From b31120775b59ed388bee390187d8911d8e5e4213 Mon Sep 17 00:00:00 2001
From: Tobias Markmann <tm@ayena.de>
Date: Tue, 8 Jun 2010 11:00:26 +0200
Subject: util.sasl.scram: Authenticate clients by calculated StoredKey instead
 of ClientProof.

---
 util/sasl/scram.lua | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/util/sasl/scram.lua b/util/sasl/scram.lua
index 08533b68..63f6f2fe 100644
--- a/util/sasl/scram.lua
+++ b/util/sasl/scram.lua
@@ -157,17 +157,18 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 				self.state.iteration_count = default_i;
 
 				local succ = false;
-				succ, self.state.salted_password = saltedPasswordSHA1(password, self.state.salt, default_i, self.state.iteration_count);
+				succ, self.state.stored_key, self.state.server_key = getAuthenticationDatabaseSHA1(password, self.state.salt, default_i, self.state.iteration_count);
 				if not succ then
-					log("error", "Generating salted password failed. Reason: %s", self.state.salted_password);
+					log("error", "Generating authentication database failed. Reason: %s", self.state.stored_key);
 					return "failure", "temporary-auth-failure";
 				end
 			elseif self.profile["scram_"..hashprep(hash_name)] then
-				local salted_password, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self.state.name, self.realm);
+				local stored_key, server_key, iteration_count, salt, state = self.profile["scram_"..hashprep(hash_name)](self.state.name, self.realm);
 				if state == nil then return "failure", "not-authorized"
 				elseif state == false then return "failure", "account-disabled" end
 				
-				self.state.salted_password = salted_password;
+				self.state.stored_key = stored_key;
+				self.state.server_key = server_key;
 				self.state.iteration_count = iteration_count;
 				self.state.salt = salt
 			end
@@ -189,16 +190,15 @@ local function scram_gen(hash_name, H_f, HMAC_f)
 				return "failure", "malformed-request", "Wrong nonce in client-final-message.";
 			end
 			
-			local SaltedPassword = self.state.salted_password;
-			local ClientKey = HMAC_f(SaltedPassword, "Client Key")
-			local ServerKey = HMAC_f(SaltedPassword, "Server Key")
-			local StoredKey = H_f(ClientKey)
+			local ServerKey = self.state.server_key;
+			local StoredKey = self.state.stored_key;
+			
 			local AuthMessage = "n=" .. s_match(self.state.client_first_message,"n=(.+)") .. "," .. self.state.server_first_message .. "," .. s_match(client_final_message, "(.+),p=.+")
 			local ClientSignature = HMAC_f(StoredKey, AuthMessage)
-			local ClientProof     = binaryXOR(ClientKey, ClientSignature)
+			local ClientKey = binaryXOR(ClientSignature, base64.decode(self.state.proof))
 			local ServerSignature = HMAC_f(ServerKey, AuthMessage)
 
-			if base64.encode(ClientProof) == self.state.proof then
+			if StoredKey == H_f(ClientKey) then
 				local server_final_message = "v="..base64.encode(ServerSignature);
 				self["username"] = self.state.name;
 				return "success", server_final_message;
-- 
cgit v1.2.3