2019-02-05 12:17:25 +00:00
|
|
|
import base64, hashlib, hmac, uuid
|
2018-10-03 12:22:37 +00:00
|
|
|
from src import ModuleManager, utils
|
2019-02-05 15:54:20 +00:00
|
|
|
from . import scram
|
2018-07-15 22:56:06 +00:00
|
|
|
|
2018-09-27 11:08:07 +00:00
|
|
|
def _validate(self, s):
|
2019-02-06 11:22:13 +00:00
|
|
|
mechanism, _, arguments = s.partition(" ")
|
2018-09-27 11:08:07 +00:00
|
|
|
return {"mechanism": mechanism, "args": arguments}
|
2018-09-09 09:04:21 +00:00
|
|
|
|
2019-02-05 12:17:25 +00:00
|
|
|
def _scram_nonce():
|
|
|
|
return str(uuid.uuid4().hex)
|
|
|
|
def _scram_escape(s):
|
|
|
|
return s.replace("=", "=3D").replace(",", "=2C")
|
|
|
|
def _scram_unescape(s):
|
|
|
|
return s.replace("=3D", "=").replace("=2C", ",")
|
|
|
|
def _scram_xor(s1, s2):
|
|
|
|
return bytes(a ^ b for a, b in zip(s1, s2))
|
|
|
|
|
2018-10-03 12:22:37 +00:00
|
|
|
@utils.export("serverset", {"setting": "sasl",
|
2018-09-27 11:08:07 +00:00
|
|
|
"help": "Set the sasl username/password for this server",
|
|
|
|
"validate": _validate})
|
|
|
|
class Module(ModuleManager.BaseModule):
|
2018-10-03 12:22:37 +00:00
|
|
|
@utils.hook("received.cap.ls")
|
2018-07-15 22:56:06 +00:00
|
|
|
def on_cap(self, event):
|
2018-09-07 14:51:41 +00:00
|
|
|
has_sasl = "sasl" in event["capabilities"]
|
2018-09-17 10:49:23 +00:00
|
|
|
our_sasl = event["server"].get_setting("sasl", None)
|
2018-09-07 14:51:41 +00:00
|
|
|
|
2018-09-17 10:49:23 +00:00
|
|
|
do_sasl = False
|
|
|
|
if has_sasl and our_sasl:
|
|
|
|
if not event["capabilities"]["sasl"] == None:
|
|
|
|
our_mechanism = our_sasl["mechanism"].upper()
|
|
|
|
do_sasl = our_mechanism in event["capabilities"
|
|
|
|
]["sasl"].split(",")
|
|
|
|
else:
|
2018-09-17 12:25:11 +00:00
|
|
|
do_sasl = True
|
2018-09-17 10:49:23 +00:00
|
|
|
|
|
|
|
if do_sasl:
|
2018-09-03 10:14:27 +00:00
|
|
|
event["server"].queue_capability("sasl")
|
2018-09-07 14:51:41 +00:00
|
|
|
|
2018-10-03 12:22:37 +00:00
|
|
|
@utils.hook("received.cap.ack")
|
2018-09-03 10:14:27 +00:00
|
|
|
def on_cap_ack(self, event):
|
|
|
|
if "sasl" in event["capabilities"]:
|
2018-09-17 10:31:40 +00:00
|
|
|
sasl = event["server"].get_setting("sasl")
|
|
|
|
event["server"].send_authenticate(sasl["mechanism"].upper())
|
2018-09-03 10:14:27 +00:00
|
|
|
event["server"].wait_for_capability("sasl")
|
2018-07-15 22:56:06 +00:00
|
|
|
|
2018-10-03 12:22:37 +00:00
|
|
|
@utils.hook("received.authenticate")
|
2018-07-15 22:56:06 +00:00
|
|
|
def on_authenticate(self, event):
|
2019-02-05 12:17:25 +00:00
|
|
|
sasl = event["server"].get_setting("sasl")
|
|
|
|
mechanism = sasl["mechanism"].upper()
|
|
|
|
|
|
|
|
if mechanism == "PLAIN":
|
|
|
|
if event["message"] != "+":
|
|
|
|
event["server"].send_authenticate("*")
|
|
|
|
else:
|
|
|
|
sasl_username, sasl_password = sasl["args"].split(":", 1)
|
|
|
|
auth_text = ("%s\0%s\0%s" % (
|
|
|
|
sasl_username, sasl_username, sasl_password)).encode("utf8")
|
2018-09-17 10:31:40 +00:00
|
|
|
|
2019-02-05 12:17:25 +00:00
|
|
|
elif mechanism == "EXTERNAL":
|
|
|
|
if event["message"] != "+":
|
|
|
|
event["server"].send_authenticate("*")
|
|
|
|
else:
|
2018-09-17 10:31:40 +00:00
|
|
|
auth_text = "+"
|
2019-02-05 12:17:25 +00:00
|
|
|
|
|
|
|
elif mechanism.startswith("SCRAM-"):
|
|
|
|
algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")
|
|
|
|
sasl_username, sasl_password = sasl["args"].split(":", 1)
|
|
|
|
if event["message"] == "+":
|
|
|
|
# start SCRAM handshake
|
2019-02-05 15:54:20 +00:00
|
|
|
event["server"]._scram = scram.SCRAM(
|
|
|
|
algo, sasl_username, sasl_password)
|
|
|
|
auth_text = event["server"]._scram.client_first()
|
2018-09-17 10:31:40 +00:00
|
|
|
else:
|
2019-02-05 15:54:20 +00:00
|
|
|
current_scram = event["server"]._scram
|
2019-02-06 08:50:19 +00:00
|
|
|
data = base64.b64decode(event["message"])
|
2019-02-05 15:54:20 +00:00
|
|
|
if current_scram.state == scram.SCRAMState.ClientFirst:
|
2019-02-06 08:50:19 +00:00
|
|
|
auth_text = current_scram.server_first(data)
|
2019-02-05 15:54:20 +00:00
|
|
|
elif current_scram.state == scram.SCRAMState.ClientFinal:
|
2019-02-06 11:07:50 +00:00
|
|
|
verified = current_scram.server_final(data)
|
2019-02-05 15:54:20 +00:00
|
|
|
del event["server"]._scram
|
2019-02-05 17:03:41 +00:00
|
|
|
|
2019-02-06 11:07:50 +00:00
|
|
|
if verified:
|
|
|
|
auth_text = "+"
|
|
|
|
else:
|
2019-02-05 17:03:41 +00:00
|
|
|
event["server"].disconnect()
|
|
|
|
raise ValueError("Server SCRAM verification failed")
|
|
|
|
|
2019-02-05 12:17:25 +00:00
|
|
|
else:
|
|
|
|
raise ValueError("unknown sasl mechanism '%s'" % mechanism)
|
2018-09-17 10:31:40 +00:00
|
|
|
|
2019-02-05 12:17:25 +00:00
|
|
|
if not auth_text == "+":
|
|
|
|
auth_text = base64.b64encode(auth_text)
|
|
|
|
auth_text = auth_text.decode("utf8")
|
|
|
|
event["server"].send_authenticate(auth_text)
|
2018-09-07 15:04:37 +00:00
|
|
|
|
2018-09-17 11:56:41 +00:00
|
|
|
def _end_sasl(self, server):
|
|
|
|
server.capability_done("sasl")
|
2018-10-03 12:22:37 +00:00
|
|
|
@utils.hook("received.numeric.903")
|
2018-09-07 15:04:37 +00:00
|
|
|
def sasl_success(self, event):
|
2018-09-17 11:56:41 +00:00
|
|
|
self._end_sasl(event["server"])
|
2018-10-03 12:22:37 +00:00
|
|
|
@utils.hook("received.numeric.904")
|
2018-09-17 12:10:22 +00:00
|
|
|
def sasl_failure(self, event):
|
2018-09-17 11:56:41 +00:00
|
|
|
self._end_sasl(event["server"])
|