Diffstat (limited to 'sleekxmpp')
-rw-r--r--sleekxmpp/features/feature_mechanisms/mechanisms.py179
-rw-r--r--sleekxmpp/features/feature_mechanisms/stanza/auth.py3
-rw-r--r--sleekxmpp/features/feature_mechanisms/stanza/challenge.py3
-rw-r--r--sleekxmpp/features/feature_mechanisms/stanza/response.py3
-rw-r--r--sleekxmpp/features/feature_mechanisms/stanza/success.py18
-rw-r--r--sleekxmpp/plugins/xep_0047/stanza.py2
-rw-r--r--sleekxmpp/plugins/xep_0054/stanza.py3
-rw-r--r--sleekxmpp/plugins/xep_0084/stanza.py2
-rw-r--r--sleekxmpp/plugins/xep_0258/stanza.py3
-rw-r--r--sleekxmpp/thirdparty/__init__.py1
-rw-r--r--sleekxmpp/thirdparty/suelta/LICENSE21
-rw-r--r--sleekxmpp/thirdparty/suelta/PLAYING-NICELY27
-rw-r--r--sleekxmpp/thirdparty/suelta/README8
-rw-r--r--sleekxmpp/thirdparty/suelta/__init__.py26
-rw-r--r--sleekxmpp/thirdparty/suelta/exceptions.py35
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/__init__.py8
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/anonymous.py36
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/cram_md5.py63
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/digest_md5.py275
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/facebook_platform.py43
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/google_token.py22
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/messenger_oauth2.py17
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/plain.py61
-rw-r--r--sleekxmpp/thirdparty/suelta/mechanisms/scram_hmac.py176
-rw-r--r--sleekxmpp/thirdparty/suelta/sasl.py402
-rw-r--r--sleekxmpp/thirdparty/suelta/saslprep.py81
-rw-r--r--sleekxmpp/thirdparty/suelta/util.py121
-rw-r--r--sleekxmpp/util/__init__.py4
-rw-r--r--sleekxmpp/util/sasl/__init__.py15
-rw-r--r--sleekxmpp/util/sasl/client.py163
-rw-r--r--sleekxmpp/util/sasl/mechanisms.py531
-rw-r--r--sleekxmpp/util/stringprep_profiles.py12
32 files changed, 859 insertions, 1505 deletions
diff --git a/sleekxmpp/features/feature_mechanisms/mechanisms.py b/sleekxmpp/features/feature_mechanisms/mechanisms.py
index 2ab7b0a4..0132765f 100644
--- a/sleekxmpp/features/feature_mechanisms/mechanisms.py
+++ b/sleekxmpp/features/feature_mechanisms/mechanisms.py
@@ -6,12 +6,11 @@
See the file LICENSE for copying permission.
"""
+import sys
import logging
-from sleekxmpp.thirdparty import suelta
-from sleekxmpp.thirdparty.suelta.exceptions import SASLCancelled, SASLError
-from sleekxmpp.thirdparty.suelta.exceptions import SASLPrepFailure
-
+from sleekxmpp.util import sasl
+from sleekxmpp.util.stringprep_profiles import StringPrepError
from sleekxmpp.stanza import StreamFeatures
from sleekxmpp.xmlstream import RestartStream, register_stanza_plugin
from sleekxmpp.plugins import BasePlugin
@@ -31,7 +30,15 @@ class FeatureMechanisms(BasePlugin):
stanza = stanza
default_config = {
'use_mech': None,
+ 'use_mechs': None,
+ 'min_mech': None,
'sasl_callback': None,
+ 'security_callback': None,
+ 'encrypted_plain': True,
+ 'unencrypted_plain': False,
+ 'unencrypted_digest': False,
+ 'unencrypted_cram': False,
+ 'unencrypted_scram': True,
'order': 100
}
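Review bot: The new `use_mechs`, `min_mech`, `security_callback` and the five `encrypted_plain`/`unencrypted_*` keys land in `default_config` with no documentation, and their meaning is only recoverable from `_default_security` later in this file, which answers any security query other than `encrypted` with `self.config.get(value, False)`. A comment block above the dict would save the next maintainer that trip, e.g. `# *_plain/_digest/_cram/_scram: presumably whether that mechanism family may run with or without STARTTLS (queried by name from _default_security); use_mechs/min_mech restrict the candidate set`, hedged until the sasl module's query names are confirmed. It is also worth stating that `unencrypted_plain=False` is deliberate so nobody flips it casually.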
@@ -39,34 +46,13 @@ class FeatureMechanisms(BasePlugin):
if not self.use_mech and not self.xmpp.boundjid.user:
self.use_mech = 'ANONYMOUS'
- def tls_active():
- return 'starttls' in self.xmpp.features
-
- def basic_callback(mech, values):
- creds = self.xmpp.credentials
- for value in values:
- if value == 'username':
- values['username'] = self.xmpp.boundjid.user
- elif value == 'password':
- values['password'] = creds['password']
- elif value == 'email':
- jid = self.xmpp.boundjid.bare
- values['email'] = creds.get('email', jid)
- elif value in creds:
- values[value] = creds[value]
- mech.fulfill(values)
-
if self.sasl_callback is None:
- self.sasl_callback = basic_callback
+ self.sasl_callback = self._default_credentials
- self.mech = None
- self.sasl = suelta.SASL(self.xmpp.boundjid.domain, 'xmpp',
- username=self.xmpp.boundjid.user,
- sec_query=suelta.sec_query_allow,
- request_values=self.sasl_callback,
- tls_active=tls_active,
- mech=self.use_mech)
+ if self.security_callback is None:
+ self.security_callback = self._default_security
+ self.mech = None
self.mech_list = set()
self.attempted_mechs = set()
@@ -99,6 +85,44 @@ class FeatureMechanisms(BasePlugin):
restart=True,
order=self.order)
+ def _default_credentials(self, required_values, optional_values):
+ creds = self.xmpp.credentials
+ result = {}
+ values = required_values.union(optional_values)
+ for value in values:
+ if value == 'username':
+ result[value] = self.xmpp.boundjid.user
+ elif value == 'password':
+ result[value] = creds['password']
+ elif value == 'email':
+ jid = self.xmpp.boundjid.bare
+ result[value] = creds.get('email', jid)
+ elif value == 'channel_binding':
+ if sys.version_info >= (3, 3):
+ result[value] = self.xmpp.socket.channel_binding()
+ else:
+ result[value] = None
+ elif value == 'host':
+ result[value] = self.xmpp.boundjid.domain
+ elif value == 'realm':
+ result[value] = self.xmpp.boundjid.domain
+ elif value == 'service-name':
+ result[value] = self.xmpp.address[0]
+ elif value == 'service':
+ result[value] = 'xmpp'
+ elif value in creds:
+ result[value] = creds[value]
+ return result
+
+ def _default_security(self, values):
+ result = {}
+ for value in values:
+ if value == 'encrypted':
+ result[value] = 'starttls' in self.xmpp.features
+ else:
+ result[value] = self.config.get(value, False)
+ return result
+
def _handle_sasl_auth(self, features):
"""
Handle authenticating using SASL.
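Review bot: `result[value] = self.xmpp.socket.channel_binding()` in `_default_credentials` assumes the stream socket exposes a `channel_binding` method; the standard-library `ssl.SSLSocket` method is `get_channel_binding()`, and a socket that has not been wrapped by STARTTLS has neither, so unless the stream wraps the socket elsewhere this raises AttributeError as soon as a `-PLUS` mechanism asks for the binding. Guarding it, e.g. `binding = getattr(self.xmpp.socket, 'channel_binding', None)` and `result[value] = binding() if binding else None`, keeps the `None` fallback the Python 2 branch already returns. Both new methods also lack docstrings: `_default_credentials` should say it returns only the requested keys it can satisfy from the JID, the configured credentials and the socket (and that `creds['password']` raises KeyError when no password is configured), and `_default_security` that every key other than `encrypted` is read from `self.config` with `False` as the default.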
@@ -111,37 +135,61 @@ class FeatureMechanisms(BasePlugin):
# server has incorrectly offered it again.
return False
- if not self.use_mech:
- self.mech_list = set(features['mechanisms'])
- else:
- self.mech_list = set([self.use_mech])
+ enforce_limit = False
+ limited_mechs = self.use_mechs
+
+ if limited_mechs is None:
+ limited_mechs = set()
+ elif limited_mechs and not isinstance(limited_mechs, set):
+ limited_mechs = set(limited_mechs)
+ enforce_limit = True
+
+ if self.use_mech:
+ limited_mechs.add(self.use_mech)
+ enforce_limit = True
+
+ if enforce_limit:
+ self.use_mechs = limited_mechs
+
+ self.mech_list = set(features['mechanisms'])
+
return self._send_auth()
def _send_auth(self):
mech_list = self.mech_list - self.attempted_mechs
- self.mech = self.sasl.choose_mechanism(mech_list)
-
- if mech_list and self.mech is not None:
- resp = stanza.Auth(self.xmpp)
- resp['mechanism'] = self.mech.name
- try:
- resp['value'] = self.mech.process()
- except SASLCancelled:
- self.attempted_mechs.add(self.mech.name)
- self._send_auth()
- except SASLError:
- self.attempted_mechs.add(self.mech.name)
- self._send_auth()
- except SASLPrepFailure:
- log.exception("A credential value did not pass SASLprep.")
- self.xmpp.disconnect()
- else:
- resp.send(now=True)
- else:
+ try:
+ self.mech = sasl.choose(mech_list,
+ self.sasl_callback,
+ self.security_callback,
+ limit=self.use_mechs,
+ min_mech=self.min_mech)
+ except sasl.SASLNoAppropriateMechanism:
log.error("No appropriate login method.")
self.xmpp.event("no_auth", direct=True)
self.attempted_mechs = set()
+ return self.xmpp.disconnect()
+
+ resp = stanza.Auth(self.xmpp)
+ resp['mechanism'] = self.mech.name
+ try:
+ resp['value'] = self.mech.process()
+ except sasl.SASLCancelled:
+ self.attempted_mechs.add(self.mech.name)
+ self._send_auth()
+ except sasl.SASLFailed:
+ self.attempted_mechs.add(self.mech.name)
+ self._send_auth()
+ except sasl.SASLMutualAuthFailed:
+ log.error("Mutual authentication failed! " + \
+ "A security breach is possible.")
+ self.attempted_mechs.add(self.mech.name)
+ self.xmpp.disconnect()
+ except StringPrepError:
+ log.exception("A credential value did not pass SASLprep.")
self.xmpp.disconnect()
+ else:
+ resp.send(now=True)
+
return True
def _handle_challenge(self, stanza):
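Review bot: In `_handle_sasl_auth`, a falsy but non-`None` `use_mechs` (an empty list or tuple) skips both branches, so `limited_mechs` stays a list and `limited_mechs.add(self.use_mech)` raises AttributeError whenever `use_mech` is also set; `if not limited_mechs:` / `limited_mechs = set()` / `elif not isinstance(limited_mechs, set):` handles that case and keeps the existing behaviour otherwise. In `_send_auth`, `return self.xmpp.disconnect()` on `SASLNoAppropriateMechanism` hands the feature handler whatever `disconnect()` returns instead of the boolean the other paths use; `self.xmpp.disconnect()` followed by `return True` would be consistent. The `log.error("..." + \` continuation inside parentheses is unnecessary — adjacent string literals concatenate on their own.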
@@ -149,20 +197,33 @@ class FeatureMechanisms(BasePlugin):
resp = self.stanza.Response(self.xmpp)
try:
resp['value'] = self.mech.process(stanza['value'])
- except SASLCancelled:
+ except sasl.SASLCancelled:
self.stanza.Abort(self.xmpp).send()
- except SASLError:
+ except sasl.SASLFailed:
self.stanza.Abort(self.xmpp).send()
+ except sasl.SASLMutualAuthFailed:
+ log.error("Mutual authentication failed! " + \
+ "A security breach is possible.")
+ self.attempted_mechs.add(self.mech.name)
+ self.xmpp.disconnect()
else:
resp.send(now=True)
def _handle_success(self, stanza):
"""SASL authentication succeeded. Restart the stream."""
- self.attempted_mechs = set()
- self.xmpp.authenticated = True
- self.xmpp.features.add('mechanisms')
- self.xmpp.event('auth_success', stanza, direct=True)
- raise RestartStream()
+ try:
+ final = self.mech.process(stanza['value'])
+ except sasl.SASLMutualAuthFailed:
+ log.error("Mutual authentication failed! " + \
+ "A security breach is possible.")
+ self.attempted_mechs.add(self.mech.name)
+ self.xmpp.disconnect()
+ else:
+ self.attempted_mechs = set()
+ self.xmpp.authenticated = True
+ self.xmpp.features.add('mechanisms')
+ self.xmpp.event('auth_success', stanza, direct=True)
+ raise RestartStream()
def _handle_fail(self, stanza):
"""SASL authentication failed. Disconnect and shutdown."""
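Review bot: `_handle_success` only catches `sasl.SASLMutualAuthFailed` around `self.mech.process(stanza['value'])`, whereas `_handle_challenge` treats `SASLCancelled` and `SASLFailed` as possible outcomes of `process()`; if a mechanism raises either on malformed server-final data, the exception now escapes the success handler instead of ending the session. Adding `except (sasl.SASLCancelled, sasl.SASLFailed):` with `self.xmpp.disconnect()` next to the mutual-auth branch keeps a bad server reply from surfacing as an unhandled error. The identical three-line mutual-auth handler now appears three times in this file; a small `_on_mutual_auth_failed()` helper would remove the duplication. `self.mech` is `None` until `_send_auth` runs, so a `<success/>` arriving before any auth attempt would fail with AttributeError here — worth a guard if the handler can be reached that way.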
diff --git a/sleekxmpp/features/feature_mechanisms/stanza/auth.py b/sleekxmpp/features/feature_mechanisms/stanza/auth.py
index 8b9d18b6..7b665345 100644
--- a/sleekxmpp/features/feature_mechanisms/stanza/auth.py
+++ b/sleekxmpp/features/feature_mechanisms/stanza/auth.py
@@ -8,8 +8,7 @@
import base64
-from sleekxmpp.thirdparty.suelta.util import bytes
-
+from sleekxmpp.util import bytes
from sleekxmpp.xmlstream import StanzaBase
diff --git a/sleekxmpp/features/feature_mechanisms/stanza/challenge.py b/sleekxmpp/features/feature_mechanisms/stanza/challenge.py
index 85d65403..24290281 100644
--- a/sleekxmpp/features/feature_mechanisms/stanza/challenge.py
+++ b/sleekxmpp/features/feature_mechanisms/stanza/challenge.py
@@ -8,8 +8,7 @@
import base64
-from sleekxmpp.thirdparty.suelta.util import bytes
-
+from sleekxmpp.util import bytes
from sleekxmpp.xmlstream import StanzaBase
diff --git a/sleekxmpp/features/feature_mechanisms/stanza/response.py b/sleekxmpp/features/feature_mechanisms/stanza/response.py
index 78636c9e..ca7624f1 100644
--- a/sleekxmpp/features/feature_mechanisms/stanza/response.py
+++ b/sleekxmpp/features/feature_mechanisms/stanza/response.py
@@ -8,8 +8,7 @@
import base64
-from sleekxmpp.thirdparty.suelta.util import bytes
-
+from sleekxmpp.util import bytes
from sleekxmpp.xmlstream import StanzaBase
diff --git a/sleekxmpp/features/feature_mechanisms/stanza/success.py b/sleekxmpp/features/feature_mechanisms/stanza/success.py
index 7a5a73f2..7a4eab8e 100644
--- a/sleekxmpp/features/feature_mechanisms/stanza/success.py
+++ b/sleekxmpp/features/feature_mechanisms/stanza/success.py
@@ -6,8 +6,10 @@
See the file LICENSE for copying permission.
"""
-from sleekxmpp.xmlstream import StanzaBase
+import base64
+from sleekxmpp.util import bytes
+from sleekxmpp.xmlstream import StanzaBase
class Success(StanzaBase):
@@ -16,9 +18,21 @@ class Success(StanzaBase):
name = 'success'
namespace = 'urn:ietf:params:xml:ns:xmpp-sasl'
- interfaces = set()
+ interfaces = set(['value'])
plugin_attrib = name
def setup(self, xml):
StanzaBase.setup(self, xml)
self.xml.tag = self.tag_name()
+
+ def get_value(self):
+ return base64.b64decode(bytes(self.xml.text))
+
+ def set_value(self, values):
+ if values:
+ self.xml.text = bytes(base64.b64encode(values)).decode('utf-8')
+ else:
+ self.xml.text = '='
+
+ def del_value(self):
+ self.xml.text = ''
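Review bot: `get_value` calls `bytes(self.xml.text)` without handling an empty `<success/>`, where `self.xml.text` is `None`; whether the `sleekxmpp.util.bytes` shim accepts `None` is not visible here, but the element is commonly empty when the mechanism has no additional data, so `return base64.b64decode(bytes(self.xml.text or ''))` is the safer form. `set_value` writes `'='` for an empty payload, which is the SASL-over-XMPP marker for "zero-length data present", while `del_value` writes `''`; a one-line comment on `set_value` noting that distinction would help the next reader. Note that `bytes` here is the imported helper, not the builtin, so the shadowing is worth a comment too.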
diff --git a/sleekxmpp/plugins/xep_0047/stanza.py b/sleekxmpp/plugins/xep_0047/stanza.py
index afba07a8..e4a32f87 100644
--- a/sleekxmpp/plugins/xep_0047/stanza.py
+++ b/sleekxmpp/plugins/xep_0047/stanza.py
@@ -1,9 +1,9 @@
import re
import base64
+from sleekxmpp.util import bytes
from sleekxmpp.exceptions import XMPPError
from sleekxmpp.xmlstream import ElementBase
-from sleekxmpp.thirdparty.suelta.util import bytes
VALID_B64 = re.compile(r'[A-Za-z0-9\+\/]*=*')
diff --git a/sleekxmpp/plugins/xep_0054/stanza.py b/sleekxmpp/plugins/xep_0054/stanza.py
index 75b69d3e..512e1dd8 100644
--- a/sleekxmpp/plugins/xep_0054/stanza.py
+++ b/sleekxmpp/plugins/xep_0054/stanza.py
@@ -1,8 +1,7 @@
import base64
import datetime as dt
-from sleekxmpp.thirdparty.suelta.util import bytes
-
+from sleekxmpp.util import bytes
from sleekxmpp.xmlstream import ElementBase, ET, register_stanza_plugin, JID
from sleekxmpp.plugins import xep_0082
diff --git a/sleekxmpp/plugins/xep_0084/stanza.py b/sleekxmpp/plugins/xep_0084/stanza.py
index e9133998..22f11b72 100644
--- a/sleekxmpp/plugins/xep_0084/stanza.py
+++ b/sleekxmpp/plugins/xep_0084/stanza.py
@@ -7,8 +7,8 @@
"""
from base64 import b64encode, b64decode
-from sleekxmpp.thirdparty.suelta.util import bytes
+from sleekxmpp.util import bytes
from sleekxmpp.xmlstream import ET, ElementBase, register_stanza_plugin
diff --git a/sleekxmpp/plugins/xep_0258/stanza.py b/sleekxmpp/plugins/xep_0258/stanza.py
index 4d828a46..a506064b 100644
--- a/sleekxmpp/plugins/xep_0258/stanza.py
+++ b/sleekxmpp/plugins/xep_0258/stanza.py
@@ -8,8 +8,7 @@
from base64 import b64encode, b64decode
-from sleekxmpp.thirdparty.suelta.util import bytes
-
+from sleekxmpp.util import bytes
from sleekxmpp.xmlstream import ElementBase, ET, register_stanza_plugin
diff --git a/sleekxmpp/thirdparty/__init__.py b/sleekxmpp/thirdparty/__init__.py
index b9c82a7f..502be6b6 100644
--- a/sleekxmpp/thirdparty/__init__.py
+++ b/sleekxmpp/thirdparty/__init__.py
@@ -8,5 +8,4 @@ try:
except:
from sleekxmpp.thirdparty.gnupg import GPG
-from sleekxmpp.thirdparty import suelta
from sleekxmpp.thirdparty.mini_dateutil import tzutc, tzoffset, parse_iso
diff --git a/sleekxmpp/thirdparty/suelta/LICENSE b/sleekxmpp/thirdparty/suelta/LICENSE
deleted file mode 100644
index 6eee4f33..00000000
--- a/sleekxmpp/thirdparty/suelta/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-This software is subject to "The MIT License"
-
-Copyright 2007-2010 David Alan Cridland
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/sleekxmpp/thirdparty/suelta/PLAYING-NICELY b/sleekxmpp/thirdparty/suelta/PLAYING-NICELY
deleted file mode 100644
index 393b8078..00000000
--- a/sleekxmpp/thirdparty/suelta/PLAYING-NICELY
+++ /dev/null
@@ -1,27 +0,0 @@
-Hi.
-
-This is a short note explaining the license in non-legally-binding terms, and
-describing how I hope to see people work with the licensing.
-
-First off, the license is permissive, and more or less allows you to do
-anything, as long as you leave my credit and copyright intact.
-
-You can, and are very much welcome to, include this in commercial works, and
-in code that has tightly controlled distribution, as well as open-source.
-
-If it doesn't work - and I have no doubt that there are bugs - then this is
-largely your problem.
-
-If you do find a bug, though, do let me know - although you don't have to.
-
-And if you fix it, I'd greatly appreciate a patch, too. Please give me a
-licensing statement, and a copyright statement, along with your patch.
-
-Similarly, any enhancements are welcome, and also will need copyright and
-licensing. Please stick to a license which is compatible with the MIT license,
-and consider assignment (as required) to me to simplify licensing. (Public
-domain does not exist in the UK, sorry).
-
-Thanks,
-
-Dave.
diff --git a/sleekxmpp/thirdparty/suelta/README b/sleekxmpp/thirdparty/suelta/README
deleted file mode 100644
index c32463a4..00000000
--- a/sleekxmpp/thirdparty/suelta/README
+++ /dev/null
@@ -1,8 +0,0 @@
-Suelta - A pure-Python SASL client library
-
-Suelta is a SASL library, providing you with authentication and in some cases
-security layers.
-
-It supports a wide range of typical SASL mechanisms, including the MTI for
-all known protocols.
-
diff --git a/sleekxmpp/thirdparty/suelta/__init__.py b/sleekxmpp/thirdparty/suelta/__init__.py
deleted file mode 100644
index 04f0cbad..00000000
--- a/sleekxmpp/thirdparty/suelta/__init__.py
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2007-2010 David Alan Cridland
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-from sleekxmpp.thirdparty.suelta.saslprep import saslprep
-from sleekxmpp.thirdparty.suelta.sasl import *
-from sleekxmpp.thirdparty.suelta.mechanisms import *
-
-__version__ = '2.0'
-__version_info__ = (2, 0, 0)
diff --git a/sleekxmpp/thirdparty/suelta/exceptions.py b/sleekxmpp/thirdparty/suelta/exceptions.py
deleted file mode 100644
index 40d8bad3..00000000
--- a/sleekxmpp/thirdparty/suelta/exceptions.py
+++ /dev/null
@@ -1,35 +0,0 @@
-class SASLError(Exception):
-
- def __init__(self, sasl, text, mech=None):
- """
- :param sasl: The main `suelta.SASL` object.
- :param text: Descpription of the error.
- :param mech: Optional reference to the mechanism object.
-
- :type sasl: `suelta.SASL`
- """
- self.sasl = sasl
- self.text = text
- self.mech = mech
-
- def __str__(self):
- if self.mech is None:
- return 'SASL Error: %s' % self.text
- else:
- return 'SASL Error (%s): %s' % (self.mech, self.text)
-
-
-class SASLCancelled(SASLError):
-
- def __init__(self, sasl, mech=None):
- """
- :param sasl: The main `suelta.SASL` object.
- :param mech: Optional reference to the mechanism object.
-
- :type sasl: `suelta.SASL`
- """
- super(SASLCancelled, self).__init__(sasl, "User cancelled", mech)
-
-
-class SASLPrepFailure(UnicodeError):
- pass
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/__init__.py b/sleekxmpp/thirdparty/suelta/mechanisms/__init__.py
deleted file mode 100644
index 2044ff80..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/__init__.py
+++ /dev/null
@@ -1,8 +0,0 @@
-from sleekxmpp.thirdparty.suelta.mechanisms.anonymous import ANONYMOUS
-from sleekxmpp.thirdparty.suelta.mechanisms.plain import PLAIN
-from sleekxmpp.thirdparty.suelta.mechanisms.cram_md5 import CRAM_MD5
-from sleekxmpp.thirdparty.suelta.mechanisms.digest_md5 import DIGEST_MD5
-from sleekxmpp.thirdparty.suelta.mechanisms.scram_hmac import SCRAM_HMAC
-from sleekxmpp.thirdparty.suelta.mechanisms.messenger_oauth2 import X_MESSENGER_OAUTH2
-from sleekxmpp.thirdparty.suelta.mechanisms.facebook_platform import X_FACEBOOK_PLATFORM
-from sleekxmpp.thirdparty.suelta.mechanisms.google_token import X_GOOGLE_TOKEN
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/anonymous.py b/sleekxmpp/thirdparty/suelta/mechanisms/anonymous.py
deleted file mode 100644
index e44e91a2..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/anonymous.py
+++ /dev/null
@@ -1,36 +0,0 @@
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-from sleekxmpp.thirdparty.suelta.exceptions import SASLError, SASLCancelled
-
-
-class ANONYMOUS(Mechanism):
-
- """
- """
-
- def __init__(self, sasl, name):
- """
- """
- super(ANONYMOUS, self).__init__(sasl, name, 0)
-
- def get_values(self):
- """
- """
- return {}
-
- def process(self, challenge=None):
- """
- """
- return b'Anonymous, Suelta'
-
- def okay(self):
- """
- """
- return True
-
- def get_user(self):
- """
- """
- return 'anonymous'
-
-
-register_mechanism('ANONYMOUS', 0, ANONYMOUS, use_hashes=False)
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/cram_md5.py b/sleekxmpp/thirdparty/suelta/mechanisms/cram_md5.py
deleted file mode 100644
index e07bb883..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/cram_md5.py
+++ /dev/null
@@ -1,63 +0,0 @@
-import sys
-import hmac
-
-from sleekxmpp.thirdparty.suelta.util import hash, bytes
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-from sleekxmpp.thirdparty.suelta.exceptions import SASLError, SASLCancelled
-
-
-class CRAM_MD5(Mechanism):
-
- """
- """
-
- def __init__(self, sasl, name):
- """
- """
- super(CRAM_MD5, self).__init__(sasl, name, 2)
-
- self.hash = hash(name[5:])
- if self.hash is None:
- raise SASLCancelled(self.sasl, self)
- if not self.sasl.tls_active():
- if not self.sasl.sec_query(self, 'CRAM-MD5'):
- raise SASLCancelled(self.sasl, self)
-
- def prep(self):
- """
- """
- if 'savepass' not in self.values:
- if self.sasl.sec_query(self, 'CLEAR-PASSWORD'):
- self.values['savepass'] = True
-
- if 'savepass' not in self.values:
- del self.values['password']
-
- def process(self, challenge=None):
- """
- """
- if challenge is None:
- return None
-
- self.check_values(['username', 'password'])
- username = bytes(self.values['username'])
- password = bytes(self.values['password'])
-
- mac = hmac.HMAC(key=password, digestmod=self.hash)
-
- mac.update(challenge)
-
- return username + b' ' + bytes(mac.hexdigest())
-
- def okay(self):
- """
- """
- return True
-
- def get_user(self):
- """
- """
- return self.values['username']
-
-
-register_mechanism('CRAM-', 20, CRAM_MD5)
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/digest_md5.py b/sleekxmpp/thirdparty/suelta/mechanisms/digest_md5.py
deleted file mode 100644
index 890f3e24..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/digest_md5.py
+++ /dev/null
@@ -1,275 +0,0 @@
-import sys
-
-import random
-import hmac
-
-from sleekxmpp.thirdparty.suelta.util import hash, bytes, quote
-from sleekxmpp.thirdparty.suelta.util import num_to_bytes, bytes_to_num
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-from sleekxmpp.thirdparty.suelta.exceptions import SASLError, SASLCancelled
-
-
-
-def parse_challenge(stuff):
- """
- """
- ret = {}
- var = b''
- val = b''
- in_var = True
- in_quotes = False
- new = False
- escaped = False
- for c in stuff:
- if sys.version_info >= (3, 0):
- c = bytes([c])
- if in_var:
- if c.isspace():
- continue
- if c == b'=':
- in_var = False
- new = True
- else:
- var += c
- else:
- if new:
- if c == b'"':
- in_quotes = True
- else:
- val += c
- new = False
- elif in_quotes:
- if escaped:
- escaped = False
- val += c
- else:
- if c == b'\\':
- escaped = True
- elif c == b'"':
- in_quotes = False
- else:
- val += c
- else:
- if c == b',':
- if var:
- ret[var] = val
- var = b''
- val = b''
- in_var = True
- else:
- val += c
- if var:
- ret[var] = val
- return ret
-
-
-class DIGEST_MD5(Mechanism):
-
- """
- """
-
- enc_magic = 'Digest session key to client-to-server signing key magic'
- dec_magic = 'Digest session key to server-to-client signing key magic'
-
- def __init__(self, sasl, name):
- """
- """
- super(DIGEST_MD5, self).__init__(sasl, name, 3)
-
- self.hash = hash(name[7:])
- if self.hash is None:
- raise SASLCancelled(self.sasl, self)
-
- if not self.sasl.tls_active():
- if not self.sasl.sec_query(self, '-ENCRYPTION, DIGEST-MD5'):
- raise SASLCancelled(self.sasl, self)
-
- self._rspauth_okay = False
- self._digest_uri = None
- self._a1 = None
- self._enc_buf = b''
- self._enc_key = None
- self._enc_seq = 0
- self._max_buffer = 65536
- self._dec_buf = b''
- self._dec_key = None
- self._dec_seq = 0
- self._qops = [b'auth']
- self._qop = b'auth'
-
- def MAC(self, seq, msg, key):
- """
- """
- mac = hmac.HMAC(key=key, digestmod=self.hash)
- seqnum = num_to_bytes(seq)
- mac.update(seqnum)
- mac.update(msg)
- return mac.digest()[:10] + b'\x00\x01' + seqnum
-
-
- def encode(self, text):
- """
- """
- self._enc_buf += text
-
- def flush(self):
- """
- """
- result = b''
- # Leave buffer space for the MAC
- mbuf = self._max_buffer - 10 - 2 - 4
-
- while self._enc_buf:
- msg = self._encbuf[:mbuf]
- mac = self.MAC(self._enc_seq, msg, self._enc_key, self.hash)
- self._enc_seq += 1
- msg += mac
- result += num_to_bytes(len(msg)) + msg
- self._enc_buf = self._enc_buf[mbuf:]
-
- return result
-
- def decode(self, text):
- """
- """
- self._dec_buf += text
- result = b''
-
- while len(self._dec_buf) > 4:
- num = bytes_to_num(self._dec_buf)
- if len(self._dec_buf) < (num + 4):
- return result
-
- mac = self._dec_buf[4:4 + num]
- self._dec_buf = self._dec_buf[4 + num:]
- msg = mac[:-16]
-
- mac_conf = self.MAC(self._dec_mac, msg, self._dec_key)
- if mac[-16:] != mac_conf:
- self._desc_sec = None
- return result
-
- self._dec_seq += 1
- result += msg
-
- return result
-
- def response(self):
- """
- """
- vitals = ['username']
- if not self.has_values(['key_hash']):
- vitals.append('password')
- self.check_values(vitals)
-
- resp = {}
- if 'auth-int' in self._qops:
- self._qop = b'auth-int'
- resp['qop'] = self._qop
- if 'realm' in self.values:
- resp['realm'] = quote(self.values['realm'])
-
- resp['username'] = quote(bytes(self.values['username']))
- resp['nonce'] = quote(self.values['nonce'])
- if self.values['nc']:
- self._cnonce = self.values['cnonce']
- else:
- self._cnonce = bytes('%s' % random.random())[2:]
- resp['cnonce'] = quote(self._cnonce)
- self.values['nc'] += 1
- resp['nc'] = bytes('%08x' % self.values['nc'])
-
- service = bytes(self.sasl.service)
- host = bytes(self.sasl.host)
- self._digest_uri = service + b'/' + host
- resp['digest-uri'] = quote(self._digest_uri)
-
- a2 = b'AUTHENTICATE:' + self._digest_uri
- if self._qop != b'auth':
- a2 += b':00000000000000000000000000000000'
- resp['maxbuf'] = b'16777215' # 2**24-1
- resp['response'] = self.gen_hash(a2)
- return b','.join([bytes(k) + b'=' + bytes(v) for k, v in resp.items()])
-
- def gen_hash(self, a2):
- """
- """
- if not self.has_values(['key_hash']):
- key_hash = self.hash()
- user = bytes(self.values['username'])
- password = bytes(self.values['password'])
- realm = bytes(self.values['realm'])
- kh = user + b':' + realm + b':' + password
- key_hash.update(kh)
- self.values['key_hash'] = key_hash.digest()
-
- a1 = self.hash(self.values['key_hash'])
- a1h = b':' + self.values['nonce'] + b':' + self._cnonce
- a1.update(a1h)
- response = self.hash()
- self._a1 = a1.digest()
- rv = bytes(a1.hexdigest().lower())
- rv += b':' + self.values['nonce']
- rv += b':' + bytes('%08x' % self.values['nc'])
- rv += b':' + self._cnonce
- rv += b':' + self._qop
- rv += b':' + bytes(self.hash(a2).hexdigest().lower())
- response.update(rv)
- return bytes(response.hexdigest().lower())
-
- def mutual_auth(self, cmp_hash):
- """
- """
- a2 = b':' + self._digest_uri
- if self._qop != b'auth':
- a2 += b':00000000000000000000000000000000'
- if self.gen_hash(a2) == cmp_hash:
- self._rspauth_okay = True
-
- def prep(self):
- """
- """
- if 'password' in self.values:
- del self.values['password']
- self.values['cnonce'] = self._cnonce
-
- def process(self, challenge=None):
- """
- """
- if challenge is None:
- if self.has_values(['username', 'realm', 'nonce', 'key_hash',
- 'nc', 'cnonce', 'qops']):
- self._qops = self.values['qops']
- return self.response()
- else:
- return None
-
- d = parse_challenge(challenge)
- if b'rspauth' in d:
- self.mutual_auth(d[b'rspauth'])
- else:
- if b'realm' not in d:
- d[b'realm'] = self.sasl.def_realm
- for key in ['nonce', 'realm']:
- if bytes(key) in d:
- self.values[key] = d[bytes(key)]
- self.values['nc'] = 0
- self._qops = [b'auth']
- if b'qop' in d:
- self._qops = [x.strip() for x in d[b'qop'].split(b',')]
- self.values['qops'] = self._qops
- if b'maxbuf' in d:
- self._max_buffer = int(d[b'maxbuf'])
- return self.response()
-
- def okay(self):
- """
- """
- if self._rspauth_okay and self._qop == b'auth-int':
- self._enc_key = self.hash(self._a1 + self.enc_magic).digest()
- self._dec_key = self.hash(self._a1 + self.dec_magic).digest()
- self.encoding = True
- return self._rspauth_okay
-
-
-register_mechanism('DIGEST-', 30, DIGEST_MD5)
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/facebook_platform.py b/sleekxmpp/thirdparty/suelta/mechanisms/facebook_platform.py
deleted file mode 100644
index af6a78eb..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/facebook_platform.py
+++ /dev/null
@@ -1,43 +0,0 @@
-from sleekxmpp.thirdparty.suelta.util import bytes
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-
-try:
- import urlparse
-except ImportError:
- import urllib.parse as urlparse
-
-
-
-class X_FACEBOOK_PLATFORM(Mechanism):
-
- def __init__(self, sasl, name):
- super(X_FACEBOOK_PLATFORM, self).__init__(sasl, name)
- self.check_values(['access_token', 'api_key'])
-
- def process(self, challenge=None):
- if challenge is not None:
- values = {}
- for kv in challenge.split(b'&'):
- key, value = kv.split(b'=')
- values[key] = value
-
- resp_data = {
- 'method': values[b'method'],
- 'v': '1.0',
- 'call_id': '1.0',
- 'nonce': values[b'nonce'],
- 'access_token': self.values['access_token'],
- 'api_key': self.values['api_key']
- }
-
- for k, v in resp_data.items():
- resp_data[k] = bytes(v).decode('utf-8')
-
- resp = '&'.join(['%s=%s' % (k, v) for k, v in resp_data.items()])
- return bytes(resp)
- return b''
-
- def okay(self):
- return True
-
-register_mechanism('X-FACEBOOK-PLATFORM', 40, X_FACEBOOK_PLATFORM, use_hashes=False)
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/google_token.py b/sleekxmpp/thirdparty/suelta/mechanisms/google_token.py
deleted file mode 100644
index e641bb91..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/google_token.py
+++ /dev/null
@@ -1,22 +0,0 @@
-from sleekxmpp.thirdparty.suelta.util import bytes
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-from sleekxmpp.thirdparty.suelta.exceptions import SASLError, SASLCancelled
-
-
-
-class X_GOOGLE_TOKEN(Mechanism):
-
- def __init__(self, sasl, name):
- super(X_GOOGLE_TOKEN, self).__init__(sasl, name)
- self.check_values(['email', 'access_token'])
-
- def process(self, challenge=None):
- email = bytes(self.values['email'])
- token = bytes(self.values['access_token'])
- return b'\x00' + email + b'\x00' + token
-
- def okay(self):
- return True
-
-
-register_mechanism('X-GOOGLE-TOKEN', 3, X_GOOGLE_TOKEN, use_hashes=False)
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/messenger_oauth2.py b/sleekxmpp/thirdparty/suelta/mechanisms/messenger_oauth2.py
deleted file mode 100644
index f5b0ddec..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/messenger_oauth2.py
+++ /dev/null
@@ -1,17 +0,0 @@
-from sleekxmpp.thirdparty.suelta.util import bytes
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-
-
-class X_MESSENGER_OAUTH2(Mechanism):
-
- def __init__(self, sasl, name):
- super(X_MESSENGER_OAUTH2, self).__init__(sasl, name)
- self.check_values(['access_token'])
-
- def process(self, challenge=None):
- return bytes(self.values['access_token'])
-
- def okay(self):
- return True
-
-register_mechanism('X-MESSENGER-OAUTH2', 10, X_MESSENGER_OAUTH2, use_hashes=False)
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/plain.py b/sleekxmpp/thirdparty/suelta/mechanisms/plain.py
deleted file mode 100644
index accae54a..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/plain.py
+++ /dev/null
@@ -1,61 +0,0 @@
-import sys
-
-from sleekxmpp.thirdparty.suelta.util import bytes
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-from sleekxmpp.thirdparty.suelta.exceptions import SASLError, SASLCancelled
-
-
-class PLAIN(Mechanism):
-
- """
- """
-
- def __init__(self, sasl, name):
- """
- """
- super(PLAIN, self).__init__(sasl, name)
-
- if not self.sasl.tls_active():
- if not self.sasl.sec_query(self, '-ENCRYPTION, PLAIN'):
- raise SASLCancelled(self.sasl, self)
- else:
- if not self.sasl.sec_query(self, '+ENCRYPTION, PLAIN'):
- raise SASLCancelled(self.sasl, self)
-
- self.check_values(['username', 'password'])
-
- def prep(self):
- """
- Prepare for processing by deleting the password if
- the user has not approved storing it in the clear.
- """
- if 'savepass' not in self.values:
- if self.sasl.sec_query(self, 'CLEAR-PASSWORD'):
- self.values['savepass'] = True
-
- if 'savepass' not in self.values:
- del self.values['password']
-
- return True
-
- def process(self, challenge=None):
- """
- Process a challenge request and return the response.
-
- :param challenge: A challenge issued by the server that
- must be answered for authentication.
- """
- user = bytes(self.values['username'])
- password = bytes(self.values['password'])
- return b'\x00' + user + b'\x00' + password
-
- def okay(self):
- """
- Mutual authentication is not supported by PLAIN.
-
- :returns: ``True``
- """
- return True
-
-
-register_mechanism('PLAIN', 5, PLAIN, use_hashes=False)
diff --git a/sleekxmpp/thirdparty/suelta/mechanisms/scram_hmac.py b/sleekxmpp/thirdparty/suelta/mechanisms/scram_hmac.py
deleted file mode 100644
index b70ac9a4..00000000
--- a/sleekxmpp/thirdparty/suelta/mechanisms/scram_hmac.py
+++ /dev/null
@@ -1,176 +0,0 @@
-import sys
-import hmac
-import random
-from base64 import b64encode, b64decode
-
-from sleekxmpp.thirdparty.suelta.util import hash, bytes, num_to_bytes, bytes_to_num, XOR
-from sleekxmpp.thirdparty.suelta.sasl import Mechanism, register_mechanism
-from sleekxmpp.thirdparty.suelta.exceptions import SASLError, SASLCancelled
-
-
-def parse_challenge(challenge):
- """
- """
- items = {}
- for key, value in [item.split(b'=', 1) for item in challenge.split(b',')]:
- items[key] = value
- return items
-
-
-class SCRAM_HMAC(Mechanism):
-
- """
- """
-
- def __init__(self, sasl, name):
- """
- """
- super(SCRAM_HMAC, self).__init__(sasl, name, 0)
-
- self._cb = False
- if name[-5:] == '-PLUS':
- name = name[:-5]
- self._cb = True
-
- self.hash = hash(name[6:])
- if self.hash is None:
- raise SASLCancelled(self.sasl, self)
- if not self.sasl.tls_active():
- if not self.sasl.sec_query(self, '-ENCRYPTION, SCRAM'):
- raise SASLCancelled(self.sasl, self)
-
- self._step = 0
- self._rspauth = False
-
- def HMAC(self, key, msg):
- """
- """
- return hmac.HMAC(key=key, msg=msg, digestmod=self.hash).digest()
-
- def Hi(self, text, salt, iterations):
- """
- """
- text = bytes(text)
- ui_1 = self.HMAC(text, salt + b'\0\0\0\01')
- ui = ui_1
- for i in range(iterations - 1):
- ui_1 = self.HMAC(text, ui_1)
- ui = XOR(ui, ui_1)
- return ui
-
- def H(self, text):
- """
- """
- return self.hash(text).digest()
-
- def prep(self):
- if 'password' in self.values:
- del self.values['password']
-
- def process(self, challenge=None):
- """
- """
- steps = {
- 0: self.process_one,
- 1: self.process_two,
- 2: self.process_three
- }
- return steps[self._step](challenge)
-
- def process_one(self, challenge):
- """
- """
- vitals = ['username']
- if 'SaltedPassword' not in self.values:
- vitals.append('password')
- if 'Iterations' not in self.values:
- vitals.append('password')
-
- self.check_values(vitals)
-
- username = bytes(self.values['username'])
-
- self._step = 1
- self._cnonce = bytes(('%s' % random.random())[2:])
- self._soup = b'n=' + username + b',r=' + self._cnonce
- self._gs2header = b''
-
- if not self.sasl.tls_active():
- if self._cb:
- self._gs2header = b'p=tls-unique,,'
- else:
- self._gs2header = b'y,,'
- else:
- self._gs2header = b'n,,'
-
- return self._gs2header + self._soup
-
- def process_two(self, challenge):
- """
- """
- data = parse_challenge(challenge)
-
- self._step = 2
- self._soup += b',' + challenge + b','
- self._nonce = data[b'r']
- self._salt = b64decode(data[b's'])
- self._iter = int(data[b'i'])
-
- if self._nonce[:len(self._cnonce)] != self._cnonce:
- raise SASLCancelled(self.sasl, self)
-
- cbdata = self.sasl.tls_active()
- c = self._gs2header
- if not cbdata and self._cb:
- c += None
-
- r = b'c=' + b64encode(c).replace(b'\n', b'')
- r += b',r=' + self._nonce
- self._soup += r
-
- if 'Iterations' in self.values:
- if self.values['Iterations'] != self._iter:
- if 'SaltedPassword' in self.values:
- del self.values['SaltedPassword']
- if 'Salt' in self.values:
- if self.values['Salt'] != self._salt:
- if 'SaltedPassword' in self.values:
- del self.values['SaltedPassword']
-
- self.values['Iterations'] = self._iter
- self.values['Salt'] = self._salt
-
- if 'SaltedPassword' not in self.values:
- self.check_values(['password'])
- password = bytes(self.values['password'])
- salted_pass = self.Hi(password, self._salt, self._iter)
- self.values['SaltedPassword'] = salted_pass
-
- salted_pass = self.values['SaltedPassword']
- client_key = self.HMAC(salted_pass, b'Client Key')
- stored_key = self.H(client_key)
- client_sig = self.HMAC(stored_key, self._soup)
- client_proof = XOR(client_key, client_sig)
- r += b',p=' + b64encode(client_proof).replace(b'\n', b'')
- server_key = self.HMAC(self.values['SaltedPassword'], b'Server Key')
- self.server_sig = self.HMAC(server_key, self._soup)
- return r
-
- def process_three(self, challenge=None):
- """
- """
- data = parse_challenge(challenge)
- if b64decode(data[b'v']) == self.server_sig:
- self._rspauth = True
-
- def okay(self):
- """
- """
- return self._rspauth
-
- def get_user(self):
- return self.values['username']
-
-
-register_mechanism('SCRAM-', 60, SCRAM_HMAC)
-register_mechanism('SCRAM-', 70, SCRAM_HMAC, extra='-PLUS')
diff --git a/sleekxmpp/thirdparty/suelta/sasl.py b/sleekxmpp/thirdparty/suelta/sasl.py
deleted file mode 100644
index 2ae9ae61..00000000
--- a/sleekxmpp/thirdparty/suelta/sasl.py
+++ /dev/null
@@ -1,402 +0,0 @@
-from sleekxmpp.thirdparty.suelta.util import hashes
-from sleekxmpp.thirdparty.suelta.saslprep import saslprep
-
-#: Global session storage for user answers to requested mechanism values
-#: and security questions. This allows the user's preferences to be
-#: persisted across multiple SASL authentication attempts made by the
-#: same process.
-SESSION = {'answers': {},
- 'passwords': {},
- 'sec_queries': {},
- 'stash': {},
- 'stash_file': ''}
-
-#: Global registry mapping mechanism names to implementation classes.
-MECHANISMS = {}
-
-#: Global registry mapping mechanism names to security scores.
-MECH_SEC_SCORES = {}
-
-
-def register_mechanism(basename, basescore, impl, extra=None, use_hashes=True):
- """
- Add a SASL mechanism to the registry of available mechanisms.
-
- :param basename: The base name of the mechanism type, such as ``CRAM-``.
- :param basescore: The base security score for this type of mechanism.
- :param impl: The class implementing the mechanism.
- :param extra: Any additional qualifiers to the mechanism name,
- such as ``-PLUS``.
- :param use_hashes: If ``True``, then register the mechanism for use with
- all available hashes.
- """
- n = 0
- if use_hashes:
- for hashing_alg in hashes():
- n += 1
- name = basename + hashing_alg
- if extra is not None:
- name += extra
- MECHANISMS[name] = impl
- MECH_SEC_SCORES[name] = basescore + n
- else:
- MECHANISMS[basename] = impl
- MECH_SEC_SCORES[basename] = basescore
-
-
-def set_stash_file(filename):
- """
- Enable or disable storing the stash to disk.
-
- If the filename is ``None``, then disable using a stash file.
-
- :param filename: The path to the file to store the stash data.
- """
- SESSION['stash_file'] = filename
- try:
- import marshal
- stash_file = file(filename)
- SESSION['stash'] = marshal.load(stash_file)
- except:
- SESSION['stash'] = {}
-
-
-def sec_query_allow(mech, query):
- """
- Quick default to allow all feature combinations which could
- negatively affect security.
-
- :param mech: The chosen SASL mechanism
- :param query: An encoding of the combination of enabled and
- disabled features which may affect security.
-
- :returns: ``True``
- """
- return True
-
-
-class SASL(object):
-
- """
- """
-
- def __init__(self, host, service, mech=None, username=None,
- min_sec=0, request_values=None, sec_query=None,
- tls_active=None, def_realm=None):
- """
- :param string host: The host of the service requiring authentication.
- :param string service: The name of the underlying protocol in use.
- :param string mech: Optional name of the SASL mechanism to use.
- If given, only this mechanism may be used for
- authentication.
- :param string username: The username to use when authenticating.
- :param request_values: Reference to a function for supplying
- values requested by mechanisms, such
- as passwords. (See above)
- :param sec_query: Reference to a function for approving or
- denying feature combinations which could
- negatively impact security. (See above)
- :param tls_active: Function for indicating if TLS has been
- negotiated. (See above)
- :param integer min_sec: The minimum security level accepted. This
- only allows for SASL mechanisms whose
- security rating is greater than `min_sec`.
- :param string def_realm: The default realm, if different than `host`.
-
- :type request_values: :func:`request_values`
- :type sec_query: :func:`sec_query`
- :type tls_active: :func:`tls_active`
- """
- self.host = host
- self.def_realm = def_realm or host
- self.service = service
- self.user = username
- self.mech = mech
- self.min_sec = min_sec - 1
-
- self.request_values = request_values
- self._sec_query = sec_query
- if tls_active is not None:
- self.tls_active = tls_active
- else:
- self.tls_active = lambda: False
-
- self.try_username = self.user
- self.try_password = None
-
- self.stash_id = None
- self.testkey = None
-
- def reset_stash_id(self, username):
- """
- Reset the ID for the stash for persisting user data.
-
- :param username: The username to base the new ID on.
- """
- username = saslprep(username)
- self.user = username
- self.try_username = self.user
- self.testkey = [self.user, self.host, self.service]
- self.stash_id = '\0'.join(self.testkey)
-
- def sec_query(self, mech, query):
- """
- Request authorization from the user to use a combination
- of features which could negatively affect security.
-
- The ``sec_query`` callback when creating the SASL object will
- be called if the query has not been answered before. Otherwise,
- the query response will be pulled from ``SESSION['sec_queries']``.
-
- If no ``sec_query`` callback was provided, then all queries
- will be denied.
-
- :param mech: The chosen SASL mechanism
- :param query: An encoding of the combination of enabled and
- disabled features which may affect security.
- :rtype: bool
- """
- if self._sec_query is None:
- return False
- if query in SESSION['sec_queries']:
- return SESSION['sec_queries'][query]
- resp = self._sec_query(mech, query)
- if resp:
- SESSION['sec_queries'][query] = resp
-
- return resp
-
- def find_password(self, mech):
- """
- Find and return the user's password, if it has been entered before
- during this session.
-
- :param mech: The chosen SASL mechanism.
- """
- if self.try_password is not None:
- return self.try_password
- if self.testkey is None:
- return
-
- testkey = self.testkey[:]
- lockout = 1
-
- def find_username(self):
- """Find and return user's username if known."""
- return self.try_username
-
- def success(self, mech):
- mech.preprep()
- if 'password' in mech.values:
- testkey = self.testkey[:]
- while len(testkey):
- tk = '\0'.join(testkey)
- if tk in SESSION['passwords']:
- break
- SESSION['passwords'][tk] = mech.values['password']
- testkey = testkey[:-1]
- mech.prep()
- mech.save_values()
-
- def failure(self, mech):
- mech.clear()
- self.testkey = self.testkey[:-1]
-
- def choose_mechanism(self, mechs, force_plain=False):
- """
- Choose the most secure mechanism from a list of mechanisms.
-
- If ``force_plain`` is given, return the ``PLAIN`` mechanism.
-
- :param mechs: A list of mechanism names.
- :param force_plain: If ``True``, force the selection of the
- ``PLAIN`` mechanism.
- :returns: A SASL mechanism object, or ``None`` if no mechanism
- could be selected.
- """
- # Handle selection of PLAIN and ANONYMOUS
- if force_plain:
- return MECHANISMS['PLAIN'](self, 'PLAIN')
-
- if self.user is not None:
- requested_mech = '*' if self.mech is None else self.mech
- else:
- if self.mech is None:
- requested_mech = 'ANONYMOUS'
- else:
- requested_mech = self.mech
- if requested_mech == '*' and self.user in ['', 'anonymous', None]:
- requested_mech = 'ANONYMOUS'
-
- # If a specific mechanism was requested, try it
- if requested_mech != '*':
- if requested_mech in MECHANISMS and \
- requested_mech in MECH_SEC_SCORES:
- return MECHANISMS[requested_mech](self, requested_mech)
- return None
-
- # Pick the best mechanism based on its security score
- best_score = self.min_sec
- best_mech = None
- for name in mechs:
- if name in MECH_SEC_SCORES:
- if MECH_SEC_SCORES[name] > best_score:
- best_score = MECH_SEC_SCORES[name]
- best_mech = name
- if best_mech is not None:
- best_mech = MECHANISMS[best_mech](self, best_mech)
-
- return best_mech
-
-
-class Mechanism(object):
-
- """
- """
-
- def __init__(self, sasl, name, version=0, use_stash=True):
- self.name = name
- self.sasl = sasl
- self.use_stash = use_stash
-
- self.encoding = False
- self.values = {}
-
- if use_stash:
- self.load_values()
-
- def load_values(self):
- """Retrieve user data from the stash."""
- self.values = {}
- if not self.use_stash:
- return False
- if self.sasl.stash_id is not None:
- if self.sasl.stash_id in SESSION['stash']:
- if SESSION['stash'][self.sasl.stash_id]['mech'] == self.name:
- values = SESSION['stash'][self.sasl.stash_id]['values']
- self.values.update(values)
- if self.sasl.user is not None:
- if not self.has_values(['username']):
- self.values['username'] = self.sasl.user
- return None
-
- def save_values(self):
- """
- Save user data to the session stash.
-
- If a stash file name has been set using ``SESSION['stash_file']``,
- the saved values will be persisted to disk.
- """
- if not self.use_stash:
- return False
- if self.sasl.stash_id is not None:
- if self.sasl.stash_id not in SESSION['stash']:
- SESSION['stash'][self.sasl.stash_id] = {}
- SESSION['stash'][self.sasl.stash_id]['values'] = self.values
- SESSION['stash'][self.sasl.stash_id]['mech'] = self.name
- if SESSION['stash_file'] not in ['', None]:
- import marshal
- stash_file = file(SESSION['stash_file'], 'wb')
- marshal.dump(SESSION['stash'], stash_file)
-
- def clear(self):
- """Reset all user data, except the username."""
- username = None
- if 'username' in self.values:
- username = self.values['username']
- self.values = {}
- if username is not None:
- self.values['username'] = username
- self.save_values()
- self.values = {}
- self.load_values()
-
- def okay(self):
- """
- Indicate if mutual authentication has completed successfully.
-
- :rtype: bool
- """
- return False
-
- def preprep(self):
- """Ensure that the stash ID has been set before processing."""
- if self.sasl.stash_id is None:
- if 'username' in self.values:
- self.sasl.reset_stash_id(self.values['username'])
-
- def prep(self):
- """
- Prepare stored values for processing.
-
- For example, by removing extra copies of passwords from memory.
- """
- pass
-
- def process(self, challenge=None):
- """
- Process a challenge request and return the response.
-
- :param challenge: A challenge issued by the server that
- must be answered for authentication.
- """
- raise NotImplemented
-
- def fulfill(self, values):
- """
- Provide requested values to the mechanism.
-
- :param values: A dictionary of requested values.
- """
- if 'password' in values:
- values['password'] = saslprep(values['password'])
- self.values.update(values)
-
- def missing_values(self, keys):
- """
- Return a dictionary of value names that have not been given values
- by the user, or retrieved from the stash.
-
- :param keys: A list of value names to check.
- :rtype: dict
- """
- vals = {}
- for name in keys:
- if name not in self.values or self.values[name] is None:
- if self.use_stash:
- if name == 'username':
- value = self.sasl.find_username()
- if value is not None:
- self.sasl.reset_stash_id(value)
- self.values[name] = value
- break
- if name == 'password':
- value = self.sasl.find_password(self)
- if value is not None:
- self.values[name] = value
- break
- vals[name] = None
- return vals
-
- def has_values(self, keys):
- """
- Check that the given values have been retrieved from the user,
- or from the stash.
-
- :param keys: A list of value names to check.
- """
- return len(self.missing_values(keys)) == 0
-
- def check_values(self, keys):
- """
- Request missing values from the user.
-
- :param keys: A list of value names to request, if missing.
- """
- vals = self.missing_values(keys)
- if vals:
- self.sasl.request_values(self, vals)
-
- def get_user(self):
- """Return the username usd for this mechanism."""
- return self.values['username']
diff --git a/sleekxmpp/thirdparty/suelta/saslprep.py b/sleekxmpp/thirdparty/suelta/saslprep.py
deleted file mode 100644
index 0e72fcb1..00000000
--- a/sleekxmpp/thirdparty/suelta/saslprep.py
+++ /dev/null
@@ -1,81 +0,0 @@
-from __future__ import unicode_literals
-
-import sys
-import stringprep
-import unicodedata
-
-
-from sleekxmpp.thirdparty.suelta.exceptions import SASLPrepFailure
-
-
-def saslprep(text, strict=True):
- """
- Return a processed version of the given string, using the SASLPrep
- profile of stringprep.
-
- :param text: The string to process, in UTF-8.
- :param strict: If ``True``, prevent the use of unassigned code points.
- """
-
- if sys.version_info < (3, 0):
- if type(text) == str:
- text = text.decode('utf-8')
-
- # Mapping:
- #
- # - non-ASCII space characters [StringPrep, C.1.2] that can be
- # mapped to SPACE (U+0020), and
- #
- # - the 'commonly mapped to nothing' characters [StringPrep, B.1]
- # that can be mapped to nothing.
- buffer = ''
- for char in text:
- if stringprep.in_table_c12(char):
- buffer += ' '
- elif not stringprep.in_table_b1(char):
- buffer += char
-
- # Normalization using form KC
- text = unicodedata.normalize('NFKC', buffer)
-
- # Check for bidirectional string
- buffer = ''
- first_is_randal = False
- if text:
- first_is_randal = stringprep.in_table_d1(text[0])
- if first_is_randal and not stringprep.in_table_d1(text[-1]):
- raise SASLPrepFailure('Section 6.3 [end]')
-
- # Check for prohibited characters
- for x in range(len(text)):
- if strict and stringprep.in_table_a1(text[x]):
- raise SASLPrepFailure('Unassigned Codepoint')
- if stringprep.in_table_c12(text[x]):
- raise SASLPrepFailure('In table C.1.2')
- if stringprep.in_table_c21(text[x]):
- raise SASLPrepFailure('In table C.2.1')
- if stringprep.in_table_c22(text[x]):
- raise SASLPrepFailure('In table C.2.2')
- if stringprep.in_table_c3(text[x]):
- raise SASLPrepFailure('In table C.3')
- if stringprep.in_table_c4(text[x]):
- raise SASLPrepFailure('In table C.4')
- if stringprep.in_table_c5(text[x]):
- raise SASLPrepFailure('In table C.5')
- if stringprep.in_table_c6(text[x]):
- raise SASLPrepFailure('In table C.6')
- if stringprep.in_table_c7(text[x]):
- raise SASLPrepFailure('In table C.7')
- if stringprep.in_table_c8(text[x]):
- raise SASLPrepFailure('In table C.8')
- if stringprep.in_table_c9(text[x]):
- raise SASLPrepFailure('In table C.9')
- if x:
- if first_is_randal and stringprep.in_table_d2(text[x]):
- raise SASLPrepFailure('Section 6.2')
- if not first_is_randal and \
- x != len(text) - 1 and \
- stringprep.in_table_d1(text[x]):
- raise SASLPrepFailure('Section 6.3')
-
- return text
diff --git a/sleekxmpp/thirdparty/suelta/util.py b/sleekxmpp/thirdparty/suelta/util.py
deleted file mode 100644
index cd2439d5..00000000
--- a/sleekxmpp/thirdparty/suelta/util.py
+++ /dev/null
@@ -1,121 +0,0 @@
-"""
-"""
-
-import sys
-import hashlib
-
-
-def bytes(text):
- """
- Convert Unicode text to UTF-8 encoded bytes.
-
- Since Python 2.6+ and Python 3+ have similar but incompatible
- signatures, this function unifies the two to keep code sane.
-
- :param text: Unicode text to convert to bytes
- :rtype: bytes (Python3), str (Python2.6+)
- """
- if text is None:
- return b''
-
- if sys.version_info < (3, 0):
- import __builtin__
- return __builtin__.bytes(text)
- else:
- import builtins
- if isinstance(text, builtins.bytes):
- # We already have bytes, so do nothing
- return text
- if isinstance(text, list):
- # Convert a list of integers to bytes
- return builtins.bytes(text)
- else:
- # Convert UTF-8 text to bytes
- return builtins.bytes(text, encoding='utf-8')
-
-
-def quote(text):
- """
- Enclose in quotes and escape internal slashes and double quotes.
-
- :param text: A Unicode or byte string.
- """
- text = bytes(text)
- return b'"' + text.replace(b'\\', b'\\\\').replace(b'"', b'\\"') + b'"'
-
-
-def num_to_bytes(num):
- """
- Convert an integer into a four byte sequence.
-
- :param integer num: An integer to convert to its byte representation.
- """
- bval = b''
- bval += bytes(chr(0xFF & (num >> 24)))
- bval += bytes(chr(0xFF & (num >> 16)))
- bval += bytes(chr(0xFF & (num >> 8)))
- bval += bytes(chr(0xFF & (num >> 0)))
- return bval
-
-
-def bytes_to_num(bval):
- """
- Convert a four byte sequence to an integer.
-
- :param bytes bval: A four byte sequence to turn into an integer.
- """
- num = 0
- num += ord(bval[0] << 24)
- num += ord(bval[1] << 16)
- num += ord(bval[2] << 8)
- num += ord(bval[3])
- return num
-
-
-def XOR(x, y):
- """
- Return the results of an XOR operation on two equal length byte strings.
-
- :param bytes x: A byte string
- :param bytes y: A byte string
- :rtype: bytes
- """
- result = b''
- for a, b in zip(x, y):
- if sys.version_info < (3, 0):
- result += chr((ord(a) ^ ord(b)))
- else:
- result += bytes([a ^ b])
- return result
-
-
-def hash(name):
- """
- Return a hash function implementing the given algorithm.
-
- :param name: The name of the hashing algorithm to use.
- :type name: string
-
- :rtype: function
- """
- name = name.lower()
- if name.startswith('sha-'):
- name = 'sha' + name[4:]
- if name in dir(hashlib):
- return getattr(hashlib, name)
- return None
-
-
-def hashes():
- """
- Return a list of available hashing algorithms.
-
- :rtype: list of strings
- """
- t = []
- if 'md5' in dir(hashlib):
- t = ['MD5']
- if 'md2' in dir(hashlib):
- t += ['MD2']
- hashes = ['SHA-' + h[3:] for h in dir(hashlib) if h.startswith('sha')]
- return t + hashes
diff --git a/sleekxmpp/util/__init__.py b/sleekxmpp/util/__init__.py
index 86a87222..7637dda0 100644
--- a/sleekxmpp/util/__init__.py
+++ b/sleekxmpp/util/__init__.py
@@ -10,6 +10,10 @@
"""
+from sleekxmpp.util.misc_ops import bytes, unicode, hashes, hash, \
+ num_to_bytes, bytes_to_num, quote, XOR
+
+
# =====================================================================
# Standardize import of Queue class:
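Review bot: The new import line binds `bytes` and `hash` as names of the `sleekxmpp.util` package, shadowing the builtins for this module and for every caller that does `from sleekxmpp.util import *` (as `sleekxmpp/util/sasl/__init__.py` in this same commit does with its own modules). Since `misc_ops.bytes` and `misc_ops.hash` are deliberate compatibility shims, a one-line comment above the import saying so would stop the next maintainer from "fixing" the shadowing, e.g. `# NOTE: bytes/hash intentionally shadow the builtins: misc_ops provides py2/py3-uniform versions`. Declaring `__all__` here would also make the re-export explicit instead of a side effect of the import.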
diff --git a/sleekxmpp/util/sasl/__init__.py b/sleekxmpp/util/sasl/__init__.py
new file mode 100644
index 00000000..d054ce09
--- /dev/null
+++ b/sleekxmpp/util/sasl/__init__.py
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+"""
+ sleekxmpp.util.sasl
+ ~~~~~~~~~~~~~~~~~~~
+
+ This module was originally based on Dave Cridland's Suelta library.
+
+ Part of SleekXMPP: The Sleek XMPP Library
+
+ :copyright: (c) 2012 Nathanael C. Fritz, Lance J.T. Stout
+ :license: MIT, see LICENSE for more details
+"""
+
+from sleekxmpp.util.sasl.client import *
+from sleekxmpp.util.sasl.mechanisms import *
diff --git a/sleekxmpp/util/sasl/client.py b/sleekxmpp/util/sasl/client.py
new file mode 100644
index 00000000..bf05a617
--- /dev/null
+++ b/sleekxmpp/util/sasl/client.py
@@ -0,0 +1,163 @@
+# -*- coding: utf-8 -*-
+"""
+ sleekxmpp.util.sasl.client
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ This module was originally based on Dave Cridland's Suelta library.
+
+ Part of SleekXMPP: The Sleek XMPP Library
+
+ :copyright: (c) 2012 Nathanael C. Fritz, Lance J.T. Stout
+ :license: MIT, see LICENSE for more details
+"""
+
+import stringprep
+
+from sleekxmpp.util import hashes, bytes, stringprep_profiles
+
+
+#: Global registry mapping mechanism names to implementation classes.
+MECHANISMS = {}
+
+
+#: Global registry mapping mechanism names to security scores.
+MECH_SEC_SCORES = {}
+
+
+#: The SASLprep profile of stringprep used to validate simple username
+#: and password credentials.
+saslprep = stringprep_profiles.create(
+ nfkc=True,
+ bidi=True,
+ mappings=[
+ stringprep_profiles.b1_mapping,
+ stringprep_profiles.c12_mapping],
+ prohibited=[
+ stringprep.in_table_c12,
+ stringprep.in_table_c21,
+ stringprep.in_table_c22,
+ stringprep.in_table_c3,
+ stringprep.in_table_c4,
+ stringprep.in_table_c5,
+ stringprep.in_table_c6,
+ stringprep.in_table_c7,
+ stringprep.in_table_c8,
+ stringprep.in_table_c9],
+ unassigned=[stringprep.in_table_a1])
+
+
+def sasl_mech(score):
+ sec_score = score
+ def register(mech):
+ n = 0
+ mech.score = sec_score
+ if mech.use_hashes:
+ for hashing_alg in hashes():
+ n += 1
+ score = mech.score + n
+ name = '%s-%s' % (mech.name, hashing_alg)
+ MECHANISMS[name] = mech
+ MECH_SEC_SCORES[name] = score
+
+ if mech.channel_binding:
+ name += '-PLUS'
+ score += 10
+ MECHANISMS[name] = mech
+ MECH_SEC_SCORES[name] = score
+ else:
+ MECHANISMS[mech.name] = mech
+ MECH_SEC_SCORES[mech.name] = mech.score
+ if mech.channel_binding:
+ MECHANISMS[mech.name + '-PLUS'] = mech
+ MECH_SEC_SCORES[name] = mech.score + 10
+ return mech
+ return register
+
+
+class SASLNoAppropriateMechanism(Exception):
+ pass
+
+
+class SASLCancelled(Exception):
+ pass
+
+
+class SASLFailed(Exception):
+ pass
+
+
+class SASLMutualAuthFailed(SASLFailed):
+ pass
+
+
+class Mech(object):
+
+ name = 'GENERIC'
+ score = -1
+ use_hashes = False
+ channel_binding = False
+ required_credentials = set()
+ optional_credentials = set()
+
+ def __init__(self, name, credentials, security_settings):
+ self.credentials = credentials
+ self.security_settings = security_settings
+ self.values = {}
+ self.base_name = self.name
+ self.name = name
+ self.setup(name)
+
+ def setup(self, name):
+ pass
+
+ def process(self, challenge=b''):
+ return b''
+
+
+def choose(mech_list, credentials, security_settings, limit=None, min_mech=None):
+ available_mechs = set(MECHANISMS.keys())
+ if limit is None:
+ limit = set(mech_list)
+ if not isinstance(limit, set):
+ limit = set(limit)
+ if not isinstance(mech_list, set):
+ mech_list = set(mech_list)
+
+ mech_list = mech_list.intersection(limit)
+ available_mechs = available_mechs.intersection(mech_list)
+
+ best_score = MECH_SEC_SCORES.get(min_mech, -1)
+ best_mech = None
+ for name in available_mechs:
+ if name in MECH_SEC_SCORES:
+ if MECH_SEC_SCORES[name] > best_score:
+ best_score = MECH_SEC_SCORES[name]
+ best_mech = name
+ if best_mech is None:
+ raise SASLNoAppropriateMechanism()
+
+ mech_class = MECHANISMS[best_mech]
+
+ try:
+ creds = credentials(mech_class.required_credentials,
+ mech_class.optional_credentials)
+ for req in mech_class.required_credentials:
+ if req not in creds:
+ raise SASLCancelled('Missing credential: %s' % req)
+ for opt in mech_class.optional_credentials:
+ if opt not in creds:
+ creds[opt] = b''
+ for cred in creds:
+ if cred in ('username', 'password', 'authzid'):
+ creds[cred] = bytes(saslprep(creds[cred]))
+ else:
+ creds[cred] = bytes(creds[cred])
+ security_opts = security_settings(mech_class.security)
+
+ return mech_class(best_mech, creds, security_opts)
+ except SASLCancelled as e:
+ log.debug('SASL: %s: %s', (best_mech, e.message))
+ mech_list.remove(best_mech)
+ return choose(mech_list, credentials, security_settings,
+ limit=limit,
+ min_mech=min_mech)
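Review bot: The `except SASLCancelled` branch of `choose` turns a policy refusal into a silent downgrade: when the chosen mechanism's `setup` cancels for a security reason (PLAIN refusing to send a password over an unencrypted link), the mechanism is dropped and the next-best one is tried, and in the visible mechanisms that next one is LOGIN, which sends the same username and password in the clear but declares no `security` set for `security_settings` to gate on. Consider distinguishing a policy cancellation from a missing-credential cancellation (or giving LOGIN the same `unencrypted_plain` check) so the fallback cannot leak what the user just declined to send. As written the handler cannot run at all, because `log` is never imported or defined in this file and `e.message` does not exist on Python 3 exceptions; add `import logging` and `log = logging.getLogger(__name__)` at module level and log with `log.debug('SASL: %s: %s', best_mech, e)` (the current call also passes one tuple to two `%s` placeholders). Two further defects in the same file: the no-hashes branch of `sasl_mech` writes `MECH_SEC_SCORES[name] = mech.score + 10` with `name` unbound (it should be `MECH_SEC_SCORES[mech.name + '-PLUS']`), and `security_settings(mech_class.security)` raises AttributeError for any mechanism that does not define `security`, since `Mech` has no such class attribute; a `security = set()` default on `Mech` fixes that.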
diff --git a/sleekxmpp/util/sasl/mechanisms.py b/sleekxmpp/util/sasl/mechanisms.py
new file mode 100644
index 00000000..5822a6e4
--- /dev/null
+++ b/sleekxmpp/util/sasl/mechanisms.py
@@ -0,0 +1,531 @@
+# -*- coding: utf-8 -*-
+"""
+ sleekxmpp.util.sasl.mechanisms
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ A collection of supported SASL mechanisms.
+
+ This module was originally based on Dave Cridland's Suelta library.
+
+ Part of SleekXMPP: The Sleek XMPP Library
+
+ :copyright: (c) 2012 Nathanael C. Fritz, Lance J.T. Stout
+ :license: MIT, see LICENSE for more details
+"""
+
+import sys
+import hmac
+import random
+
+from base64 import b64encode, b64decode
+
+from sleekxmpp.util import bytes, hash, XOR, quote, num_to_bytes
+from sleekxmpp.util.sasl.client import sasl_mech, Mech, \
+ SASLCancelled, SASLFailed
+
+
+@sasl_mech(0)
+class ANONYMOUS(Mech):
+
+ name = 'ANONYMOUS'
+
+ def process(self, challenge=b''):
+ return b'Anonymous, Suelta'
+
+
+@sasl_mech(1)
+class LOGIN(Mech):
+
+ name = 'LOGIN'
+ required_credentials = set(['username', 'password'])
+
+ def setup(self, name):
+ self.step = 0
+
+ def process(self, challenge=b''):
+ if not challenge:
+ return b''
+
+ if self.step == 0:
+ self.step = 1
+ return self.credentials['username']
+ else:
+ return self.credentials['password']
+
+
+@sasl_mech(2)
+class PLAIN(Mech):
+
+ name = 'PLAIN'
+ required_credentials = set(['username', 'password'])
+ optional_credentials = set(['authzid'])
+ security = set(['encrypted', 'encrypted_plain', 'unencrypted_plain'])
+
+ def setup(self, name):
+ if not self.security_settings['encrypted']:
+ if not self.security_settings['unencrypted_plain']:
+ raise SASLCancelled('PLAIN without encryption')
+ else:
+ if not self.security_settings['encrypted_plain']:
+ raise SASLCancelled('PLAIN with encryption')
+
+ def process(self, challenge=b''):
+ authzid = self.credentials['authzid']
+ authcid = self.credentials['username']
+ password = self.credentials['password']
+ return authzid + b'\x00' + authcid + b'\x00' + password
+
+
+@sasl_mech(100)
+class EXTERNAL(Mech):
+
+ name = 'EXTERNAL'
+ optional_credentials = set(['authzid'])
+
+ def process(self, challenge=b''):
+ return self.credentials['authzid']
+
+
+@sasl_mech(30)
+class X_FACEBOOK_PLATFORM(Mech):
+
+ name = 'X-FACEBOOK-PLATFORM'
+ required_credentials = set(['api_key', 'access_token'])
+
+ def process(self, challenge=b''):
+ if challenge:
+ values = {}
+ for kv in challenge.split(b'&'):
+ key, value = kv.split(b'=')
+ values[key] = value
+
+ resp_data = {
+ b'method': values[b'method'],
+ b'v': b'1.0',
+ b'call_id': b'1.0',
+ b'nonce': values[b'nonce'],
+ b'access_token': self.credentials['access_token'],
+ b'api_key': self.credentials['api_key']
+ }
+
+ resp = '&'.join(['%s=%s' % (k, v) for k, v in resp_data.items()])
+ return bytes(resp)
+ return b''
+
+
+@sasl_mech(10)
+class X_MESSENGER_OAUTH2(Mech):
+
+ name = 'X-MESSENGER-OAUTH2'
+ required_credentials = set(['access_token'])
+
+ def process(self, challenge=b''):
+ return self.credentials['access_token']
+
+
+@sasl_mech(3)
+class X_GOOGLE_TOKEN(Mech):
+
+ name = 'X-GOOGLE-TOKEN'
+ required_credentials = set(['email', 'access_token'])
+
+ def process(self, challenge=b''):
+ email = self.credentials['email']
+ token = self.credentials['access_token']
+ return b'\x00' + email + b'\x00' + token
+
+
+@sasl_mech(20)
+class CRAM(Mech):
+
+ name = 'CRAM'
+ use_hashes = True
+ required_credentials = set(['username', 'password'])
+ security = set(['encrypted', 'unencrypted_cram'])
+
+ def setup(self, name):
+ self.hash_name = name[5:]
+ self.hash = hash(self.hash_name)
+ if self.hash is None:
+ raise SASLCancelled('Unknown hash: %s' % self.hash_name)
+ if not self.security_settings['encrypted']:
+ if not self.security_settings['unencrypted_cram']:
+ raise SASLCancelled('Unecrypted CRAM-%s' % self.hash_name)
+
+ def process(self, challenge=b''):
+ if not challenge:
+ return None
+
+ username = self.credentials['username']
+ password = self.credentials['password']
+
+ mac = hmac.HMAC(key=password, digestmod=self.hash)
+ mac.update(challenge)
+
+ return username + b' ' + bytes(mac.hexdigest())
+
+
+@sasl_mech(60)
+class SCRAM(Mech):
+
+ name = 'SCRAM'
+ use_hashes = True
+ channel_binding = True
+ required_credentials = set(['username', 'password'])
+ optional_credentials = set(['authzid', 'channel_binding'])
+ security = set(['encrypted', 'unencrypted_scram'])
+
+ def setup(self, name):
+ self.use_channel_binding = False
+ if name[-5:] == '-PLUS':
+ name = name[:-5]
+ self.use_channel_binding = True
+
+ self.hash_name = name[6:]
+ self.hash = hash(self.hash_name)
+
+ if self.hash is None:
+ raise SASLCancelled('Unknown hash: %s' % self.hash_name)
+ if not self.security_settings['encrypted']:
+ if not self.security_settings['unencrypted_scram']:
+ raise SASLCancelled('Unencrypted SCRAM')
+
+ self.step = 0
+ self._mutual_auth = False
+
+ def HMAC(self, key, msg):
+ return hmac.HMAC(key=key, msg=msg, digestmod=self.hash).digest()
+
+ def Hi(self, text, salt, iterations):
+ text = bytes(text)
+ ui1 = self.HMAC(text, salt + b'\0\0\0\01')
+ ui = ui1
+ for i in range(iterations - 1):
+ ui1 = self.HMAC(text, ui1)
+ ui = XOR(ui, ui1)
+ return ui
+
+ def H(self, text):
+ return self.hash(text).digest()
+
+ def saslname(self, value):
+ escaped = b''
+ for char in bytes(value):
+ if char == b',':
+ escaped += b'=2C'
+ elif char == b'=':
+ escaped += b'=3D'
+ else:
+ if isinstance(char, int):
+ char = chr(char)
+ escaped += bytes(char)
+ return escaped
+
+ def parse(self, challenge):
+ items = {}
+ for key, value in [item.split(b'=', 1) for item in challenge.split(b',')]:
+ items[key] = value
+ return items
+
+ def process(self, challenge=b''):
+ steps = [self.process_1, self.process_2, self.process_3]
+ return steps[self.step](challenge)
+
+ def process_1(self, challenge):
+ self.step = 1
+ data = {}
+
+ self.cnonce = bytes(('%s' % random.random())[2:])
+
+ gs2_cbind_flag = b'n'
+ if self.credentials['channel_binding']:
+ if self.use_channel_binding:
+ gs2_cbind_flag = b'p=tls-unique'
+ else:
+ gs2_cbind_flag = b'y'
+
+ authzid = b''
+ if self.credentials['authzid']:
+ authzid = b'a=' + self.saslname(self.credentials['authzid'])
+
+ self.gs2_header = gs2_cbind_flag + b',' + authzid + b','
+
+ nonce = b'r=' + self.cnonce
+ username = b'n=' + self.saslname(self.credentials['username'])
+
+ self.client_first_message_bare = username + b',' + nonce
+ self.client_first_message = self.gs2_header + \
+ self.client_first_message_bare
+
+ return self.client_first_message
+
+ def process_2(self, challenge):
+ self.step = 2
+
+ data = self.parse(challenge)
+ if b'm' in data:
+ raise SASLCancelled('Received reserved attribute.')
+
+ salt = b64decode(data[b's'])
+ iteration_count = int(data[b'i'])
+ nonce = data[b'r']
+
+ if nonce[:len(self.cnonce)] != self.cnonce:
+ raise SASLCancelled('Invalid nonce')
+
+ cbind_data = self.credentials['channel_binding']
+ cbind_input = self.gs2_header + cbind_data
+ channel_binding = b'c=' + b64encode(cbind_input).replace(b'\n', b'')
+
+ client_final_message_without_proof = channel_binding + b',' + \
+ b'r=' + nonce
+
+ salted_password = self.Hi(self.credentials['password'],
+ salt,
+ iteration_count)
+ client_key = self.HMAC(salted_password, b'Client Key')
+ stored_key = self.H(client_key)
+ auth_message = self.client_first_message_bare + b',' + \
+ challenge + b',' + \
+ client_final_message_without_proof
+ client_signature = self.HMAC(stored_key, auth_message)
+ client_proof = XOR(client_key, client_signature)
+ server_key = self.HMAC(salted_password, b'Server Key')
+
+ self.server_signature = self.HMAC(server_key, auth_message)
+
+ client_final_message = client_final_message_without_proof + \
+ b',p=' + b64encode(client_proof)
+
+ return client_final_message
+
+ def process_3(self, challenge):
+ data = self.parse(challenge)
+ verifier = data.get(b'v', None)
+ error = data.get(b'e', 'Unknown error')
+
+ if not verifier:
+ raise SASLFailed(error)
+
+ if b64decode(verifier) != self.server_signature:
+ raise SASLMutualAuthFailed()
+
+ self._mutual_auth = True
+
+ return b''
+
+
+@sasl_mech(30)
+class DIGEST(Mech):
+
+ name = 'DIGEST'
+ use_hashes = True
+ required_credentials = set(['username', 'password', 'realm', 'service', 'host'])
+ optional_credentials = set(['authzid', 'service-name'])
+ security = set(['encrypted', 'unencrypted_digest'])
+
+ def setup(self, name):
+ self.hash_name = name[7:]
+ self.hash = hash(self.hash_name)
+ if self.hash is None:
+ raise SASLCancelled('Unknown hash: %s' % self.hash_name)
+ if not self.security_settings['encrypted']:
+ if not self.security_settings['unencrypted_digest']:
+ raise SASLCancelled('Unencrypted DIGEST')
+
+ self.qops = [b'auth']
+ self.qop = b'auth'
+ self.maxbuf = b'65536'
+ self.nonce = b''
+ self.cnonce = b''
+ self.nonce_count = 1
+
+ def parse(self, challenge=b''):
+ data = {}
+ var_name = b''
+ var_value = b''
+
+ # States: var, new_var, end, quote, escaped_quote
+ state = 'var'
+
+
+ for char in challenge:
+ if sys.version_info >= (3, 0):
+ char = bytes([char])
+
+ if state == 'var':
+ if char.isspace():
+ continue
+ if char == b'=':
+ state = 'value'
+ else:
+ var_name += char
+ elif state == 'value':
+ if char == b'"':
+ state = 'quote'
+ elif char == b',':
+ if var_name:
+ data[var_name.decode('utf-8')] = var_value
+ var_name = b''
+ var_value = b''
+ state = 'var'
+ else:
+ var_value += char
+ elif state == 'escaped':
+ var_value += char
+ elif state == 'quote':
+ if char == b'\\':
+ state = 'escaped'
+ elif char == b'"':
+ state = 'end'
+ else:
+ var_value += char
+ else:
+ if char == b',':
+ if var_name:
+ data[var_name.decode('utf-8')] = var_value
+ var_name = b''
+ var_value = b''
+ state = 'var'
+ else:
+ var_value += char
+
+ if var_name:
+ data[var_name.decode('utf-8')] = var_value
+ var_name = b''
+ var_value = b''
+ state = 'var'
+ return data
+
+ def MAC(self, key, seq, msg):
+ mac = hmac.HMAC(key=key, digestmod=self.hash)
+ seqnum = num_to_bytes(seq)
+ mac.update(seqnum)
+ mac.update(msg)
+ return mac.digest()[:10] + b'\x00\x01' + seqnum
+
+ def A1(self):
+ username = self.credentials['username']
+ password = self.credentials['password']
+ authzid = self.credentials['authzid']
+ realm = self.credentials['realm']
+
+ a1 = self.hash()
+ a1.update(username + b':' + realm + b':' + password)
+ a1 = a1.digest()
+ a1 += b':' + self.nonce + b':' + self.cnonce
+ if authzid:
+ a1 += b':' + authzid
+
+ return bytes(a1)
+
+ def A2(self, prefix=b''):
+ a2 = prefix + b':' + self.digest_uri()
+ if self.qop in (b'auth-int', b'auth-conf'):
+ a2 += b':00000000000000000000000000000000'
+ return bytes(a2)
+
+ def response(self, prefix=b''):
+ nc = bytes('%08x' % self.nonce_count)
+
+ a1 = bytes(self.hash(self.A1()).hexdigest().lower())
+ a2 = bytes(self.hash(self.A2(prefix)).hexdigest().lower())
+ s = self.nonce + b':' + nc + b':' + self.cnonce + \
+ b':' + self.qop + b':' + a2
+
+ return bytes(self.hash(a1 + b':' + s).hexdigest().lower())
+
+ def digest_uri(self):
+ serv_type = self.credentials['service']
+ serv_name = self.credentials['service-name']
+ host = self.credentials['host']
+
+ uri = serv_type + b'/' + host
+ if serv_name and host != serv_name:
+ uri += b'/' + serv_name
+ return uri
+
+ def respond(self):
+ data = {
+ 'username': quote(self.credentials['username']),
+ 'authzid': quote(self.credentials['authzid']),
+ 'realm': quote(self.credentials['realm']),
+ 'nonce': quote(self.nonce),
+ 'cnonce': quote(self.cnonce),
+ 'nc': bytes('%08x' % self.nonce_count),
+ 'qop': self.qop,
+ 'digest-uri': quote(self.digest_uri()),
+ 'response': self.response(b'AUTHENTICATE'),
+ 'maxbuf': self.maxbuf
+ }
+ resp = b''
+ for key, value in data.items():
+ if value and value != b'""':
+ resp += b',' + bytes(key) + b'=' + bytes(value)
+ return resp[1:]
+
+ def process(self, challenge=b''):
+ if not challenge:
+ if self.cnonce and self.nonce and self.nonce_count and self.qop:
+ self.nonce_count += 1
+ return self.respond()
+ return b''
+
+ data = self.parse(challenge)
+ if 'rspauth' in data:
+ if data['rspauth'] != self.response():
+ raise SASLMutualAuthFailed()
+ else:
+ self.nonce_count = 1
+ self.cnonce = bytes('%s' % random.random())[2:]
+ self.qops = data.get('qop', [b'auth'])
+ self.qop = b'auth'
+ if 'nonce' in data:
+ self.nonce = data['nonce']
+ if 'realm' in data and not self.credentials['realm']:
+ self.credentials['realm'] = data['realm']
+
+ return self.respond()
+
+
+try:
+ import kerberos
+except ImportError:
+ pass
+else:
+ @sasl_mech(75)
+ class GSSAPI(Mech):
+
+ name = 'GSSAPI'
+ required_credentials = set(['username', 'service-name'])
+ optional_credentials = set(['authzid'])
+
+ def setup(self, name):
+ authzid = self.credentials['authzid']
+ if not authzid:
+ authzid = 'xmpp@%s' % self.credentials['service-name']
+
+ _, self.gss = kerberos.authGSSClientInit(authzid)
+ self.step = 0
+
+ def process(self, challenge=b''):
+ b64_challenge = b64encode(challenge)
+ try:
+ if self.step == 0:
+ result = kerberos.authGSSClientStep(self.gss, b64_challenge)
+ if result != kerberos.AUTH_GSS_CONTINUE:
+ self.step = 1
+ elif self.step == 1:
+ username = self.credentials['username']
+
+ kerberos.authGSSClientUnwrap(self.gss, b64_challenge)
+ resp = kerberos.authGSSClientResponse(self.gss)
+ kerberos.authGSSClientWrap(self.gss, resp, username)
+
+ resp = kerberos.authGSSClientResponse(self.gss)
+ except kerberos.GSSError as e:
+ raise SASLCancelled('Kerberos error: %s' % e.message)
+ if not resp:
+ return b''
+ else:
+ return b64decode(resp)
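Review bot: `SASLMutualAuthFailed` is raised at the server-signature check in `SCRAM.process_3` and at the `rspauth` check in `DIGEST.process`, but the module's import line `from sleekxmpp.util.sasl.client import sasl_mech, Mech, SASLCancelled, SASLFailed` does not bring that name in and nothing else in this new file defines it, so a failed mutual-authentication check would surface as a `NameError` rather than the intended exception; add `SASLMutualAuthFailed` to that import (assuming client.py defines it alongside the other two). Separately, the client nonces in `SCRAM.process_1` and `DIGEST.process` come from `random.random()`, which is not a cryptographically secure source, and an unpredictable cnonce is what gives the client its replay protection; prefer `self.cnonce = b64encode(os.urandom(16)).replace(b'\n', b'')` in both places (with `import os` added to the module imports), which also stays within the printable-no-comma alphabet SCRAM requires. The server-signature comparison in `SCRAM.process_3` would also read more clearly with a one-line comment such as `# mutual auth: server must prove it knows ServerKey` above the `b64decode(verifier) != self.server_signature` check.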
diff --git a/sleekxmpp/util/stringprep_profiles.py b/sleekxmpp/util/stringprep_profiles.py
index 08278d6c..ad89d4cc 100644
--- a/sleekxmpp/util/stringprep_profiles.py
+++ b/sleekxmpp/util/stringprep_profiles.py
@@ -20,19 +20,13 @@ import sys
import stringprep
import unicodedata
+from sleekxmpp.util import unicode
+
class StringPrepError(UnicodeError):
pass
-def to_unicode(data):
- """Ensure that a given string is Unicode, regardless of Python version."""
- if sys.version_info < (3, 0):
- return unicode(data)
- else:
- return str(data)
-
-
def b1_mapping(char):
"""Map characters that are commonly mapped to nothing."""
return '' if stringprep.in_table_b1(char) else None
@@ -143,7 +137,7 @@ def create(nfkc=True, bidi=True, mappings=None,
"""
def profile(data, query=False):
try:
- data = to_unicode(data)
+ data = unicode(data)
except UnicodeError:
raise StringPrepError