2003-03-12 20:48:05 +01:00
|
|
|
%%%----------------------------------------------------------------------
|
|
|
|
%%% File : cyrsasl_digest.erl
|
|
|
|
%%% Author : Alexey Shchepin <alexey@sevcom.net>
|
|
|
|
%%% Purpose : DIGEST-MD5 SASL mechanism
|
|
|
|
%%% Created : 11 Mar 2003 by Alexey Shchepin <alexey@sevcom.net>
|
2009-06-09 12:56:14 +02:00
|
|
|
%%%
|
|
|
|
%%%
|
2018-01-05 21:18:58 +01:00
|
|
|
%%% ejabberd, Copyright (C) 2002-2018 ProcessOne
|
2009-06-09 12:56:14 +02:00
|
|
|
%%%
|
|
|
|
%%% This program is free software; you can redistribute it and/or
|
|
|
|
%%% modify it under the terms of the GNU General Public License as
|
|
|
|
%%% published by the Free Software Foundation; either version 2 of the
|
|
|
|
%%% License, or (at your option) any later version.
|
|
|
|
%%%
|
|
|
|
%%% This program is distributed in the hope that it will be useful,
|
|
|
|
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
%%% General Public License for more details.
|
|
|
|
%%%
|
2014-02-22 11:27:40 +01:00
|
|
|
%%% You should have received a copy of the GNU General Public License along
|
|
|
|
%%% with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
2009-06-09 12:56:14 +02:00
|
|
|
%%%
|
2003-03-12 20:48:05 +01:00
|
|
|
%%%----------------------------------------------------------------------
|
|
|
|
|
|
|
|
-module(cyrsasl_digest).
|
2013-03-14 10:33:02 +01:00
|
|
|
|
2015-06-01 14:38:27 +02:00
|
|
|
-behaviour(ejabberd_config).
|
|
|
|
|
2003-03-12 20:48:05 +01:00
|
|
|
-author('alexey@sevcom.net').
|
|
|
|
|
2015-06-01 14:38:27 +02:00
|
|
|
-export([start/1, stop/0, mech_new/4, mech_step/2,
|
2016-12-31 11:47:35 +01:00
|
|
|
parse/1, format_error/1, opt_type/1]).
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2013-04-08 11:12:54 +02:00
|
|
|
-include("logger.hrl").
|
2008-03-21 15:44:16 +01:00
|
|
|
|
2003-03-12 20:48:05 +01:00
|
|
|
-behaviour(cyrsasl).
|
|
|
|
|
2013-03-14 10:33:02 +01:00
|
|
|
-type get_password_fun() :: fun((binary()) -> {false, any()} |
|
|
|
|
{binary(), atom()}).
|
2017-02-16 12:18:36 +01:00
|
|
|
-type check_password_fun() :: fun((binary(), binary(), binary(), binary(),
|
2013-03-14 10:33:02 +01:00
|
|
|
fun((binary()) -> binary())) ->
|
|
|
|
{boolean(), any()} |
|
|
|
|
false).
|
2016-12-31 11:47:35 +01:00
|
|
|
-type error_reason() :: parser_failed | invalid_digest_uri |
|
|
|
|
not_authorized | unexpected_response.
|
|
|
|
-export_type([error_reason/0]).
|
2013-03-14 10:33:02 +01:00
|
|
|
|
|
|
|
-record(state, {step = 1 :: 1 | 3 | 5,
|
|
|
|
nonce = <<"">> :: binary(),
|
|
|
|
username = <<"">> :: binary(),
|
|
|
|
authzid = <<"">> :: binary(),
|
2017-02-16 12:18:36 +01:00
|
|
|
get_password :: get_password_fun(),
|
|
|
|
check_password :: check_password_fun(),
|
2013-03-14 10:33:02 +01:00
|
|
|
auth_module :: atom(),
|
|
|
|
host = <<"">> :: binary(),
|
2017-04-29 10:39:40 +02:00
|
|
|
hostfqdn = [] :: [binary()]}).
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2005-04-17 20:08:34 +02:00
|
|
|
start(_Opts) ->
|
2012-03-16 14:16:17 +01:00
|
|
|
Fqdn = get_local_fqdn(),
|
2018-02-28 19:43:43 +01:00
|
|
|
?DEBUG("FQDN used to check DIGEST-MD5 SASL authentication: ~s",
|
|
|
|
[Fqdn]),
|
2013-03-14 10:33:02 +01:00
|
|
|
cyrsasl:register_mechanism(<<"DIGEST-MD5">>, ?MODULE,
|
|
|
|
digest).
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2013-03-14 10:33:02 +01:00
|
|
|
stop() -> ok.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2016-12-31 11:47:35 +01:00
|
|
|
-spec format_error(error_reason()) -> {atom(), binary()}.
|
|
|
|
format_error(parser_failed) ->
|
|
|
|
{'bad-protocol', <<"Response decoding failed">>};
|
|
|
|
format_error(invalid_digest_uri) ->
|
|
|
|
{'bad-protocol', <<"Invalid digest URI">>};
|
|
|
|
format_error(not_authorized) ->
|
|
|
|
{'not-authorized', <<"Invalid username or password">>};
|
|
|
|
format_error(unexpected_response) ->
|
|
|
|
{'bad-protocol', <<"Unexpected response">>}.
|
|
|
|
|
2013-03-14 10:33:02 +01:00
|
|
|
mech_new(Host, GetPassword, _CheckPassword,
|
|
|
|
CheckPasswordDigest) ->
|
|
|
|
{ok,
|
|
|
|
#state{step = 1, nonce = randoms:get_string(),
|
|
|
|
host = Host, hostfqdn = get_local_fqdn(),
|
|
|
|
get_password = GetPassword,
|
|
|
|
check_password = CheckPasswordDigest}}.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2003-11-23 21:11:21 +01:00
|
|
|
mech_step(#state{step = 1, nonce = Nonce} = State, _) ->
|
2003-03-12 20:48:05 +01:00
|
|
|
{continue,
|
2013-03-14 10:33:02 +01:00
|
|
|
<<"nonce=\"", Nonce/binary,
|
|
|
|
"\",qop=\"auth\",charset=utf-8,algorithm=md5-sess">>,
|
2003-03-12 20:48:05 +01:00
|
|
|
State#state{step = 3}};
|
2013-03-14 10:33:02 +01:00
|
|
|
mech_step(#state{step = 3, nonce = Nonce} = State,
|
|
|
|
ClientIn) ->
|
2003-03-12 20:48:05 +01:00
|
|
|
case parse(ClientIn) of
|
2016-12-31 11:47:35 +01:00
|
|
|
bad -> {error, parser_failed};
|
|
|
|
KeyVals ->
|
2013-03-14 10:33:02 +01:00
|
|
|
DigestURI = proplists:get_value(<<"digest-uri">>, KeyVals, <<>>),
|
|
|
|
UserName = proplists:get_value(<<"username">>, KeyVals, <<>>),
|
|
|
|
case is_digesturi_valid(DigestURI, State#state.host,
|
|
|
|
State#state.hostfqdn)
|
|
|
|
of
|
|
|
|
false ->
|
|
|
|
?DEBUG("User login not authorized because digest-uri "
|
|
|
|
"seems invalid: ~p (checking for Host "
|
|
|
|
"~p, FQDN ~p)",
|
|
|
|
[DigestURI, State#state.host, State#state.hostfqdn]),
|
2016-12-31 11:47:35 +01:00
|
|
|
{error, invalid_digest_uri, UserName};
|
2013-03-14 10:33:02 +01:00
|
|
|
true ->
|
|
|
|
AuthzId = proplists:get_value(<<"authzid">>, KeyVals, <<>>),
|
|
|
|
case (State#state.get_password)(UserName) of
|
2016-12-31 11:47:35 +01:00
|
|
|
{false, _} -> {error, not_authorized, UserName};
|
2013-03-14 10:33:02 +01:00
|
|
|
{Passwd, AuthModule} ->
|
2015-04-09 03:21:09 +02:00
|
|
|
case (State#state.check_password)(UserName, UserName, <<"">>,
|
2017-02-16 12:18:36 +01:00
|
|
|
proplists:get_value(<<"response">>, KeyVals, <<>>),
|
2013-03-14 10:33:02 +01:00
|
|
|
fun (PW) ->
|
|
|
|
response(KeyVals,
|
|
|
|
UserName,
|
|
|
|
PW,
|
|
|
|
Nonce,
|
|
|
|
AuthzId,
|
|
|
|
<<"AUTHENTICATE">>)
|
|
|
|
end)
|
|
|
|
of
|
|
|
|
{true, _} ->
|
|
|
|
RspAuth = response(KeyVals, UserName, Passwd, Nonce,
|
|
|
|
AuthzId, <<"">>),
|
|
|
|
{continue, <<"rspauth=", RspAuth/binary>>,
|
|
|
|
State#state{step = 5, auth_module = AuthModule,
|
|
|
|
username = UserName,
|
|
|
|
authzid = AuthzId}};
|
2016-12-31 11:47:35 +01:00
|
|
|
false -> {error, not_authorized, UserName};
|
|
|
|
{false, _} -> {error, not_authorized, UserName}
|
2013-03-14 10:33:02 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2003-03-12 20:48:05 +01:00
|
|
|
end;
|
2013-03-14 10:33:02 +01:00
|
|
|
mech_step(#state{step = 5, auth_module = AuthModule,
|
|
|
|
username = UserName, authzid = AuthzId},
|
|
|
|
<<"">>) ->
|
|
|
|
{ok,
|
2015-04-09 03:21:09 +02:00
|
|
|
[{username, UserName}, {authzid, case AuthzId of
|
|
|
|
<<"">> -> UserName;
|
|
|
|
_ -> AuthzId
|
|
|
|
end
|
|
|
|
},
|
2013-03-14 10:33:02 +01:00
|
|
|
{auth_module, AuthModule}]};
|
2003-03-12 20:48:05 +01:00
|
|
|
mech_step(A, B) ->
|
2013-03-14 10:33:02 +01:00
|
|
|
?DEBUG("SASL DIGEST: A ~p B ~p", [A, B]),
|
2016-12-31 11:47:35 +01:00
|
|
|
{error, unexpected_response}.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2013-03-14 10:33:02 +01:00
|
|
|
parse(S) -> parse1(binary_to_list(S), "", []).
|
2003-03-12 20:48:05 +01:00
|
|
|
|
|
|
|
parse1([$= | Cs], S, Ts) ->
|
|
|
|
parse2(Cs, lists:reverse(S), "", Ts);
|
2013-03-14 10:33:02 +01:00
|
|
|
parse1([$, | Cs], [], Ts) -> parse1(Cs, [], Ts);
|
|
|
|
parse1([$\s | Cs], [], Ts) -> parse1(Cs, [], Ts);
|
|
|
|
parse1([C | Cs], S, Ts) -> parse1(Cs, [C | S], Ts);
|
|
|
|
parse1([], [], T) -> lists:reverse(T);
|
|
|
|
parse1([], _S, _T) -> bad.
|
|
|
|
|
|
|
|
parse2([$" | Cs], Key, Val, Ts) ->
|
2003-03-12 20:48:05 +01:00
|
|
|
parse3(Cs, Key, Val, Ts);
|
|
|
|
parse2([C | Cs], Key, Val, Ts) ->
|
|
|
|
parse4(Cs, Key, [C | Val], Ts);
|
2013-03-14 10:33:02 +01:00
|
|
|
parse2([], _, _, _) -> bad.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2013-03-14 10:33:02 +01:00
|
|
|
parse3([$" | Cs], Key, Val, Ts) ->
|
2003-03-12 20:48:05 +01:00
|
|
|
parse4(Cs, Key, Val, Ts);
|
2008-02-14 06:23:16 +01:00
|
|
|
parse3([$\\, C | Cs], Key, Val, Ts) ->
|
|
|
|
parse3(Cs, Key, [C | Val], Ts);
|
2003-03-12 20:48:05 +01:00
|
|
|
parse3([C | Cs], Key, Val, Ts) ->
|
|
|
|
parse3(Cs, Key, [C | Val], Ts);
|
2013-03-14 10:33:02 +01:00
|
|
|
parse3([], _, _, _) -> bad.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
|
|
|
parse4([$, | Cs], Key, Val, Ts) ->
|
2013-03-14 10:33:02 +01:00
|
|
|
parse1(Cs, "", [{list_to_binary(Key), list_to_binary(lists:reverse(Val))} | Ts]);
|
2005-08-11 01:29:16 +02:00
|
|
|
parse4([$\s | Cs], Key, Val, Ts) ->
|
|
|
|
parse4(Cs, Key, Val, Ts);
|
2003-03-12 20:48:05 +01:00
|
|
|
parse4([C | Cs], Key, Val, Ts) ->
|
|
|
|
parse4(Cs, Key, [C | Val], Ts);
|
|
|
|
parse4([], Key, Val, Ts) ->
|
2008-12-23 02:02:44 +01:00
|
|
|
%% @doc Check if the digest-uri is valid.
|
|
|
|
%% RFC-2831 allows to provide the IP address in Host,
|
|
|
|
%% however ejabberd doesn't allow that.
|
|
|
|
%% If the service (for example jabber.example.org)
|
|
|
|
%% is provided by several hosts (being one of them server3.example.org),
|
2012-03-16 14:16:17 +01:00
|
|
|
%% then acceptable digest-uris would be:
|
|
|
|
%% xmpp/server3.example.org/jabber.example.org, xmpp/server3.example.org and
|
|
|
|
%% xmpp/jabber.example.org
|
|
|
|
%% The last version is not actually allowed by the RFC, but implemented by popular clients
|
2013-03-14 10:33:02 +01:00
|
|
|
parse1([], "", [{list_to_binary(Key), list_to_binary(lists:reverse(Val))} | Ts]).
|
|
|
|
|
|
|
|
is_digesturi_valid(DigestURICase, JabberDomain,
|
|
|
|
JabberFQDN) ->
|
2008-12-23 02:02:44 +01:00
|
|
|
DigestURI = stringprep:tolower(DigestURICase),
|
2013-03-14 10:33:02 +01:00
|
|
|
case catch str:tokens(DigestURI, <<"/">>) of
|
|
|
|
[<<"xmpp">>, Host] ->
|
2016-06-08 19:28:17 +02:00
|
|
|
IsHostFqdn = is_host_fqdn(Host, JabberFQDN),
|
2012-06-27 11:10:48 +02:00
|
|
|
(Host == JabberDomain) or IsHostFqdn;
|
2013-03-14 10:33:02 +01:00
|
|
|
[<<"xmpp">>, Host, ServName] ->
|
2016-06-08 19:28:17 +02:00
|
|
|
IsHostFqdn = is_host_fqdn(Host, JabberFQDN),
|
2012-06-27 11:10:48 +02:00
|
|
|
(ServName == JabberDomain) and IsHostFqdn;
|
2008-12-23 02:02:44 +01:00
|
|
|
_ ->
|
|
|
|
false
|
|
|
|
end.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2012-06-27 11:10:48 +02:00
|
|
|
is_host_fqdn(_Host, []) ->
|
|
|
|
false;
|
|
|
|
is_host_fqdn(Host, [Fqdn | _FqdnTail]) when Host == Fqdn ->
|
|
|
|
true;
|
|
|
|
is_host_fqdn(Host, [Fqdn | FqdnTail]) when Host /= Fqdn ->
|
|
|
|
is_host_fqdn(Host, FqdnTail).
|
|
|
|
|
2012-03-16 14:16:17 +01:00
|
|
|
get_local_fqdn() ->
|
2017-04-29 10:39:40 +02:00
|
|
|
case ejabberd_config:get_option(fqdn) of
|
|
|
|
undefined ->
|
|
|
|
{ok, Hostname} = inet:gethostname(),
|
|
|
|
{ok, {hostent, Fqdn, _, _, _, _}} = inet:gethostbyname(Hostname),
|
|
|
|
[list_to_binary(Fqdn)];
|
|
|
|
Fqdn ->
|
|
|
|
Fqdn
|
2012-03-16 14:16:17 +01:00
|
|
|
end.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
|
|
|
hex(S) ->
|
2017-03-14 00:31:51 +01:00
|
|
|
str:to_hexlist(S).
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2013-03-14 10:33:02 +01:00
|
|
|
proplists_get_bin_value(Key, Pairs, Default) ->
|
|
|
|
case proplists:get_value(Key, Pairs, Default) of
|
|
|
|
L when is_list(L) ->
|
|
|
|
list_to_binary(L);
|
|
|
|
L2 ->
|
|
|
|
L2
|
|
|
|
end.
|
2003-03-12 20:48:05 +01:00
|
|
|
|
2013-03-14 10:33:02 +01:00
|
|
|
response(KeyVals, User, Passwd, Nonce, AuthzId,
|
|
|
|
A2Prefix) ->
|
|
|
|
Realm = proplists_get_bin_value(<<"realm">>, KeyVals, <<>>),
|
|
|
|
CNonce = proplists_get_bin_value(<<"cnonce">>, KeyVals, <<>>),
|
|
|
|
DigestURI = proplists_get_bin_value(<<"digest-uri">>, KeyVals, <<>>),
|
|
|
|
NC = proplists_get_bin_value(<<"nc">>, KeyVals, <<>>),
|
|
|
|
QOP = proplists_get_bin_value(<<"qop">>, KeyVals, <<>>),
|
2013-11-05 11:05:12 +01:00
|
|
|
MD5Hash = erlang:md5(<<User/binary, ":", Realm/binary, ":",
|
2013-03-14 10:33:02 +01:00
|
|
|
Passwd/binary>>),
|
2003-06-07 19:30:25 +02:00
|
|
|
A1 = case AuthzId of
|
2013-03-14 10:33:02 +01:00
|
|
|
<<"">> ->
|
|
|
|
<<MD5Hash/binary, ":", Nonce/binary, ":", CNonce/binary>>;
|
|
|
|
_ ->
|
|
|
|
<<MD5Hash/binary, ":", Nonce/binary, ":", CNonce/binary, ":",
|
|
|
|
AuthzId/binary>>
|
2003-06-07 19:30:25 +02:00
|
|
|
end,
|
2005-04-17 20:08:34 +02:00
|
|
|
A2 = case QOP of
|
2013-03-14 10:33:02 +01:00
|
|
|
<<"auth">> ->
|
|
|
|
<<A2Prefix/binary, ":", DigestURI/binary>>;
|
|
|
|
_ ->
|
|
|
|
<<A2Prefix/binary, ":", DigestURI/binary,
|
|
|
|
":00000000000000000000000000000000">>
|
2005-04-17 20:08:34 +02:00
|
|
|
end,
|
2013-11-05 11:05:12 +01:00
|
|
|
T = <<(hex((erlang:md5(A1))))/binary, ":", Nonce/binary,
|
2013-03-14 10:33:02 +01:00
|
|
|
":", NC/binary, ":", CNonce/binary, ":", QOP/binary,
|
2013-11-05 11:05:12 +01:00
|
|
|
":", (hex((erlang:md5(A2))))/binary>>,
|
|
|
|
hex((erlang:md5(T))).
|
2015-06-01 14:38:27 +02:00
|
|
|
|
2017-05-08 11:59:28 +02:00
|
|
|
-spec opt_type(fqdn) -> fun((binary() | [binary()]) -> [binary()]);
|
|
|
|
(atom()) -> [atom()].
|
2017-04-29 10:39:40 +02:00
|
|
|
opt_type(fqdn) ->
|
|
|
|
fun(FQDN) when is_binary(FQDN) ->
|
|
|
|
[FQDN];
|
|
|
|
(FQDNs) when is_list(FQDNs) ->
|
|
|
|
[iolist_to_binary(FQDN) || FQDN <- FQDNs]
|
|
|
|
end;
|
2015-06-01 14:38:27 +02:00
|
|
|
opt_type(_) -> [fqdn].
|