package client import ( "crypto/md5" "crypto/rand" "encoding/base64" "errors" "fmt" "math/big" "strings" "dev.sum7.eu/genofire/yaja/messages" ) func (client *Client) auth(password string) error { f, err := client.startStream() if err != nil { return err } //auth: mechanism := "" challenge := &messages.SASLChallenge{} response := &messages.SASLResponse{} for _, m := range f.Mechanisms.Mechanism { client.Logging.Debugf("try auth with '%s'", m) if m == "SCRAM-SHA-1" { /* mechanism = m TODO break */ } if m == "DIGEST-MD5" { mechanism = m // Digest-MD5 authentication client.Send(&messages.SASLAuth{ Mechanism: m, }) if err := client.ReadDecode(challenge); err != nil { return err } b, err := base64.StdEncoding.DecodeString(challenge.Body) if err != nil { return err } tokens := map[string]string{} for _, token := range strings.Split(string(b), ",") { kv := strings.SplitN(strings.TrimSpace(token), "=", 2) if len(kv) == 2 { if kv[1][0] == '"' && kv[1][len(kv[1])-1] == '"' { kv[1] = kv[1][1 : len(kv[1])-1] } tokens[kv[0]] = kv[1] } } realm, _ := tokens["realm"] nonce, _ := tokens["nonce"] qop, _ := tokens["qop"] charset, _ := tokens["charset"] cnonceStr := cnonce() digestURI := "xmpp/" + client.JID.Domain nonceCount := fmt.Sprintf("%08x", 1) digest := saslDigestResponse(client.JID.Local, realm, password, nonce, cnonceStr, "AUTHENTICATE", digestURI, nonceCount) message := "username=\"" + client.JID.Local + "\", realm=\"" + realm + "\", nonce=\"" + nonce + "\", cnonce=\"" + cnonceStr + "\", nc=" + nonceCount + ", qop=" + qop + ", digest-uri=\"" + digestURI + "\", response=" + digest + ", charset=" + charset response.Body = base64.StdEncoding.EncodeToString([]byte(message)) client.Send(response) break } if m == "PLAIN" { mechanism = m // Plain authentication: send base64-encoded \x00 user \x00 password. raw := "\x00" + client.JID.Local + "\x00" + password enc := make([]byte, base64.StdEncoding.EncodedLen(len(raw))) base64.StdEncoding.Encode(enc, []byte(raw)) client.Send(&messages.SASLAuth{ Mechanism: "PLAIN", Body: string(enc), }) break } } if mechanism == "" { return fmt.Errorf("PLAIN authentication is not an option: %s", f.Mechanisms.Mechanism) } client.Logging.Info("used auth with '%s'", mechanism) element, err := client.Read() if err != nil { return err } fail := messages.SASLFailure{} if err := client.Decode(&fail, element); err == nil { return errors.New(messages.XMLChildrenString(fail) + " : " + fail.Body) } if err := client.Decode(&messages.SASLSuccess{}, element); err != nil { return errors.New("auth failed - with unexpected answer") } return nil } func saslDigestResponse(username, realm, passwd, nonce, cnonceStr, authenticate, digestURI, nonceCountStr string) string { h := func(text string) []byte { h := md5.New() h.Write([]byte(text)) return h.Sum(nil) } hex := func(bytes []byte) string { return fmt.Sprintf("%x", bytes) } kd := func(secret, data string) []byte { return h(secret + ":" + data) } a1 := string(h(username+":"+realm+":"+passwd)) + ":" + nonce + ":" + cnonceStr a2 := authenticate + ":" + digestURI response := hex(kd(hex(h(a1)), nonce+":"+nonceCountStr+":"+cnonceStr+":auth:"+hex(h(a2)))) return response } func cnonce() string { randSize := big.NewInt(0) randSize.Lsh(big.NewInt(1), 64) cn, err := rand.Int(rand.Reader, randSize) if err != nil { return "" } return fmt.Sprintf("%016x", cn) }