diff options
-rw-r--r-- | util/sasl/scram.lua | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua index a347e2f3..7d60ef86 100644 --- a/util/sasl/scram.lua +++ b/util/sasl/scram.lua @@ -19,6 +19,8 @@ local xor = require "bit".bxor local hmac_sha1 = require "util.hmac".sha1; local sha1 = require "util.hashes".sha1; local generate_uuid = require "util.uuid".generate; +local saslprep = require "util.encodings".stringprep.saslprep; +local log = require "util.logger".init("sasl"); module "plain" @@ -70,6 +72,7 @@ local function validate_username(username) -- replace =2D with , and =3D with = -- apply SASLprep + username = saslprep(username); return username; end @@ -83,10 +86,16 @@ local function scram_sha_1(self, message) self.state["name"] = client_first_message:match("n=(.+),r=") self.state["clientnonce"] = client_first_message:match("r=([^,]+)") - self.state.name = validate_username(self.state.name); if not self.state.name or not self.state.clientnonce then return "failure", "malformed-request"; end + + self.state.name = validate_username(self.state.name); + if not self.state.name then + log("debug", "Username violates either SASLprep or contains forbidden character sequences.") + return "failure", "malformed-request"; + end + self.state["servernonce"] = generate_uuid(); self.state["salt"] = generate_uuid(); @@ -110,6 +119,11 @@ local function scram_sha_1(self, message) password, state = self.profile.plain(self.state.name, self.realm) if state == nil then return "failure", "not-authorized" elseif state == false then return "failure", "account-disabled" end + password = saslprep(password); + if not password then + log("debug", "Password violates SASLprep."); + return "failure", "not-authorized" + end end local SaltedPassword = Hi(hmac_sha1, password, self.state.salt, default_i) |