* src/cyrsasl.erl: Change API of check_password: pass a function

to generate the digest (thanks to Graham Whitted)(EJAB-863) * src/cyrsasl_anonymous.erl: Likewise * src/cyrsasl_digest.erl: Likewise * src/cyrsasl_plain.erl: Likewise * src/ejabberd_auth.erl: Likewise * src/ejabberd_auth_anonymous.erl: Likewise * src/ejabberd_auth_external.erl: Likewise * src/ejabberd_auth_internal.erl: Likewise * src/ejabberd_auth_ldap.erl: Likewise * src/ejabberd_auth_odbc.erl: Likewise * src/ejabberd_auth_pam.erl: Likewise * src/ejabberd_c2s.erl: Likewise SVN Revision: 2033
2024-11-24 16:23:40 +01:00 · 2009-04-22 11:44:03 +00:00 · 2009-04-22 11:44:03 +00:00 · aedb847a81
commit aedb847a81
parent ca8eeaac57
13 changed files with 60 additions and 37 deletions
--- a/14
+++ b/14
@ -1,5 +1,19 @@
 2009-04-22  Badlop  <badlop@process-one.net>

+	* src/cyrsasl.erl: Change API of check_password: pass a function
+	to generate the digest (thanks to Graham Whitted)(EJAB-863)
+	* src/cyrsasl_anonymous.erl: Likewise
+	* src/cyrsasl_digest.erl: Likewise
+	* src/cyrsasl_plain.erl: Likewise
+	* src/ejabberd_auth.erl: Likewise
+	* src/ejabberd_auth_anonymous.erl: Likewise
+	* src/ejabberd_auth_external.erl: Likewise
+	* src/ejabberd_auth_internal.erl: Likewise
+	* src/ejabberd_auth_ldap.erl: Likewise
+	* src/ejabberd_auth_odbc.erl: Likewise
+	* src/ejabberd_auth_pam.erl: Likewise
+	* src/ejabberd_c2s.erl: Likewise
+
 	* src/ejabberd_c2s.erl: Fix for SASL Anonymous connections not
 	stored or purged (thanks to Andy Skelton)(EJAB-912)

--- a/src/cyrsasl.erl
+++ b/src/cyrsasl.erl
@ -30,19 +30,19 @@
 -export([start/0,
 	 register_mechanism/3,
 	 listmech/1,
-	 server_new/6,
+	 server_new/7,
 	 server_start/3,
 	 server_step/2]).

 -record(sasl_mechanism, {mechanism, module, require_plain_password}).
 -record(sasl_state, {service, myname, realm,
-		     get_password, check_password,
+		     get_password, check_password, check_password_digest,
 		     mech_mod, mech_state}).

 -export([behaviour_info/1]).

 behaviour_info(callbacks) ->
-    [{mech_new, 3}, {mech_step, 2}];
+    [{mech_new, 4}, {mech_step, 2}];
 behaviour_info(_Other) ->
    undefined.

@ -113,12 +113,13 @@ listmech(Host) ->
    filter_anonymous(Host, Mechs).

 server_new(Service, ServerFQDN, UserRealm, _SecFlags,
-	   GetPassword, CheckPassword) ->
+	   GetPassword, CheckPassword, CheckPasswordDigest) ->
    #sasl_state{service = Service,
 		myname = ServerFQDN,
 		realm = UserRealm,
 		get_password = GetPassword,
-		check_password = CheckPassword}.
+		check_password = CheckPassword,
+		check_password_digest= CheckPasswordDigest}.

 server_start(State, Mech, ClientIn) ->
    case lists:member(Mech, listmech(State#sasl_state.myname)) of
@ -128,7 +129,8 @@ server_start(State, Mech, ClientIn) ->
 		    {ok, MechState} = Module:mech_new(
 					State#sasl_state.myname,
 					State#sasl_state.get_password,
-					State#sasl_state.check_password),
+					State#sasl_state.check_password,
+					State#sasl_state.check_password_digest),
 		    server_step(State#sasl_state{mech_mod = Module,
 						 mech_state = MechState},
 				ClientIn);
--- a/src/cyrsasl_anonymous.erl
+++ b/src/cyrsasl_anonymous.erl
@ -27,7 +27,7 @@

 -module(cyrsasl_anonymous).

-export([start/1, stop/0, mech_new/3, mech_step/2]).
+-export([start/1, stop/0, mech_new/4, mech_step/2]).

 -behaviour(cyrsasl).

@ -40,7 +40,7 @@ start(_Opts) ->
 stop() ->
    ok.

-mech_new(Host, _GetPassword, _CheckPassword) ->
+mech_new(Host, _GetPassword, _CheckPassword, _CheckPasswordDigest) ->
    {ok, #state{server = Host}}.

 mech_step(State, _ClientIn) ->
--- a/src/cyrsasl_digest.erl
+++ b/src/cyrsasl_digest.erl
@ -11,14 +11,14 @@

 -export([start/1,
 	 stop/0,
-	 mech_new/3,
+	 mech_new/4,
 	 mech_step/2]).

 -include("ejabberd.hrl").

 -behaviour(cyrsasl).

-record(state, {step, nonce, username, authzid, get_password, auth_module,
+-record(state, {step, nonce, username, authzid, get_password, check_password, auth_module,
 		host}).

 start(_Opts) ->
@ -27,11 +27,12 @@ start(_Opts) ->
 stop() ->
    ok.

-mech_new(Host, GetPassword, _CheckPassword) ->
+mech_new(Host, GetPassword, _CheckPassword, CheckPasswordDigest) ->
    {ok, #state{step = 1,
 		nonce = randoms:get_string(),
 		host = Host,
-		get_password = GetPassword}}.
+		get_password = GetPassword,
+		check_password = CheckPasswordDigest}}.

 mech_step(#state{step = 1, nonce = Nonce} = State, _) ->
    {continue,
@ -56,10 +57,11 @@ mech_step(#state{step = 3, nonce = Nonce} = State, ClientIn) ->
 			{false, _} ->
 			    {error, "not-authorized", UserName};
 			{Passwd, AuthModule} ->
-			    Response = response(KeyVals, UserName, Passwd,
-						Nonce, AuthzId, "AUTHENTICATE"),
-			    case xml:get_attr_s("response", KeyVals) of
-				Response ->
+				case (State#state.check_password)(UserName, Passwd,
+					xml:get_attr_s("response", KeyVals),
+					fun(PW) -> response(KeyVals, UserName, PW, Nonce, AuthzId,
+						"AUTHENTICATE") end) of
+				{true, _} ->
 				    RspAuth = response(KeyVals,
 						       UserName, Passwd,
 						       Nonce, AuthzId, ""),
@ -69,7 +71,7 @@ mech_step(#state{step = 3, nonce = Nonce} = State, ClientIn) ->
 						 auth_module = AuthModule,
 						 username = UserName,
 						 authzid = AuthzId}};
-				_ ->
+				{false, _} ->
 				    {error, "not-authorized", UserName}
 			    end
 		    end
--- a/src/cyrsasl_plain.erl
+++ b/src/cyrsasl_plain.erl
@ -27,7 +27,7 @@
 -module(cyrsasl_plain).
 -author('alexey@process-one.net').

-export([start/1, stop/0, mech_new/3, mech_step/2, parse/1]).
+-export([start/1, stop/0, mech_new/4, mech_step/2, parse/1]).

 -behaviour(cyrsasl).

@ -40,7 +40,7 @@ start(_Opts) ->
 stop() ->
    ok.

-mech_new(_Host, _GetPassword, CheckPassword) ->
+mech_new(_Host, _GetPassword, CheckPassword, _CheckPasswordDigest) ->
    {ok, #state{check_password = CheckPassword}}.

 mech_step(State, ClientIn) ->
--- a/src/ejabberd_auth.erl
+++ b/src/ejabberd_auth.erl
@ -84,12 +84,12 @@ check_password(User, Server, Password) ->
    end.

 %% @doc Check if the user and password can login in server.
-%% @spec (User::string(), Server::string(), Password::string(),
-%%        StreamID::string(), Digest::string()) ->
+%% @spec (User::string(), Server::string(), Password::string()
+%%        Digest::string(), DigestGen::function()) ->
 %%     true | false
-check_password(User, Server, Password, StreamID, Digest) ->
+check_password(User, Server, Password, Digest, DigestGen) ->
    case check_password_with_authmodule(User, Server, Password,
-					StreamID, Digest) of
+					Digest, DigestGen) of
 	{true, _AuthModule} -> true;
 	false -> false
    end.
@ -107,9 +107,9 @@ check_password(User, Server, Password, StreamID, Digest) ->
 check_password_with_authmodule(User, Server, Password) ->
    check_password_loop(auth_modules(Server), [User, Server, Password]).

-check_password_with_authmodule(User, Server, Password, StreamID, Digest) ->
+check_password_with_authmodule(User, Server, Password, Digest, DigestGen) ->
    check_password_loop(auth_modules(Server), [User, Server, Password,
-					       StreamID, Digest]).
+					       Digest, DigestGen]).

 check_password_loop([], _Args) ->
    false;
--- a/src/ejabberd_auth_anonymous.erl
+++ b/src/ejabberd_auth_anonymous.erl
@ -173,7 +173,7 @@ purge_hook(true, LUser, LServer) ->
 %% before allowing access
 check_password(User, Server, Password) ->
    check_password(User, Server, Password, undefined, undefined).
-check_password(User, Server, _Password, _StreamID, _Digest) ->
+check_password(User, Server, _Password, _Digest, _DigestGen) ->
    %% We refuse login for registered accounts (They cannot logged but
    %% they however are "reserved")
    case ejabberd_auth:is_user_exists_in_other_modules(?MODULE, 
@ -226,7 +226,7 @@ get_password(User, Server) ->
    get_password(User, Server, "").

 get_password(User, Server, DefaultValue) ->
-    case anonymous_user_exist(User, Server) of
+    case anonymous_user_exist(User, Server) or login(User, Server) of
 	%% We return the default value if the user is anonymous
 	true ->
 	    DefaultValue;
--- a/src/ejabberd_auth_external.erl
+++ b/src/ejabberd_auth_external.erl
@ -57,7 +57,7 @@ plain_password_required() ->
 check_password(User, Server, Password) ->
    extauth:check_password(User, Server, Password) andalso Password /= "".

-check_password(User, Server, Password, _StreamID, _Digest) ->
+check_password(User, Server, Password, _Digest, _DigestGen) ->
    check_password(User, Server, Password).

 set_password(User, Server, Password) ->
--- a/src/ejabberd_auth_internal.erl
+++ b/src/ejabberd_auth_internal.erl
@ -73,7 +73,7 @@ check_password(User, Server, Password) ->
 	    false
    end.

-check_password(User, Server, Password, StreamID, Digest) ->
+check_password(User, Server, Password, Digest, DigestGen) ->
    LUser = jlib:nodeprep(User),
    LServer = jlib:nameprep(Server),
    US = {LUser, LServer},
@ -81,7 +81,7 @@ check_password(User, Server, Password, StreamID, Digest) ->
 	[#passwd{password = Passwd}] ->
 	    DigRes = if
 			 Digest /= "" ->
-			     Digest == sha:sha(StreamID ++ Passwd);
+			     Digest == DigestGen(Passwd);
 			 true ->
 			     false
 		     end,
--- a/src/ejabberd_auth_ldap.erl
+++ b/src/ejabberd_auth_ldap.erl
@ -147,7 +147,7 @@ check_password(User, Server, Password) ->
        end
    end.

-check_password(User, Server, Password, _StreamID, _Digest) ->
+check_password(User, Server, Password, _Digest, _DigestGen) ->
    check_password(User, Server, Password).

 set_password(_User, _Server, _Password) ->
--- a/src/ejabberd_auth_odbc.erl
+++ b/src/ejabberd_auth_odbc.erl
@ -80,8 +80,8 @@ check_password(User, Server, Password) ->
 	    end
    end.

-%% @spec (User, Server, Password, StreamID, Digest) -> true | false | {error, Error}
-check_password(User, Server, Password, StreamID, Digest) ->
+%% @spec (User, Server, Password, Digest, DigestGen) -> true | false | {error, Error}
+check_password(User, Server, Password, Digest, DigestGen) ->
    case jlib:nodeprep(User) of
 	error ->
 	    false;
@ -93,7 +93,7 @@ check_password(User, Server, Password, StreamID, Digest) ->
 		{selected, ["password"], [{Passwd}]} ->
 		    DigRes = if
 				 Digest /= "" ->
-				     Digest == sha:sha(StreamID ++ Passwd);
+				     Digest == DigestGen(Passwd);
 				 true ->
 				     false
 			     end,
--- a/src/ejabberd_auth_pam.erl
+++ b/src/ejabberd_auth_pam.erl
@ -55,7 +55,7 @@ start(_Host) ->
 set_password(_User, _Server, _Password) ->
    {error, not_allowed}.

-check_password(User, Server, Password, _StreamID, _Digest) ->
+check_password(User, Server, Password, _Digest, _DigestGen) ->
    check_password(User, Server, Password).

 check_password(User, Host, Password) ->
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@ -258,6 +258,10 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 					  fun(U, P) ->
 						  ejabberd_auth:check_password_with_authmodule(
 						    U, Server, P)
+					  end,
+					  fun(U, P, D, DG) ->
+						  ejabberd_auth:check_password_with_authmodule(
+						    U, Server, P, D, DG)
 					  end),
 				    Mechs = lists:map(
 					      fun(S) ->
@ -444,9 +448,10 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
 		(acl:match_rule(StateData#state.server,
 				StateData#state.access, JID) == allow) of
 		true ->
+                    DGen = fun(PW) ->
+                             sha:sha(StateData#state.streamid ++ PW) end,
 		    case ejabberd_auth:check_password_with_authmodule(
-			   U, StateData#state.server, P,
-			   StateData#state.streamid, D) of
+			   U, StateData#state.server, P, D, DGen) of
 			{true, AuthModule} ->
 			    ?INFO_MSG(
 			       "(~w) Accepted legacy authentication for ~s by ~p",