "util.uuid".generate;
local new_sasl = require "util.sasl".new;
local accounts = module:open_store("accounts");
local to_hex;
do
local function replace_byte_with_hex(byte)
return ("%02x"):format(byte:byte());
end
function to_hex(binary_string)
return binary_string:gsub(".", replace_byte_with_hex);
end
end
local from_hex;
do
local function replace_hex_with_byte(hex)
return string.char(tonumber(hex, 16));
end
function from_hex(hex_string)
return hex_string:gsub("..", replace_hex_with_byte);
end
end
-- Default; can be set per-user
local iteration_count = 4096;
local host = module.host;
-- define auth provider
local provider = {};
log("debug", "initializing internal_hashed authentication provider for host '%s'", host);
function provider.test_password(username, password)
local credentials = accounts:get(username) or {};
if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
if credentials.password ~= password then
return nil, "Auth failed. Provided password is incorrect.";
end
if provider.set_password(username, credentials.password) == nil then
return nil, "Auth failed. Could not set hashed password from plaintext.";
else
return true;
end
end
if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
return nil, "Auth failed. Stored salt and iteration count information is not complete.";
end
local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count);
local stored_key_hex = to_hex(stored_key);
local server_key_hex = to_hex(server_key);
if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
return true;
else
return nil, "Auth failed. Invalid username, password, or password hash information.";
end
end
function provider.set_password(username, password)
local account = accounts:get(username);
if account then
account.salt = account.salt or generate_uuid();
account.iteration_count = account.iteration_count or iteration_count;
local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count);
local stored_key_hex = to_hex(stored_key);
local server_key_hex = to_hex(server_key);
account.stored_key = stored_key_hex
account.server_key = server_key_hex
account.password = nil;
return accounts:set(username, account);
end
return nil, "Account not available.";
end
function provider.user_exists(username)
local account = accounts:get(username);
if not account then
log("debug", "account not found for username '%s' at host '%s'", username, host);
return nil, "Auth failed. Invalid username";
end
return true;
end
function provider.users()
return accounts:users();
end
function provider.create_user(username, password)
if password == nil then
return accounts:set(username, {});
end
local salt = generate_uuid();
local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, iteration_count);
local stored_key_hex = to_hex(stored_key);
local server_key_hex = to_hex(server_key);
return accounts:set(username, {stored_key = stored_key_hex, server_key = server_key_hex, salt = salt, iteration_count = iteration_count});
end
function provider.delete_user(username)
return accounts:set(username, nil);
end
function provider.get_sasl_handler()
local testpass_authentication_profile = {
plain_test = function(sasl, username, password, realm)
return usermanager.test_password(username, realm, password), true;
end,
scram_sha_1 = function(sasl, username, realm)
local credentials = accounts:get(username);
if not credentials then return; end
if credentials.password then
usermanager.set_password(username, credentials.password, host);
credentials = accounts:get(username);
if not credentials then return; end
end
local stored_key, server_key, iteration_count, salt = credentials.stored_key, credentials.server_key, credentials.iteration_count, credentials.salt;
stored_key = stored_key and from_hex(stored_key);
server_key = server_key and from_hex(server_key);
return stored_key, server_key, iteration_count, salt, true;
end
};
return new_sasl(host, testpass_authentication_profile);
end
module:provides("auth", provider);
|