prosody
72d49d1e2d11
util/sasl/scram.lua
Software / code / prosody
Comparison
util/sasl/scram.lua @ 5867:72d49d1e2d11
util.sasl.scram: Compare gs2-header to cbind-input (Thanks Tobias)
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 12 Oct 2013 21:15:36 +0200 |
| parent | 5856:e3e593eb81d1 |
| child | 5868:bc37c6758f3a |
comparison
equal
deleted
inserted
replaced
| 5865:b10ee87ac76a | 5867:72d49d1e2d11 |
|---|---|
| 111 -- we are processing client_first_message | 111 -- we are processing client_first_message |
| 112 local client_first_message = message; | 112 local client_first_message = message; |
| 113 | 113 |
| 114 -- TODO: fail if authzid is provided, since we don't support them yet | 114 -- TODO: fail if authzid is provided, since we don't support them yet |
| 115 self.state["client_first_message"] = client_first_message; | 115 self.state["client_first_message"] = client_first_message; |
| 116 self.state["gs2_cbind_flag"], self.state["gs2_cbind_name"], self.state["authzid"], self.state["name"], self.state["clientnonce"] | 116 self.state["gs2_header"], self.state["gs2_cbind_flag"], self.state["gs2_cbind_name"], self.state["authzid"], self.state["name"], self.state["clientnonce"] |
| 117 = client_first_message:match("^([ynp])=?([%a%-]*),(.*),n=(.*),r=([^,]*).*"); | 117 = client_first_message:match("^(([ynp])=?([%a%-]*),(.*),)n=(.*),r=([^,]*).*"); |
| 118 | 118 |
| 119 local gs2_cbind_flag = self.state.gs2_cbind_flag; | 119 local gs2_cbind_flag = self.state.gs2_cbind_flag; |
| 120 | 120 |
| 121 if not gs2_cbind_flag then | 121 if not gs2_cbind_flag then |
| 122 return "failure", "malformed-request"; | 122 return "failure", "malformed-request"; |
| 198 | 198 |
| 199 if not self.state.proof or not self.state.nonce or not self.state.channelbinding then | 199 if not self.state.proof or not self.state.nonce or not self.state.channelbinding then |
| 200 return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message."; | 200 return "failure", "malformed-request", "Missing an attribute(p, r or c) in SASL message."; |
| 201 end | 201 end |
| 202 | 202 |
| 203 local client_gs2_header = base64.decode(self.state.channelbinding) | |
| 204 local our_client_gs2_header = self.state["gs2_header"] | |
| 203 if self.state.gs2_cbind_name then | 205 if self.state.gs2_cbind_name then |
| 204 -- we support channelbinding, so check if the value is valid | 206 -- we support channelbinding, so check if the value is valid |
| 205 local client_gs2_header = base64.decode(self.state.channelbinding) | 207 our_client_gs2_header = our_client_gs2_header .. self.profile.cb[self.state.gs2_cbind_name](self); |
| 206 local our_client_gs2_header = "p="..self.state.gs2_cbind_name..","..self.state["authzid"]..","..self.profile.cb[self.state.gs2_cbind_name](self); | 208 end |
| 207 | 209 if client_gs2_header ~= our_client_gs2_header then |
| 208 if client_gs2_header ~= our_client_gs2_header then | 210 return "failure", "malformed-request", "Invalid channel binding value."; |
| 209 return "failure", "malformed-request", "Invalid channel binding value."; | |
| 210 end | |
| 211 end | 211 end |
| 212 | 212 |
| 213 if self.state.nonce ~= self.state.clientnonce..self.state.servernonce then | 213 if self.state.nonce ~= self.state.clientnonce..self.state.servernonce then |
| 214 return "failure", "malformed-request", "Wrong nonce in client-final-message."; | 214 return "failure", "malformed-request", "Wrong nonce in client-final-message."; |
| 215 end | 215 end |
