pontarius-xmpp/source/Network/Xmpp/Sasl/DigestMd5

{-# LANGUAGE OverloadedStrings #-}

module Network.Xmpp.Sasl.DigestMd5 where

import           Control.Applicative
import           Control.Arrow (left)
import           Control.Monad
import           Control.Monad.Error
import           Control.Monad.State.Strict
import           Data.Maybe (fromJust, isJust)

import qualified Crypto.Classes as CC

import qualified Data.Binary as Binary
import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as BS8
import qualified Data.ByteString.Lazy as BL
import qualified Data.Digest.Pure.MD5 as MD5
import qualified Data.List as L

import qualified Data.Text as Text
import           Data.Text (Text)
import qualified Data.Text.Encoding as Text

import Data.XML.Pickle

import qualified Data.ByteString as BS

import Data.XML.Types

import           Network.Xmpp.Monad
import           Network.Xmpp.Stream
import           Network.Xmpp.Types
import           Network.Xmpp.Pickle


import Network.Xmpp.Sasl.Common
import Network.Xmpp.Sasl.Types


xmppDigestMd5 :: Maybe Text -- Authorization identity (authzid)
               -> Text -- Authentication identity (authzid)
               -> Text -- Password (authzid)
               -> SaslM ()
xmppDigestMd5 authzid authcid passwd = do
    hn <- gets sHostname
    case hn of
        Just hn' -> do
            xmppDigestMD5' hn'
            -- TODO: Save authzid
            modify (\s -> s{sUsername = Just authcid})
        Nothing -> throwError AuthConnectionError
  where
    xmppDigestMD5' :: Text -> SaslM ()
    xmppDigestMD5' hostname = do
        -- Push element and receive the challenge (in SaslM).
        _ <- saslInit "DIGEST-MD5" Nothing -- TODO: Check boolean?
        pairs <- toPairs =<< saslFromJust =<< pullChallenge
        cnonce <- liftIO $ makeNonce
        _b <- respond . Just $ createResponse hostname pairs cnonce
        challenge2 <- pullFinalMessage
        _ <- ErrorT $ left AuthStreamError <$> xmppRestartStream
        return ()
    -- Produce the response to the challenge.
    createResponse :: Text
                   -> Pairs
                   -> BS.ByteString -- nonce
                   -> BS.ByteString
    createResponse hostname pairs cnonce = let
        Just qop   = L.lookup "qop" pairs -- TODO: proper handling
        Just nonce = L.lookup "nonce" pairs
        uname_     = Text.encodeUtf8 authcid
        passwd_    = Text.encodeUtf8 passwd
        -- Using Int instead of Word8 for random 1.0.0.0 (GHC 7) compatibility.

        nc         = "00000001"
        digestURI  = "xmpp/" `BS.append` Text.encodeUtf8 hostname
        digest     = md5Digest
            uname_
            (lookup "realm" pairs)
            passwd_
            digestURI
            nc
            qop
            nonce
            cnonce
        response = BS.intercalate "," . map (BS.intercalate "=") $
            [["username", quote uname_]] ++
                case L.lookup "realm" pairs of
                    Just realm -> [["realm" , quote realm ]]
                    Nothing -> [] ++
                        [ ["nonce"     , quote nonce    ]
                        , ["cnonce"    , quote cnonce   ]
                        , ["nc"        ,       nc       ]
                        , ["qop"       ,       qop      ]
                        , ["digest-uri", quote digestURI]
                        , ["response"  ,       digest   ]
                        , ["charset"   ,       "utf-8"  ]
                        ]
        in B64.encode response
    hash :: [BS8.ByteString] -> BS8.ByteString
    hash = BS8.pack . show
           . (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")
    hashRaw :: [BS8.ByteString] -> BS8.ByteString
    hashRaw = toStrict . Binary.encode .
        (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")
    toStrict :: BL.ByteString -> BS8.ByteString
    toStrict = BS.concat . BL.toChunks
    -- TODO: this only handles MD5-sess
    md5Digest :: BS8.ByteString
              -> Maybe BS8.ByteString
              -> BS8.ByteString
              -> BS8.ByteString
              -> BS8.ByteString
              -> BS8.ByteString
              -> BS8.ByteString
              -> BS8.ByteString
              -> BS8.ByteString
    md5Digest uname realm password digestURI nc qop nonce cnonce =
      let ha1 = hash [ hashRaw [uname, maybe "" id realm, password]
                     , nonce
                     , cnonce
                     ]
          ha2 = hash ["AUTHENTICATE", digestURI]
      in hash [ha1, nonce, nc, cnonce, qop, ha2]

digestMd5 :: Maybe Text -- Authorization identity (authzid)
          -> Text -- Authentication identity (authzid)
          -> Text -- Password (authzid)
          -> SaslHandler
digestMd5 authzid authcid password = ( "DIGEST-MD5"
                                     , xmppDigestMd5 authzid authcid password
                                     )
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago			`{-# LANGUAGE OverloadedStrings #-}`

add stringprep to scram rename DigestMD5 to DigestMd5 Don't thread credentials through xmppSasl 14 years ago			`module Network.Xmpp.Sasl.DigestMd5 where`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago
			`import Control.Applicative`
			`import Control.Arrow (left)`
			`import Control.Monad`
			`import Control.Monad.Error`
			`import Control.Monad.State.Strict`
			`import Data.Maybe (fromJust, isJust)`

			`import qualified Crypto.Classes as CC`

			`import qualified Data.Binary as Binary`
			`import qualified Data.ByteString.Base64 as B64`
			`import qualified Data.ByteString.Char8 as BS8`
			`import qualified Data.ByteString.Lazy as BL`
			`import qualified Data.Digest.Pure.MD5 as MD5`
			`import qualified Data.List as L`

			`import qualified Data.Text as Text`
			`import Data.Text (Text)`
			`import qualified Data.Text.Encoding as Text`

			`import Data.XML.Pickle`

			`import qualified Data.ByteString as BS`

			`import Data.XML.Types`

replace XMPP with Xmpp everywhere to unify style replace SASL with Sasl replace DIGEST_MD5 with DigestMD5 replace PLAIN with Plain 14 years ago			`import Network.Xmpp.Monad`
			`import Network.Xmpp.Stream`
			`import Network.Xmpp.Types`
			`import Network.Xmpp.Pickle`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago

refactor digestMd5 to move common functionality to module Common 14 years ago			`import Network.Xmpp.Sasl.Common`
replace XMPP with Xmpp everywhere to unify style replace SASL with Sasl replace DIGEST_MD5 with DigestMD5 replace PLAIN with Plain 14 years ago			`import Network.Xmpp.Sasl.Types`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago
refactor digestMd5 to move common functionality to module Common 14 years ago

add stringprep to scram rename DigestMD5 to DigestMd5 Don't thread credentials through xmppSasl 14 years ago			`xmppDigestMd5 :: Maybe Text -- Authorization identity (authzid)`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago			`-> Text -- Authentication identity (authzid)`
			`-> Text -- Password (authzid)`
add stringprep to scram rename DigestMD5 to DigestMd5 Don't thread credentials through xmppSasl 14 years ago			`-> SaslM ()`
			`xmppDigestMd5 authzid authcid passwd = do`
add scram add sAuthzid to XmppConnection add sAuthzid to XmppConnection more work on sasl infrastructure move more stuff from DigestMd5 to Common more work on sasl infrastructure 14 years ago			`hn <- gets sHostname`
			`case hn of`
			`Just hn' -> do`
			`xmppDigestMD5' hn'`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago			`-- TODO: Save authzid`
			`modify (\s -> s{sUsername = Just authcid})`
			`Nothing -> throwError AuthConnectionError`
			`where`
add scram add sAuthzid to XmppConnection add sAuthzid to XmppConnection more work on sasl infrastructure move more stuff from DigestMd5 to Common more work on sasl infrastructure 14 years ago			`xmppDigestMD5' :: Text -> SaslM ()`
			`xmppDigestMD5' hostname = do`
refactor digestMd5 to move common functionality to module Common 14 years ago			`-- Push element and receive the challenge (in SaslM).`
			`_ <- saslInit "DIGEST-MD5" Nothing -- TODO: Check boolean?`
			`pairs <- toPairs =<< saslFromJust =<< pullChallenge`
add scram add sAuthzid to XmppConnection add sAuthzid to XmppConnection more work on sasl infrastructure move more stuff from DigestMd5 to Common more work on sasl infrastructure 14 years ago			`cnonce <- liftIO $ makeNonce`
			`_b <- respond . Just $ createResponse hostname pairs cnonce`
			`challenge2 <- pullFinalMessage`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago			`_ <- ErrorT $ left AuthStreamError <$> xmppRestartStream`
			`return ()`
			`-- Produce the response to the challenge.`
add scram add sAuthzid to XmppConnection add sAuthzid to XmppConnection more work on sasl infrastructure move more stuff from DigestMd5 to Common more work on sasl infrastructure 14 years ago			`createResponse :: Text`
			`-> Pairs`
			`-> BS.ByteString -- nonce`
			`-> BS.ByteString`
			`createResponse hostname pairs cnonce = let`
add stringprep to scram rename DigestMD5 to DigestMd5 Don't thread credentials through xmppSasl 14 years ago			`Just qop = L.lookup "qop" pairs -- TODO: proper handling`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago			`Just nonce = L.lookup "nonce" pairs`
			`uname_ = Text.encodeUtf8 authcid`
			`passwd_ = Text.encodeUtf8 passwd`
			`-- Using Int instead of Word8 for random 1.0.0.0 (GHC 7) compatibility.`
add scram add sAuthzid to XmppConnection add sAuthzid to XmppConnection more work on sasl infrastructure move more stuff from DigestMd5 to Common more work on sasl infrastructure 14 years ago
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago			`nc = "00000001"`
			digestURI = "xmpp/" `BS.append` Text.encodeUtf8 hostname
			`digest = md5Digest`
			`uname_`
			`(lookup "realm" pairs)`
			`passwd_`
			`digestURI`
			`nc`
			`qop`
			`nonce`
			`cnonce`
			`response = BS.intercalate "," . map (BS.intercalate "=") $`
			`[["username", quote uname_]] ++`
			`case L.lookup "realm" pairs of`
			`Just realm -> [["realm" , quote realm ]]`
			`Nothing -> [] ++`
			`[ ["nonce" , quote nonce ]`
			`, ["cnonce" , quote cnonce ]`
			`, ["nc" , nc ]`
			`, ["qop" , qop ]`
			`, ["digest-uri", quote digestURI]`
			`, ["response" , digest ]`
			`, ["charset" , "utf-8" ]`
			`]`
add scram add sAuthzid to XmppConnection add sAuthzid to XmppConnection more work on sasl infrastructure move more stuff from DigestMd5 to Common more work on sasl infrastructure 14 years ago			`in B64.encode response`
prepared to extend sasl functionality, put digest-md5 code in its own module 14 years ago			`hash :: [BS8.ByteString] -> BS8.ByteString`
			`hash = BS8.pack . show`
			`. (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")`
			`hashRaw :: [BS8.ByteString] -> BS8.ByteString`
			`hashRaw = toStrict . Binary.encode .`
			`(CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")`
			`toStrict :: BL.ByteString -> BS8.ByteString`
			`toStrict = BS.concat . BL.toChunks`
			`-- TODO: this only handles MD5-sess`
			`md5Digest :: BS8.ByteString`
			`-> Maybe BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`md5Digest uname realm password digestURI nc qop nonce cnonce =`
			`let ha1 = hash [ hashRaw [uname, maybe "" id realm, password]`
			`, nonce`
			`, cnonce`
			`]`
			`ha2 = hash ["AUTHENTICATE", digestURI]`
add stringprep to scram rename DigestMD5 to DigestMd5 Don't thread credentials through xmppSasl 14 years ago			`in hash [ha1, nonce, nc, cnonce, qop, ha2]`

			`digestMd5 :: Maybe Text -- Authorization identity (authzid)`
			`-> Text -- Authentication identity (authzid)`
			`-> Text -- Password (authzid)`
			`-> SaslHandler`
			`digestMd5 authzid authcid password = ( "DIGEST-MD5"`
			`, xmppDigestMd5 authzid authcid password`
			`)`