* src/cyrsasl.erl: Change API of check_password: pass a function
to generate the digest (thanks to Graham Whitted)(EJAB-863) * src/cyrsasl_anonymous.erl: Likewise * src/cyrsasl_digest.erl: Likewise * src/cyrsasl_plain.erl: Likewise * src/ejabberd_auth.erl: Likewise * src/ejabberd_auth_anonymous.erl: Likewise * src/ejabberd_auth_external.erl: Likewise * src/ejabberd_auth_internal.erl: Likewise * src/ejabberd_auth_ldap.erl: Likewise * src/ejabberd_auth_odbc.erl: Likewise * src/ejabberd_auth_pam.erl: Likewise * src/ejabberd_c2s.erl: Likewise SVN Revision: 2033
This commit is contained in:
Badlop
parent
ca8eeaac57
commit
aedb847a81
14
ChangeLog
14
ChangeLog
|
|
@ -1,5 +1,19 @@
|
|||
2009-04-22 Badlop <badlop@process-one.net>
|
||||
|
||||
* src/cyrsasl.erl: Change API of check_password: pass a function
|
||||
to generate the digest (thanks to Graham Whitted)(EJAB-863)
|
||||
* src/cyrsasl_anonymous.erl: Likewise
|
||||
* src/cyrsasl_digest.erl: Likewise
|
||||
* src/cyrsasl_plain.erl: Likewise
|
||||
* src/ejabberd_auth.erl: Likewise
|
||||
* src/ejabberd_auth_anonymous.erl: Likewise
|
||||
* src/ejabberd_auth_external.erl: Likewise
|
||||
* src/ejabberd_auth_internal.erl: Likewise
|
||||
* src/ejabberd_auth_ldap.erl: Likewise
|
||||
* src/ejabberd_auth_odbc.erl: Likewise
|
||||
* src/ejabberd_auth_pam.erl: Likewise
|
||||
* src/ejabberd_c2s.erl: Likewise
|
||||
|
||||
* src/ejabberd_c2s.erl: Fix for SASL Anonymous connections not
|
||||
stored or purged (thanks to Andy Skelton)(EJAB-912)
|
||||
|
||||
|
|
|
|||
|
|
@ -30,19 +30,19 @@
|
|||
-export([start/0,
|
||||
register_mechanism/3,
|
||||
listmech/1,
|
||||
server_new/6,
|
||||
server_new/7,
|
||||
server_start/3,
|
||||
server_step/2]).
|
||||
|
||||
-record(sasl_mechanism, {mechanism, module, require_plain_password}).
|
||||
-record(sasl_state, {service, myname, realm,
|
||||
get_password, check_password,
|
||||
get_password, check_password, check_password_digest,
|
||||
mech_mod, mech_state}).
|
||||
|
||||
-export([behaviour_info/1]).
|
||||
|
||||
behaviour_info(callbacks) ->
|
||||
[{mech_new, 3}, {mech_step, 2}];
|
||||
[{mech_new, 4}, {mech_step, 2}];
|
||||
behaviour_info(_Other) ->
|
||||
undefined.
|
||||
|
||||
|
|
@ -113,12 +113,13 @@ listmech(Host) ->
|
|||
filter_anonymous(Host, Mechs).
|
||||
|
||||
server_new(Service, ServerFQDN, UserRealm, _SecFlags,
|
||||
GetPassword, CheckPassword) ->
|
||||
GetPassword, CheckPassword, CheckPasswordDigest) ->
|
||||
#sasl_state{service = Service,
|
||||
myname = ServerFQDN,
|
||||
realm = UserRealm,
|
||||
get_password = GetPassword,
|
||||
check_password = CheckPassword}.
|
||||
check_password = CheckPassword,
|
||||
check_password_digest= CheckPasswordDigest}.
|
||||
|
||||
server_start(State, Mech, ClientIn) ->
|
||||
case lists:member(Mech, listmech(State#sasl_state.myname)) of
|
||||
|
|
@ -128,7 +129,8 @@ server_start(State, Mech, ClientIn) ->
|
|||
{ok, MechState} = Module:mech_new(
|
||||
State#sasl_state.myname,
|
||||
State#sasl_state.get_password,
|
||||
State#sasl_state.check_password),
|
||||
State#sasl_state.check_password,
|
||||
State#sasl_state.check_password_digest),
|
||||
server_step(State#sasl_state{mech_mod = Module,
|
||||
mech_state = MechState},
|
||||
ClientIn);
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@
|
|||
|
||||
-module(cyrsasl_anonymous).
|
||||
|
||||
-export([start/1, stop/0, mech_new/3, mech_step/2]).
|
||||
-export([start/1, stop/0, mech_new/4, mech_step/2]).
|
||||
|
||||
-behaviour(cyrsasl).
|
||||
|
||||
|
|
@ -40,7 +40,7 @@ start(_Opts) ->
|
|||
stop() ->
|
||||
ok.
|
||||
|
||||
mech_new(Host, _GetPassword, _CheckPassword) ->
|
||||
mech_new(Host, _GetPassword, _CheckPassword, _CheckPasswordDigest) ->
|
||||
{ok, #state{server = Host}}.
|
||||
|
||||
mech_step(State, _ClientIn) ->
|
||||
|
|
|
|||
|
|
@ -11,14 +11,14 @@
|
|||
|
||||
-export([start/1,
|
||||
stop/0,
|
||||
mech_new/3,
|
||||
mech_new/4,
|
||||
mech_step/2]).
|
||||
|
||||
-include("ejabberd.hrl").
|
||||
|
||||
-behaviour(cyrsasl).
|
||||
|
||||
-record(state, {step, nonce, username, authzid, get_password, auth_module,
|
||||
-record(state, {step, nonce, username, authzid, get_password, check_password, auth_module,
|
||||
host}).
|
||||
|
||||
start(_Opts) ->
|
||||
|
|
@ -27,11 +27,12 @@ start(_Opts) ->
|
|||
stop() ->
|
||||
ok.
|
||||
|
||||
mech_new(Host, GetPassword, _CheckPassword) ->
|
||||
mech_new(Host, GetPassword, _CheckPassword, CheckPasswordDigest) ->
|
||||
{ok, #state{step = 1,
|
||||
nonce = randoms:get_string(),
|
||||
host = Host,
|
||||
get_password = GetPassword}}.
|
||||
get_password = GetPassword,
|
||||
check_password = CheckPasswordDigest}}.
|
||||
|
||||
mech_step(#state{step = 1, nonce = Nonce} = State, _) ->
|
||||
{continue,
|
||||
|
|
@ -56,10 +57,11 @@ mech_step(#state{step = 3, nonce = Nonce} = State, ClientIn) ->
|
|||
{false, _} ->
|
||||
{error, "not-authorized", UserName};
|
||||
{Passwd, AuthModule} ->
|
||||
Response = response(KeyVals, UserName, Passwd,
|
||||
Nonce, AuthzId, "AUTHENTICATE"),
|
||||
case xml:get_attr_s("response", KeyVals) of
|
||||
Response ->
|
||||
case (State#state.check_password)(UserName, Passwd,
|
||||
xml:get_attr_s("response", KeyVals),
|
||||
fun(PW) -> response(KeyVals, UserName, PW, Nonce, AuthzId,
|
||||
"AUTHENTICATE") end) of
|
||||
{true, _} ->
|
||||
RspAuth = response(KeyVals,
|
||||
UserName, Passwd,
|
||||
Nonce, AuthzId, ""),
|
||||
|
|
@ -69,7 +71,7 @@ mech_step(#state{step = 3, nonce = Nonce} = State, ClientIn) ->
|
|||
auth_module = AuthModule,
|
||||
username = UserName,
|
||||
authzid = AuthzId}};
|
||||
_ ->
|
||||
{false, _} ->
|
||||
{error, "not-authorized", UserName}
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@
|
|||
-module(cyrsasl_plain).
|
||||
-author('alexey@process-one.net').
|
||||
|
||||
-export([start/1, stop/0, mech_new/3, mech_step/2, parse/1]).
|
||||
-export([start/1, stop/0, mech_new/4, mech_step/2, parse/1]).
|
||||
|
||||
-behaviour(cyrsasl).
|
||||
|
||||
|
|
@ -40,7 +40,7 @@ start(_Opts) ->
|
|||
stop() ->
|
||||
ok.
|
||||
|
||||
mech_new(_Host, _GetPassword, CheckPassword) ->
|
||||
mech_new(_Host, _GetPassword, CheckPassword, _CheckPasswordDigest) ->
|
||||
{ok, #state{check_password = CheckPassword}}.
|
||||
|
||||
mech_step(State, ClientIn) ->
|
||||
|
|
|
|||
|
|
@ -84,12 +84,12 @@ check_password(User, Server, Password) ->
|
|||
end.
|
||||
|
||||
%% @doc Check if the user and password can login in server.
|
||||
%% @spec (User::string(), Server::string(), Password::string(),
|
||||
%% StreamID::string(), Digest::string()) ->
|
||||
%% @spec (User::string(), Server::string(), Password::string()
|
||||
%% Digest::string(), DigestGen::function()) ->
|
||||
%% true | false
|
||||
check_password(User, Server, Password, StreamID, Digest) ->
|
||||
check_password(User, Server, Password, Digest, DigestGen) ->
|
||||
case check_password_with_authmodule(User, Server, Password,
|
||||
StreamID, Digest) of
|
||||
Digest, DigestGen) of
|
||||
{true, _AuthModule} -> true;
|
||||
false -> false
|
||||
end.
|
||||
|
|
@ -107,9 +107,9 @@ check_password(User, Server, Password, StreamID, Digest) ->
|
|||
check_password_with_authmodule(User, Server, Password) ->
|
||||
check_password_loop(auth_modules(Server), [User, Server, Password]).
|
||||
|
||||
check_password_with_authmodule(User, Server, Password, StreamID, Digest) ->
|
||||
check_password_with_authmodule(User, Server, Password, Digest, DigestGen) ->
|
||||
check_password_loop(auth_modules(Server), [User, Server, Password,
|
||||
StreamID, Digest]).
|
||||
Digest, DigestGen]).
|
||||
|
||||
check_password_loop([], _Args) ->
|
||||
false;
|
||||
|
|
|
|||
|
|
@ -173,7 +173,7 @@ purge_hook(true, LUser, LServer) ->
|
|||
%% before allowing access
|
||||
check_password(User, Server, Password) ->
|
||||
check_password(User, Server, Password, undefined, undefined).
|
||||
check_password(User, Server, _Password, _StreamID, _Digest) ->
|
||||
check_password(User, Server, _Password, _Digest, _DigestGen) ->
|
||||
%% We refuse login for registered accounts (They cannot logged but
|
||||
%% they however are "reserved")
|
||||
case ejabberd_auth:is_user_exists_in_other_modules(?MODULE,
|
||||
|
|
@ -226,7 +226,7 @@ get_password(User, Server) ->
|
|||
get_password(User, Server, "").
|
||||
|
||||
get_password(User, Server, DefaultValue) ->
|
||||
case anonymous_user_exist(User, Server) of
|
||||
case anonymous_user_exist(User, Server) or login(User, Server) of
|
||||
%% We return the default value if the user is anonymous
|
||||
true ->
|
||||
DefaultValue;
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ plain_password_required() ->
|
|||
check_password(User, Server, Password) ->
|
||||
extauth:check_password(User, Server, Password) andalso Password /= "".
|
||||
|
||||
check_password(User, Server, Password, _StreamID, _Digest) ->
|
||||
check_password(User, Server, Password, _Digest, _DigestGen) ->
|
||||
check_password(User, Server, Password).
|
||||
|
||||
set_password(User, Server, Password) ->
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ check_password(User, Server, Password) ->
|
|||
false
|
||||
end.
|
||||
|
||||
check_password(User, Server, Password, StreamID, Digest) ->
|
||||
check_password(User, Server, Password, Digest, DigestGen) ->
|
||||
LUser = jlib:nodeprep(User),
|
||||
LServer = jlib:nameprep(Server),
|
||||
US = {LUser, LServer},
|
||||
|
|
@ -81,7 +81,7 @@ check_password(User, Server, Password, StreamID, Digest) ->
|
|||
[#passwd{password = Passwd}] ->
|
||||
DigRes = if
|
||||
Digest /= "" ->
|
||||
Digest == sha:sha(StreamID ++ Passwd);
|
||||
Digest == DigestGen(Passwd);
|
||||
true ->
|
||||
false
|
||||
end,
|
||||
|
|
|
|||
|
|
@ -147,7 +147,7 @@ check_password(User, Server, Password) ->
|
|||
end
|
||||
end.
|
||||
|
||||
check_password(User, Server, Password, _StreamID, _Digest) ->
|
||||
check_password(User, Server, Password, _Digest, _DigestGen) ->
|
||||
check_password(User, Server, Password).
|
||||
|
||||
set_password(_User, _Server, _Password) ->
|
||||
|
|
|
|||
|
|
@ -80,8 +80,8 @@ check_password(User, Server, Password) ->
|
|||
end
|
||||
end.
|
||||
|
||||
%% @spec (User, Server, Password, StreamID, Digest) -> true | false | {error, Error}
|
||||
check_password(User, Server, Password, StreamID, Digest) ->
|
||||
%% @spec (User, Server, Password, Digest, DigestGen) -> true | false | {error, Error}
|
||||
check_password(User, Server, Password, Digest, DigestGen) ->
|
||||
case jlib:nodeprep(User) of
|
||||
error ->
|
||||
false;
|
||||
|
|
@ -93,7 +93,7 @@ check_password(User, Server, Password, StreamID, Digest) ->
|
|||
{selected, ["password"], [{Passwd}]} ->
|
||||
DigRes = if
|
||||
Digest /= "" ->
|
||||
Digest == sha:sha(StreamID ++ Passwd);
|
||||
Digest == DigestGen(Passwd);
|
||||
true ->
|
||||
false
|
||||
end,
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ start(_Host) ->
|
|||
set_password(_User, _Server, _Password) ->
|
||||
{error, not_allowed}.
|
||||
|
||||
check_password(User, Server, Password, _StreamID, _Digest) ->
|
||||
check_password(User, Server, Password, _Digest, _DigestGen) ->
|
||||
check_password(User, Server, Password).
|
||||
|
||||
check_password(User, Host, Password) ->
|
||||
|
|
|
|||
|
|
@ -258,6 +258,10 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
|
|||
fun(U, P) ->
|
||||
ejabberd_auth:check_password_with_authmodule(
|
||||
U, Server, P)
|
||||
end,
|
||||
fun(U, P, D, DG) ->
|
||||
ejabberd_auth:check_password_with_authmodule(
|
||||
U, Server, P, D, DG)
|
||||
end),
|
||||
Mechs = lists:map(
|
||||
fun(S) ->
|
||||
|
|
@ -444,9 +448,10 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
|
|||
(acl:match_rule(StateData#state.server,
|
||||
StateData#state.access, JID) == allow) of
|
||||
true ->
|
||||
DGen = fun(PW) ->
|
||||
sha:sha(StateData#state.streamid ++ PW) end,
|
||||
case ejabberd_auth:check_password_with_authmodule(
|
||||
U, StateData#state.server, P,
|
||||
StateData#state.streamid, D) of
|
||||
U, StateData#state.server, P, D, DGen) of
|
||||
{true, AuthModule} ->
|
||||
?INFO_MSG(
|
||||
"(~w) Accepted legacy authentication for ~s by ~p",
|
||||
|
|
|
|||
Loading…
Reference in New Issue