author | Tobias Markmann <tm@ayena.de> | 2009-11-18 11:59:50 +0100 |
---|---|---|
committer | Tobias Markmann <tm@ayena.de> | 2009-11-18 11:59:50 +0100 |
commit | 7815630d28c0ffe23c63c54eeb4f401252b61d0f (patch) | |
tree | 3bd17f1d931e5693ecb55a267e7d0c292067b4af /util/sasl | |
parent | b0f89bf88505895e77bfda26c0e2720c14bf2918 (diff) | |
SASLprep usernames and passwords.
Diffstat (limited to 'util/sasl')
-rw-r--r-- | util/sasl/scram.lua | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index a347e2f3..7d60ef86 100644
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -19,6 +19,8 @@ local xor = require "bit".bxor
 local hmac_sha1 = require "util.hmac".sha1;
 local sha1 = require "util.hashes".sha1;
 local generate_uuid = require "util.uuid".generate;
+local saslprep = require "util.encodings".stringprep.saslprep;
+local log = require "util.logger".init("sasl");
 module "plain"
@@ -70,6 +72,7 @@ local function validate_username(username)
 -- replace =2D with , and =3D with =
 -- apply SASLprep
+ username = saslprep(username);
 return username;
 end
@@ -83,10 +86,16 @@ local function scram_sha_1(self, message)
 self.state["name"] = client_first_message:match("n=(.+),r=")
 self.state["clientnonce"] = client_first_message:match("r=([^,]+)")
- self.state.name = validate_username(self.state.name);
 if not self.state.name or not self.state.clientnonce then
 return "failure", "malformed-request";
 end
+
+ self.state.name = validate_username(self.state.name);
+ if not self.state.name then
+ log("debug", "Username violates either SASLprep or contains forbidden character sequences.")
+ return "failure", "malformed-request";
+ end
+
 self.state["servernonce"] = generate_uuid();
 self.state["salt"] = generate_uuid();
@@ -110,6 +119,11 @@ local function scram_sha_1(self, message)
 password, state = self.profile.plain(self.state.name, self.realm)
 if state == nil then return "failure", "not-authorized"
 elseif state == false then return "failure", "account-disabled" end
+ password = saslprep(password);
+ if not password then
+ log("debug", "Password violates SASLprep.");
+ return "failure", "not-authorized"
+ end
 end
 local SaltedPassword = Hi(hmac_sha1, password, self.state.salt, default_i) |
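Review bot: The new `username = saslprep(username);` in validate_username runs on the still-escaped SCRAM saslname: the comment directly above it announces that the `=2D`/`=3D` sequences get replaced at this point, but no replacement is made, so the name that is stored in `self.state.name` and later handed to the profile lookup keeps its escapes. RFC 5802 escapes ',' as `=2C` (not `=2D`) and '=' as `=3D`, and the username is prepared before escaping on the client side, so the server should decode first and then prepare: `username = username:gsub("=2C", ","):gsub("=3D", "=");` ahead of the saslprep line, with the comment corrected to `-- replace =2C with , and =3D with = (RFC 5802 saslname escaping)`. The forbidden-sequence check earlier in validate_username lies outside the hunk; if it is keyed on the same `=2D` sequence it needs the same correction, otherwise a legitimate `=2C` would be rejected before reaching this code. The function starts outside the hunk.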
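Review bot: A stored password that fails SASLprep is answered with `not-authorized` and recorded only at debug level, so an account whose stored credential can never pass this check is indistinguishable, for the operator as well as the client, from an ordinary wrong-password attempt. Keeping the generic failure towards the client is right, but the log line should be louder and name the account, since this is a server-side data problem rather than a client error: `log("warn", "Stored password for "..self.state.name.." does not pass SASLprep; SCRAM authentication for this account cannot succeed");` (`self.state.name` has already been checked non-nil earlier in this function). The `end` after the new block shows the `self.profile.plain` lookup sits inside a conditional whose other arm, and the start of scram_sha_1, are outside the hunk, so whether a password obtained another way is prepared as well cannot be judged here.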