def handle(self, username, digest):
con = DBautocommit()
c = con.cursor()
c.execute("SELECT password FROM jids WHERE \
jid = ?", (username + '@%s' % self.msg.conn.server.hostname, ))
res = c.fetchone()
if res:
password = res[0]
else:
c.close()
con.close()
raise IQAuthError
c.close()
con.close()
s = sha1()
s.update(self.streamid + password)
hashtext = s.hexdigest()
if hashtext == digest:
d = self.msg.conn.data
d['user']['jid'] = '%s@%s' % (username,
self.msg.conn.server.hostname)
# record the JID for local delivery
self.msg.conn.server.conns[self.msg.conn.id] = (JID(
d['user']['jid']), self.msg.conn)
self.msg.conn.parser.resetParser()
return
else:
raise IQAuthError
def handle(self, username, digest):
con = DBautocommit()
c = con.cursor()
c.execute("SELECT password FROM jids WHERE \
jid = ?", (username + '@%s' % self.msg.conn.server.hostname,))
res = c.fetchone()
if res:
password = res[0]
else:
c.close()
con.close()
raise IQAuthError
c.close()
con.close()
s = sha1()
s.update(self.streamid + password)
hashtext = s.hexdigest()
if hashtext == digest:
d = self.msg.conn.data
d['user']['jid'] = '%s@%s' % (username,
self.msg.conn.server.hostname)
# record the JID for local delivery
self.msg.conn.server.conns[self.msg.conn.id] = (JID(d['user']['jid']),
self.msg.conn)
self.msg.conn.parser.resetParser()
return
else:
raise IQAuthError
def handle(self, b64text):
"""Verify the username/password in response"""
authtext = ''
if b64text:
try:
authtext = fromBase64(b64text)
except:
raise SASLIncorrectEncodingError
auth = authtext.split('\x00')
if len(auth) != 3:
raise SASLIncorrectEncodingError
con = DBautocommit()
c = con.cursor()
c.execute("SELECT * FROM jids WHERE \
jid = ? AND password = ?" , (auth[1] + \
'@' + self.msg.conn.server.hostname, auth[2]))
res = c.fetchall()
if len(res) == 0:
c.close()
con.close()
raise SASLAuthError
c.close()
con.close()
self.msg.conn.data['sasl']['complete'] = True
self.msg.conn.data['sasl']['in-progress'] = False
self.msg.conn.data['user']['jid'] = '%s@%s' % (
auth[1], self.msg.conn.server.hostname)
# record the JID for local delivery
self.msg.conn.server.conns[self.msg.conn.id] = (JID(
self.msg.conn.data['user']['jid']), self.msg.conn)
self.msg.conn.parser.resetParser()
return Element('success',
{'xmlns': 'urn:ietf:params:xml:ns:xmpp-sasl'})
def handle(self, b64text):
"""Verify the username/password in response"""
authtext = ''
if b64text:
try:
authtext = fromBase64(b64text)
except:
raise SASLIncorrectEncodingError
auth = authtext.split('\x00')
if len(auth) != 3:
raise SASLIncorrectEncodingError
con = DBautocommit()
c = con.cursor()
c.execute("SELECT * FROM jids WHERE \
jid = ? AND password = ?", (auth[1] + \
'@' + self.msg.conn.server.hostname, auth[2]))
res = c.fetchall()
if len(res) == 0:
c.close()
con.close()
raise SASLAuthError
c.close()
con.close()
self.msg.conn.data['sasl']['complete'] = True
self.msg.conn.data['sasl']['in-progress'] = False
self.msg.conn.data['user']['jid'] = '%s@%s' % (auth[1], self.msg.conn.server.hostname)
# record the JID for local delivery
self.msg.conn.server.conns[self.msg.conn.id] = (JID(self.msg.conn.data['user']['jid']),
self.msg.conn)
self.msg.conn.parser.resetParser()
return Element('success',
{'xmlns' : 'urn:ietf:params:xml:ns:xmpp-sasl'})
def handle(self, data=None):
"""Performs DIGEST-MD5 auth based on current state.
data -- either None for initial challenge, base64-encoded text when
the client responds to challenge 1, or the tree when the client
responds to challenge 2.
"""
# TODO: authz
# TODO: subsequent auth
qop = 'qop="auth"'
charset = 'charset=utf-8'
algo = 'algorithm=md5-sess'
if self.state == SASLDigestMD5.INIT: # initial challenge
self.nonce = generateId()
self.state = SASLDigestMD5.SENT_CHALLENGE1
nonce = 'nonce="%s"' % self.nonce
realm = 'realm="%s"' % self.realm
res = Element('challenge',
{'xmlns': 'urn:ietf:params:xml:ns:xmpp-sasl'})
res.text = base64.b64encode(','.join(
[realm, qop, nonce, charset, algo]))
return res
elif self.state == SASLDigestMD5.SENT_CHALLENGE1 and data:
# response to client's reponse (ie. challenge 2)
try:
text = fromBase64(data)
except:
raise SASLIncorrectEncodingError
pairs = self._parse(text)
try:
username = pairs['username']
nonce = pairs['nonce']
realm = pairs['realm']
cnonce = pairs['cnonce']
nc = pairs['nc']
qop = pairs['qop']
response = pairs['response']
digest_uri = pairs['digest-uri']
except KeyError:
self._handleFailure()
raise SASLAuthError
self.username = username
# authz is ignored for now
if nonce != self.nonce or realm != self.realm \
or int(nc, 16) != 1 or qop[0] != 'auth' or not response\
or not digest_uri:
self._handleFailure()
raise SASLAuthError
# fetch the password now
con = DBautocommit()
c = con.cursor()
c.execute(
"SELECT password FROM jids WHERE \
jid = ?", (username + '@%s' % self.msg.conn.server.hostname, ))
for row in c:
password = row['password']
break
else:
self._handleFailure()
c.close()
con.close()
raise SASLAuthError
c.close()
con.close()
# compute the digest as per RFC 2831
a1 = "%s:%s:%s" % (H("%s:%s:%s" %
(username, realm, password)), nonce, cnonce)
a2 = ":%s" % digest_uri
a2client = "AUTHENTICATE:%s" % digest_uri
digest = HEX(
KD(
HEX(H(a1)), "%s:%s:%s:%s:%s" %
(nonce, nc, cnonce, "auth", HEX(H(a2client)))))
if digest == response:
rspauth = HEX(
KD(
HEX(H(a1)), "%s:%s:%s:%s:%s" %
(nonce, nc, cnonce, "auth", HEX(H(a2)))))
self.state = SASLDigestMD5.SENT_CHALLENGE2
res = Element('challenge',
{'xmlns': 'urn:ietf:params:xml:ns:xmpp-sasl'})
res.text = base64.b64encode(u"rspauth=%s" % rspauth)
return res
else:
self._handleFailure()
raise SASLAuthError
elif self.state == SASLDigestMD5.SENT_CHALLENGE2 and isinstance(
data, Element):
# expect to get <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
respInd = data.tag.find(
'{urn:ietf:params:xml:ns:xmpp-sasl}response')
d = self.msg.conn.data
if respInd != -1 and len(data) == 0:
self.state = SASLDigestMD5.INIT
d['sasl']['complete'] = True
d['sasl']['in-progress'] = False
d['user']['jid'] = '%s@%s' % (self.username,
self.msg.conn.server.hostname)
# record the JID for local delivery
self.msg.conn.server.conns[self.msg.conn.id] = (JID(
d['user']['jid']), self.msg.conn)
self.msg.conn.parser.resetParser()
res = Element('success',
{'xmlns': 'urn:ietf:params:xml:ns:xmpp-sasl'})
return res
else:
self._handleFailure()
raise SASLAuthError
else:
self._handleFailure()
raise SASLAuthError
def handle(self, data=None):
"""Performs DIGEST-MD5 auth based on current state.
data -- either None for initial challenge, base64-encoded text when
the client responds to challenge 1, or the tree when the client
responds to challenge 2.
"""
# TODO: authz
# TODO: subsequent auth
qop = 'qop="auth"'
charset = 'charset=utf-8'
algo = 'algorithm=md5-sess'
if self.state == SASLDigestMD5.INIT: # initial challenge
self.nonce = generateId()
self.state = SASLDigestMD5.SENT_CHALLENGE1
nonce = 'nonce="%s"' % self.nonce
realm = 'realm="%s"' % self.realm
res = Element('challenge',
{'xmlns' : 'urn:ietf:params:xml:ns:xmpp-sasl'})
res.text = base64.b64encode(','.join([realm, qop, nonce, charset, algo]))
return res
elif self.state == SASLDigestMD5.SENT_CHALLENGE1 and data:
# response to client's reponse (ie. challenge 2)
try:
text = fromBase64(data)
except:
raise SASLIncorrectEncodingError
pairs = self._parse(text)
try:
username = pairs['username']
nonce = pairs['nonce']
realm = pairs['realm']
cnonce = pairs['cnonce']
nc = pairs['nc']
qop = pairs['qop']
response = pairs['response']
digest_uri = pairs['digest-uri']
except KeyError:
self._handleFailure()
raise SASLAuthError
self.username = username
# authz is ignored for now
if nonce != self.nonce or realm != self.realm \
or int(nc, 16) != 1 or qop[0] != 'auth' or not response\
or not digest_uri:
self._handleFailure()
raise SASLAuthError
# fetch the password now
con = DBautocommit()
c = con.cursor()
c.execute("SELECT password FROM jids WHERE \
jid = ?", (username + '@%s' % self.msg.conn.server.hostname,))
for row in c:
password = row['password']
break
else:
self._handleFailure()
c.close()
con.close()
raise SASLAuthError
c.close()
con.close()
# compute the digest as per RFC 2831
a1 = "%s:%s:%s" % (H("%s:%s:%s" % (username, realm, password)),
nonce, cnonce)
a2 = ":%s" % digest_uri
a2client = "AUTHENTICATE:%s" % digest_uri
digest = HEX(KD(HEX(H(a1)),
"%s:%s:%s:%s:%s" % (nonce, nc,
cnonce, "auth",
HEX(H(a2client)))))
if digest == response:
rspauth = HEX(KD(HEX(H(a1)),
"%s:%s:%s:%s:%s" % (nonce, nc,
cnonce, "auth",
HEX(H(a2)))))
self.state = SASLDigestMD5.SENT_CHALLENGE2
res = Element('challenge',
{'xmlns' : 'urn:ietf:params:xml:ns:xmpp-sasl'})
res.text = base64.b64encode(u"rspauth=%s" % rspauth)
return res
else:
self._handleFailure()
raise SASLAuthError
elif self.state == SASLDigestMD5.SENT_CHALLENGE2 and isinstance(data, Element):
# expect to get <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
respInd = data.tag.find('{urn:ietf:params:xml:ns:xmpp-sasl}response')
d = self.msg.conn.data
if respInd != -1 and len(data) == 0:
self.state = SASLDigestMD5.INIT
d['sasl']['complete'] = True
d['sasl']['in-progress'] = False
d['user']['jid'] = '%s@%s' % (self.username,
self.msg.conn.server.hostname)
# record the JID for local delivery
self.msg.conn.server.conns[self.msg.conn.id] = (JID(d['user']['jid']),
self.msg.conn)
self.msg.conn.parser.resetParser()
res = Element('success',
{'xmlns' : 'urn:ietf:params:xml:ns:xmpp-sasl'})
return res
else:
self._handleFailure()
raise SASLAuthError
else:
self._handleFailure()
raise SASLAuthError
