pontarius-xmpp/source/Network/Xmpp/Sasl/Mechanisms/DigestMd5.hs

{-# OPTIONS_HADDOCK hide #-}
{-# LANGUAGE OverloadedStrings #-}

module Network.Xmpp.Sasl.Mechanisms.DigestMd5
    ( digestMd5
    ) where

import           Control.Applicative
import           Control.Arrow (left)
import           Control.Monad
import           Control.Monad.Error
import           Control.Monad.State.Strict
import           Data.Maybe (fromJust, isJust)

import qualified Crypto.Classes as CC

import qualified Data.Binary as Binary
import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as BS8
import qualified Data.ByteString.Lazy as BL
import qualified Data.Digest.Pure.MD5 as MD5
import qualified Data.List as L

import qualified Data.Text as Text
import           Data.Text (Text)
import qualified Data.Text.Encoding as Text

import           Data.XML.Pickle

import qualified Data.ByteString as BS

import           Data.XML.Types

import           Network.Xmpp.Connection
import           Network.Xmpp.Stream
import           Network.Xmpp.Types
import           Network.Xmpp.Sasl.Common
import           Network.Xmpp.Sasl.StringPrep
import           Network.Xmpp.Sasl.Types


xmppDigestMd5 ::  Text -- ^ Authentication identity (authzid or username)
               -> Maybe Text -- ^ Authorization identity (authcid)
               -> Text -- ^ Password (authzid)
               -> SaslM ()
xmppDigestMd5 authcid authzid password = do
    (ac, az, pw) <- prepCredentials authcid authzid password
    hn <- gets cHostName
    xmppDigestMd5' (fromJust hn) ac az pw
  where
    xmppDigestMd5' :: Text -> Text -> Maybe Text -> Text -> SaslM ()
    xmppDigestMd5' hostname authcid authzid password = do
        -- Push element and receive the challenge (in SaslM).
        _ <- saslInit "DIGEST-MD5" Nothing -- TODO: Check boolean?
        pairs <- toPairs =<< saslFromJust =<< pullChallenge
        cnonce <- liftIO $ makeNonce
        _b <- respond . Just $ createResponse hostname pairs cnonce
        challenge2 <- pullFinalMessage
        return ()
      where
        -- Produce the response to the challenge.
        createResponse :: Text
                       -> Pairs
                       -> BS.ByteString -- nonce
                       -> BS.ByteString
        createResponse hostname pairs cnonce = let
            Just qop   = L.lookup "qop" pairs -- TODO: proper handling
            Just nonce = L.lookup "nonce" pairs
            uname_     = Text.encodeUtf8 authcid
            passwd_    = Text.encodeUtf8 password
            -- Using Int instead of Word8 for random 1.0.0.0 (GHC 7)
            -- compatibility.

            nc         = "00000001"
            digestURI  = "xmpp/" `BS.append` Text.encodeUtf8 hostname
            digest     = md5Digest
                uname_
                (lookup "realm" pairs)
                passwd_
                digestURI
                nc
                qop
                nonce
                cnonce
            response = BS.intercalate "," . map (BS.intercalate "=") $
                [["username", quote uname_]] ++
                    case L.lookup "realm" pairs of
                        Just realm -> [["realm" , quote realm ]]
                        Nothing -> [] ++
                            [ ["nonce"     , quote nonce    ]
                            , ["cnonce"    , quote cnonce   ]
                            , ["nc"        ,       nc       ]
                            , ["qop"       ,       qop      ]
                            , ["digest-uri", quote digestURI]
                            , ["response"  ,       digest   ]
                            , ["charset"   ,       "utf-8"  ]
                            ]
            in B64.encode response
        hash :: [BS8.ByteString] -> BS8.ByteString
        hash = BS8.pack . show
               . (CC.hash' :: BS.ByteString -> MD5.MD5Digest)
                  . BS.intercalate (":")
        hashRaw :: [BS8.ByteString] -> BS8.ByteString
        hashRaw = toStrict . Binary.encode .
            (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")
        toStrict :: BL.ByteString -> BS8.ByteString
        toStrict = BS.concat . BL.toChunks
        -- TODO: this only handles MD5-sess
        md5Digest :: BS8.ByteString
                  -> Maybe BS8.ByteString
                  -> BS8.ByteString
                  -> BS8.ByteString
                  -> BS8.ByteString
                  -> BS8.ByteString
                  -> BS8.ByteString
                  -> BS8.ByteString
                  -> BS8.ByteString
        md5Digest uname realm password digestURI nc qop nonce cnonce =
          let ha1 = hash [ hashRaw [uname, maybe "" id realm, password]
                         , nonce
                         , cnonce
                         ]
              ha2 = hash ["AUTHENTICATE", digestURI]
          in hash [ha1, nonce, nc, cnonce, qop, ha2]

digestMd5 :: Text -- ^ Authentication identity (authcid or username)
          -> Maybe Text -- ^ Authorization identity (authzid)
          -> Text -- ^ Password
          -> SaslHandler
digestMd5 authcid authzid password = ( "DIGEST-MD5"
                                     , xmppDigestMd5 authcid authzid password
                                     )
shape documentation 13 years ago			`{-# OPTIONS_HADDOCK hide #-}`
Merge remote-tracking branch 'nejla/master' Conflicts: source/Network/Xmpp.hs source/Network/Xmpp/Sasl.hs source/Network/Xmpp/Sasl/Plain.hs source/Network/Xmpp/Sasl/Scram.hs source/Network/Xmpp/Sasl/Types.hs fix DigestMd5.hs filename make DigestMd5 compile again 14 years ago			`{-# LANGUAGE OverloadedStrings #-}`

shape documentation 13 years ago			`module Network.Xmpp.Sasl.Mechanisms.DigestMd5`
			`( digestMd5`
			`) where`
Merge remote-tracking branch 'nejla/master' Conflicts: source/Network/Xmpp.hs source/Network/Xmpp/Sasl.hs source/Network/Xmpp/Sasl/Plain.hs source/Network/Xmpp/Sasl/Scram.hs source/Network/Xmpp/Sasl/Types.hs fix DigestMd5.hs filename make DigestMd5 compile again 14 years ago
			`import Control.Applicative`
			`import Control.Arrow (left)`
			`import Control.Monad`
			`import Control.Monad.Error`
			`import Control.Monad.State.Strict`
			`import Data.Maybe (fromJust, isJust)`

			`import qualified Crypto.Classes as CC`

			`import qualified Data.Binary as Binary`
			`import qualified Data.ByteString.Base64 as B64`
			`import qualified Data.ByteString.Char8 as BS8`
			`import qualified Data.ByteString.Lazy as BL`
			`import qualified Data.Digest.Pure.MD5 as MD5`
			`import qualified Data.List as L`

			`import qualified Data.Text as Text`
			`import Data.Text (Text)`
			`import qualified Data.Text.Encoding as Text`

			`import Data.XML.Pickle`

			`import qualified Data.ByteString as BS`

			`import Data.XML.Types`

Change module structure We can treat all functions related to SASL negotiation as a submodule to Pontarius XMPP if there are no dependencies from the internal Network.Xmpp modules to the SASL functionality. Because of this, `auth' and `authSimple' were moved from Session.hs to Sasl.hs. As the bind and the `{urn:ietf:params:xml:ns:xmpp-session}session' functionality are related only to the SASL negotation functionality, these functions has been moved to the SASL submodule as well. As these changes only leaves `connect' in the Session module, it seems fitting to move `connect' to Network.Xmpp.Stream (not Network.Xmpp.Connection, as `connect' depends on `startStream'). The internal Network.Xmpp modules (Connection.hs) no longer depend on the Concurrent submodule. This will decrease the coupling between Network.Xmpp and the concurrent implementation, making it easier for developers to replace the concurrent implementation if they wanted to. As Network.Xmpp.Connection is really a module that breaks the encapsulation that is Network.Xmpp and the concurrent interface, I have renamed it Network.Xmpp.Internal. As this frees up the Network.Xmpp.Connection name, Network.Xmpp.Connection_ can reclaim it. The high-level "utility" functions of Network.Xmpp.Utilities, Network.Xmpp.Presence, and Network.Xmpp.Message has been moved to Network.Xmpp.Utilities. This module contains functions that at most only depend on the internal Network.Xmpp.Types module, and doesn't belong in any other module. The functionality of Jid.hs was moved to Types.hs. Moved some of the functions of Network.Xmpp.Pickle to Network.Xmpp.Marshal, and removed the Network.Xmpp.Pickle module. A module imports diagram corresponding to the one of my last patch shows the new module structure. I also include a diagram showing the `Sasl' and `Concurrent' module imports. 13 years ago			`import Network.Xmpp.Connection`
Merge remote-tracking branch 'nejla/master' Conflicts: source/Network/Xmpp.hs source/Network/Xmpp/Sasl.hs source/Network/Xmpp/Sasl/Plain.hs source/Network/Xmpp/Sasl/Scram.hs source/Network/Xmpp/Sasl/Types.hs fix DigestMd5.hs filename make DigestMd5 compile again 14 years ago			`import Network.Xmpp.Stream`
			`import Network.Xmpp.Types`
			`import Network.Xmpp.Sasl.Common`
			`import Network.Xmpp.Sasl.StringPrep`
			`import Network.Xmpp.Sasl.Types`



shape documentation 13 years ago			`xmppDigestMd5 :: Text -- ^ Authentication identity (authzid or username)`
			`-> Maybe Text -- ^ Authorization identity (authcid)`
			`-> Text -- ^ Password (authzid)`
Merge remote-tracking branch 'nejla/master' Conflicts: source/Network/Xmpp.hs source/Network/Xmpp/Sasl.hs source/Network/Xmpp/Sasl/Plain.hs source/Network/Xmpp/Sasl/Scram.hs source/Network/Xmpp/Sasl/Types.hs fix DigestMd5.hs filename make DigestMd5 compile again 14 years ago			`-> SaslM ()`
move mechanisms to Sasl/Mechanisms factor out prepCredentials 14 years ago			`xmppDigestMd5 authcid authzid password = do`
			`(ac, az, pw) <- prepCredentials authcid authzid password`
Hide `Context', add exports, extend documentation As mentioned in #pontarius, `Context' is simply a bunch of thread management features, and users that want that can build their own on top of the `Connection' layer. The benefit of hiding `Context' is that it makes the API clearer, and significantly decreases the complexity of the library. As the `Basic' module is simply an interface to `Connection', it was renamed to `Connection'. The old `Connection' module was moved to `Connection_'. Exported the types of the fields of `Connection' (such as `ConnectionState' and `ConnectionHandle' (previously `HandleLike'). 13 years ago			`hn <- gets cHostName`
Tweak failure approach I'm assuming and defining the following: 1. XMPP failures (which can occur at the TCP, TLS, and XML/XMPP layers (as a stream error or forbidden input)) are fatal; they will distrupt the XMPP session. 2. All fatal failures should be thrown (or similar) by `session', or any other function that might produce them. 3. Authentication failures that are not "XMPP failures" are not fatal. They do not necessarily terminate the stream. For example, the developer should be able to make another authentication attempt. The `Session' object returned by `session' might be useful even if the authentication fails. 4. We can (and should) use one single data type for fatal failures. (Previously, both StreamFailure and TlsFailure was used.) 5. We can catch and rethrow/wrap IO exceptions in the context of the Pontarius XMPP error system that we decide to use, making the error system more intuitive, Haskell-like, and more straight-forward to implement. Calling `error' may only be done in the case of a program error (a bug). 6. A logging system will remove the need for many of the error types. Only exceptions that seem likely to affect the flow of client applications should be defined. 7. The authentication functions are prone to fatal XMPP failures in addition to non-fatal authentication conditions. (Previously, `AuthStreamFailure' was used to wrap these errors.) I'm hereby suggesting (and implementing) the following: `StreamFailure' and `TlsFailure' should be joined into `XmppFailure'. `pullStanza' and the other Connection functions used to throw `IOException', `StreamFailure' and `TlsFailure' exceptions. With this patch, they have been converted to `StateT Connection IO (Either XmppFailure a)' computations. They also catch (some) IOException errors and wrap them in the new `XmppIOException' constructor. `newSession' is now `IO (Either XmppFailure Session)' as well (being capable of throwing IO exceptions). Whether or not to continue to a) wrap `XmppFailure' failures in an `AuthStreamFailure' equivalent, or, b) treat the authentication functions just like the other functions that may result in failure (Either XmppFailure a), depends on how Network.Xmpp.Connection.auth will be used. Since the latter will make `auth' more consistent, as well as remove the need for a wrapped (and special-case) "AuthFailure" type, I have decided to give the "b" approach a try. (The drawback being, of course, that authentication errors can not be accessed through the use of ErrorT. Whether or not this might be a problem, I don't really know at this point.) As the SASL code (and SaslM) depended on `AuthStreamFailure', it remains for internal use, at least for the time-being. `session' is now an ErrorT computation as well. Some functions have been updated as hacks, but this will be changed if we decide to move forward with this approach. 13 years ago			`xmppDigestMd5' (fromJust hn) ac az pw`
Merge remote-tracking branch 'nejla/master' Conflicts: source/Network/Xmpp.hs source/Network/Xmpp/Sasl.hs source/Network/Xmpp/Sasl/Plain.hs source/Network/Xmpp/Sasl/Scram.hs source/Network/Xmpp/Sasl/Types.hs fix DigestMd5.hs filename make DigestMd5 compile again 14 years ago			`where`
			`xmppDigestMd5' :: Text -> Text -> Maybe Text -> Text -> SaslM ()`
			`xmppDigestMd5' hostname authcid authzid password = do`
			`-- Push element and receive the challenge (in SaslM).`
			`_ <- saslInit "DIGEST-MD5" Nothing -- TODO: Check boolean?`
			`pairs <- toPairs =<< saslFromJust =<< pullChallenge`
			`cnonce <- liftIO $ makeNonce`
			`_b <- respond . Just $ createResponse hostname pairs cnonce`
			`challenge2 <- pullFinalMessage`
			`return ()`
			`where`
			`-- Produce the response to the challenge.`
			`createResponse :: Text`
			`-> Pairs`
			`-> BS.ByteString -- nonce`
			`-> BS.ByteString`
			`createResponse hostname pairs cnonce = let`
			`Just qop = L.lookup "qop" pairs -- TODO: proper handling`
			`Just nonce = L.lookup "nonce" pairs`
			`uname_ = Text.encodeUtf8 authcid`
			`passwd_ = Text.encodeUtf8 password`
			`-- Using Int instead of Word8 for random 1.0.0.0 (GHC 7)`
			`-- compatibility.`

			`nc = "00000001"`
			digestURI = "xmpp/" `BS.append` Text.encodeUtf8 hostname
			`digest = md5Digest`
			`uname_`
			`(lookup "realm" pairs)`
			`passwd_`
			`digestURI`
			`nc`
			`qop`
			`nonce`
			`cnonce`
			`response = BS.intercalate "," . map (BS.intercalate "=") $`
			`[["username", quote uname_]] ++`
			`case L.lookup "realm" pairs of`
			`Just realm -> [["realm" , quote realm ]]`
			`Nothing -> [] ++`
			`[ ["nonce" , quote nonce ]`
			`, ["cnonce" , quote cnonce ]`
			`, ["nc" , nc ]`
			`, ["qop" , qop ]`
			`, ["digest-uri", quote digestURI]`
			`, ["response" , digest ]`
			`, ["charset" , "utf-8" ]`
			`]`
			`in B64.encode response`
			`hash :: [BS8.ByteString] -> BS8.ByteString`
			`hash = BS8.pack . show`
			`. (CC.hash' :: BS.ByteString -> MD5.MD5Digest)`
			`. BS.intercalate (":")`
			`hashRaw :: [BS8.ByteString] -> BS8.ByteString`
			`hashRaw = toStrict . Binary.encode .`
			`(CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")`
			`toStrict :: BL.ByteString -> BS8.ByteString`
			`toStrict = BS.concat . BL.toChunks`
			`-- TODO: this only handles MD5-sess`
			`md5Digest :: BS8.ByteString`
			`-> Maybe BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`md5Digest uname realm password digestURI nc qop nonce cnonce =`
			`let ha1 = hash [ hashRaw [uname, maybe "" id realm, password]`
			`, nonce`
			`, cnonce`
			`]`
			`ha2 = hash ["AUTHENTICATE", digestURI]`
			`in hash [ha1, nonce, nc, cnonce, qop, ha2]`

shape documentation 13 years ago			`digestMd5 :: Text -- ^ Authentication identity (authcid or username)`
			`-> Maybe Text -- ^ Authorization identity (authzid)`
			`-> Text -- ^ Password`
Merge remote-tracking branch 'nejla/master' Conflicts: source/Network/Xmpp.hs source/Network/Xmpp/Sasl.hs source/Network/Xmpp/Sasl/Plain.hs source/Network/Xmpp/Sasl/Scram.hs source/Network/Xmpp/Sasl/Types.hs fix DigestMd5.hs filename make DigestMd5 compile again 14 years ago			`-> SaslHandler`
split auth in auth (takes mechanism list) and simpleAuth (defaults to Scram and DigestMd5) swap authzic and authcid parameters in DigestMd5 14 years ago			`digestMd5 authcid authzid password = ( "DIGEST-MD5"`
move mechanisms to Sasl/Mechanisms factor out prepCredentials 14 years ago			`, xmppDigestMd5 authcid authzid password`
remove redundant xmppRestartStream from DigestMD5 13 years ago			`)`