aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTobias Markmann <tm@ayena.de>2011-01-17 16:50:21 +0100
committerTobias Markmann <tm@ayena.de>2011-01-17 16:50:21 +0100
commit9e938f0e7c47c76bef0734195c4384e1239a087b (patch)
treefe8ef8134c9b667ded9e6eb55ec754b02b91e7bd
parenta1c646ad48267cdfaefb27e77f335969c7c4cc3f (diff)
downloadprosody-9e938f0e7c47c76bef0734195c4384e1239a087b.tar.gz
prosody-9e938f0e7c47c76bef0734195c4384e1239a087b.zip
util.sasl.scram: Validate channel binding data of client final message.
-rw-r--r--util/sasl/scram.lua15
1 files changed, 12 insertions, 3 deletions
diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index cb50390d..66cc941d 100644
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -200,9 +200,18 @@ local function scram_gen(hash_name, H_f, HMAC_f)
local client_final_message = message;
log("debug", "client_final_message: %s", client_final_message);
self.state["channelbinding"], self.state["nonce"], self.state["proof"] = client_final_message:match("^c=(.*),r=(.*),.*p=(.*)");
-
- if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
- return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
+
+ if self.state.gs2_cbind_name then
+ local client_gs2_header = base64.decode(self.state.channelbinding)
+ local our_client_gs2_header = "p="..self.state.gs2_cbind_name..","..self.state["authzid"]..","..self.profile.cb[self.state.gs2_cbind_name](self);
+
+ if client_gs2_header ~= our_client_gs2_header then
+ return "failure", "malformed-request", "Invalid channel binding value.";
+ end
+ else
+ if not self.state.proof or not self.state.nonce or not self.state.channelbinding then
+ return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message.";
+ end
end
if self.state.nonce ~= self.state.clientnonce..self.state.servernonce then