Move sasl.py to a directory module and move SCRAM logic to a different file,

move `github/module.py` to `github/__init__.py`

2 files changed, 185 insertions, 0 deletions

diff --git a/modules/sasl/__init__.py b/modules/sasl/__init__.py
new file mode 100644
index 00000000..b961ba00
--- /dev/null
+++ b/modules/sasl/__init__.py
@@ -0,0 +1,98 @@
+import base64, hashlib, hmac, uuid
+from src import ModuleManager, utils
+from . import scram
+
+def _validate(self, s):
+    mechanism = s
+    if " " in s:
+        mechanism, arguments = s.split(" ", 1)
+    return {"mechanism": mechanism, "args": arguments}
+
+def _scram_nonce():
+    return str(uuid.uuid4().hex)
+def _scram_escape(s):
+    return s.replace("=", "=3D").replace(",", "=2C")
+def _scram_unescape(s):
+    return s.replace("=3D", "=").replace("=2C", ",")
+def _scram_xor(s1, s2):
+    return bytes(a ^ b for a, b in zip(s1, s2))
+
+@utils.export("serverset", {"setting": "sasl",
+    "help": "Set the sasl username/password for this server",
+    "validate": _validate})
+class Module(ModuleManager.BaseModule):
+    @utils.hook("received.cap.ls")
+    def on_cap(self, event):
+        has_sasl = "sasl" in event["capabilities"]
+        our_sasl = event["server"].get_setting("sasl", None)
+
+        do_sasl = False
+        if has_sasl and our_sasl:
+            if not event["capabilities"]["sasl"] == None:
+                our_mechanism = our_sasl["mechanism"].upper()
+                do_sasl = our_mechanism in event["capabilities"
+                    ]["sasl"].split(",")
+            else:
+                do_sasl = True
+
+        if do_sasl:
+            event["server"].queue_capability("sasl")
+
+    @utils.hook("received.cap.ack")
+    def on_cap_ack(self, event):
+        if "sasl" in event["capabilities"]:
+            sasl = event["server"].get_setting("sasl")
+            event["server"].send_authenticate(sasl["mechanism"].upper())
+            event["server"].wait_for_capability("sasl")
+
+    @utils.hook("received.authenticate")
+    def on_authenticate(self, event):
+        sasl = event["server"].get_setting("sasl")
+        mechanism = sasl["mechanism"].upper()
+
+        if mechanism == "PLAIN":
+            if event["message"] != "+":
+                event["server"].send_authenticate("*")
+            else:
+                sasl_username, sasl_password = sasl["args"].split(":", 1)
+                auth_text = ("%s\0%s\0%s" % (
+                    sasl_username, sasl_username, sasl_password)).encode("utf8")
+
+        elif mechanism == "EXTERNAL":
+            if event["message"] != "+":
+                event["server"].send_authenticate("*")
+            else:
+                auth_text = "+"
+
+        elif mechanism.startswith("SCRAM-"):
+            algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")
+            sasl_username, sasl_password = sasl["args"].split(":", 1)
+            if event["message"] == "+":
+                # start SCRAM handshake
+                event["server"]._scram = scram.SCRAM(
+                    algo, sasl_username, sasl_password)
+                auth_text = event["server"]._scram.client_first()
+                print(auth_text)
+            else:
+                current_scram = event["server"]._scram
+                if current_scram.state == scram.SCRAMState.ClientFirst:
+                    auth_text = current_scram.server_first(event["message"])
+                elif current_scram.state == scram.SCRAMState.ClientFinal:
+                    auth_text = current_scram.server_final(event["message"])
+                    del event["server"]._scram
+        else:
+            raise ValueError("unknown sasl mechanism '%s'" % mechanism)
+
+        if not auth_text == "+":
+            auth_text = base64.b64encode(auth_text)
+            auth_text = auth_text.decode("utf8")
+        event["server"].send_authenticate(auth_text)
+
+    def _end_sasl(self, server):
+        server.capability_done("sasl")
+    @utils.hook("received.numeric.903")
+    def sasl_success(self, event):
+        self._end_sasl(event["server"])
+    @utils.hook("received.numeric.904")
+    def sasl_failure(self, event):
+        self._end_sasl(event["server"])
diff --git a/modules/sasl/scram.py b/modules/sasl/scram.py
new file mode 100644
index 00000000..7d2551b4
--- /dev/null
+++ b/modules/sasl/scram.py
@@ -0,0 +1,87 @@
+import base64, enum, hashlib, hmac, uuid
+
+def _scram_nonce():
+    return uuid.uuid4().hex.encode("utf8")
+def _scram_escape(s):
+    return s.replace(b"=", b"=3D").replace(b",", b"=2C")
+def _scram_unescape(s):
+    return s.replace(b"=3D", b"=").replace(b"=2C", b",")
+def _scram_xor(s1, s2):
+    return bytes(a ^ b for a, b in zip(s1, s2))
+
+class SCRAMState(enum.Enum):
+    Uninitialised = 0
+    ClientFirst = 1
+    ClientFinal = 2
+    Success = 3
+    VerifyFailed = 4
+
+class SCRAMError(Exception):
+    pass
+
+class SCRAM(object):
+    def __init__(self, algo, username, password):
+        self._algo = algo
+        self._username = username.encode("utf8")
+        self._password = password.encode("utf8")
+
+        self.state = SCRAMState.Uninitialised
+        self._client_first = None
+        self._salted_password = None
+        self._auth_message = None
+
+    def _get_data(self, message):
+        data = base64.b64decode(message)
+        return data, dict(piece.split(b"=", 1) for piece in data.split(b","))
+
+    def client_first(self):
+        self.state = SCRAMState.ClientFirst
+        # start SCRAM handshake
+        self._client_first = b"n=%s,r=%s" % (
+            _scram_escape(self._username), _scram_nonce())
+        return b"n,,%s" % self._client_first
+
+    def server_first(self, message):
+        self.state = SCRAMState.ClientFinal
+
+        data, pieces = self._get_data(message)
+        # server-first-message
+        nonce = pieces[b"r"]
+        salt = base64.b64decode(pieces[b"s"])
+        iterations = pieces[b"i"]
+        password = self._password
+
+        salted_password = hashlib.pbkdf2_hmac(self._algo, password, salt,
+            int(iterations), dklen=None)
+        self._salted_password = salted_password
+
+        client_key = hmac.digest(salted_password, b"Client Key", self._algo)
+        stored_key = hashlib.new(self._algo, client_key).digest()
+
+        channel = base64.b64encode(b"n,,")
+        auth_noproof = b"c=%s,r=%s" % (channel, nonce)
+        auth_message = b"%s,%s,%s" % (self._client_first, data, auth_noproof)
+        self._auth_message = auth_message
+
+        client_signature = hmac.digest(stored_key, auth_message, self._algo)
+        client_proof = base64.b64encode(
+            _scram_xor(client_key, client_signature))
+
+        return auth_noproof + (b",p=%s" % client_proof)
+
+    def server_final(self, message):
+        # server-final-message
+        data, pieces = self._get_data(message)
+        verifier = pieces[b"v"]
+
+        server_key = hmac.digest(self._salted_password, b"Server Key",
+            self._algo)
+        server_signature = hmac.digest(server_key, self._auth_message,
+            self._algo)
+
+        if server_signature != base64.b64decode(verifier):
+            self.state = SCRAMState.VerifyFailed
+            return None
+        else:
+            self.state = SCRAMState.Success
+            return "+"