bitbot-3.11-fork/modules/sasl.py

143 lines
5.7 KiB
Python
Raw Normal View History

import base64, hashlib, hmac, uuid
from src import ModuleManager, utils
2018-07-15 22:56:06 +00:00
def _validate(self, s):
mechanism = s
if " " in s:
mechanism, arguments = s.split(" ", 1)
return {"mechanism": mechanism, "args": arguments}
def _scram_nonce():
return str(uuid.uuid4().hex)
def _scram_escape(s):
return s.replace("=", "=3D").replace(",", "=2C")
def _scram_unescape(s):
return s.replace("=3D", "=").replace("=2C", ",")
def _scram_xor(s1, s2):
return bytes(a ^ b for a, b in zip(s1, s2))
@utils.export("serverset", {"setting": "sasl",
"help": "Set the sasl username/password for this server",
"validate": _validate})
class Module(ModuleManager.BaseModule):
@utils.hook("received.cap.ls")
2018-07-15 22:56:06 +00:00
def on_cap(self, event):
2018-09-07 14:51:41 +00:00
has_sasl = "sasl" in event["capabilities"]
our_sasl = event["server"].get_setting("sasl", None)
2018-09-07 14:51:41 +00:00
do_sasl = False
if has_sasl and our_sasl:
if not event["capabilities"]["sasl"] == None:
our_mechanism = our_sasl["mechanism"].upper()
do_sasl = our_mechanism in event["capabilities"
]["sasl"].split(",")
else:
do_sasl = True
if do_sasl:
event["server"].queue_capability("sasl")
2018-09-07 14:51:41 +00:00
@utils.hook("received.cap.ack")
def on_cap_ack(self, event):
if "sasl" in event["capabilities"]:
2018-09-17 10:31:40 +00:00
sasl = event["server"].get_setting("sasl")
event["server"].send_authenticate(sasl["mechanism"].upper())
event["server"].wait_for_capability("sasl")
2018-07-15 22:56:06 +00:00
@utils.hook("received.authenticate")
2018-07-15 22:56:06 +00:00
def on_authenticate(self, event):
sasl = event["server"].get_setting("sasl")
mechanism = sasl["mechanism"].upper()
if mechanism == "PLAIN":
if event["message"] != "+":
event["server"].send_authenticate("*")
else:
sasl_username, sasl_password = sasl["args"].split(":", 1)
auth_text = ("%s\0%s\0%s" % (
sasl_username, sasl_username, sasl_password)).encode("utf8")
2018-09-17 10:31:40 +00:00
elif mechanism == "EXTERNAL":
if event["message"] != "+":
event["server"].send_authenticate("*")
else:
2018-09-17 10:31:40 +00:00
auth_text = "+"
elif mechanism.startswith("SCRAM-"):
algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")
sasl_username, sasl_password = sasl["args"].split(":", 1)
if event["message"] == "+":
# start SCRAM handshake
first_base = "n=%s,r=%s" % (
_scram_escape(sasl_username), _scram_nonce())
first_withchannel = "n,,%s" % first_base
auth_text = first_withchannel.encode("utf8")
event["server"]._scram_first = first_base.encode("utf8")
2018-09-17 10:31:40 +00:00
else:
data = base64.b64decode(event["message"]).decode("utf8")
pieces = dict(piece.split("=", 1) for piece in data.split(","))
if "s" in pieces:
# server-first-message
nonce = pieces["r"].encode("utf8")
salt = base64.b64decode(pieces["s"])
iterations = pieces["i"]
password = sasl_password.encode("utf8")
salted_password = hashlib.pbkdf2_hmac(algo, password, salt,
int(iterations), dklen=None)
event["server"]._scram_salted_password = salted_password
client_key = hmac.digest(salted_password, b"Client Key",
algo)
stored_key = hashlib.new(algo, client_key).digest()
channel = base64.b64encode(b"n,,")
auth_noproof = b"c=%s,r=%s" % (channel, nonce)
auth_message = b"%s,%s,%s" % (event["server"]._scram_first,
data.encode("utf8"), auth_noproof)
event["server"]._scram_auth_message = auth_message
client_signature = hmac.digest(stored_key, auth_message,
algo)
client_proof = base64.b64encode(
_scram_xor(client_key, client_signature))
auth_text = auth_noproof + (b",p=%s" % client_proof)
elif "v" in pieces:
# server-final-message
verifier = pieces["v"]
salted_password = event["server"]._scram_salted_password
auth_message = event["server"]._scram_auth_message
server_key = hmac.digest(salted_password, b"Server Key",
algo)
server_signature = hmac.digest(server_key, auth_message,
algo)
del event["server"]._scram_first
del event["server"]._scram_salted_password
del event["server"]._scram_auth_message
if server_signature != base64.b64decode(verifier):
raise ValueError("SCRAM %s authentication failed "
% algo)
event["server"].disconnect()
auth_text = "+"
else:
raise ValueError("unknown sasl mechanism '%s'" % mechanism)
2018-09-17 10:31:40 +00:00
if not auth_text == "+":
auth_text = base64.b64encode(auth_text)
auth_text = auth_text.decode("utf8")
event["server"].send_authenticate(auth_text)
2018-09-17 11:56:41 +00:00
def _end_sasl(self, server):
server.capability_done("sasl")
@utils.hook("received.numeric.903")
def sasl_success(self, event):
2018-09-17 11:56:41 +00:00
self._end_sasl(event["server"])
@utils.hook("received.numeric.904")
def sasl_failure(self, event):
2018-09-17 11:56:41 +00:00
self._end_sasl(event["server"])