Changeset

10912:646af16a3f32 0.11

util.sasl.scram: Apply saslprep before hashing password, fixes #1560
author Kim Alvefur <zash@zash.se>
date Fri, 22 May 2020 20:59:01 +0200
parents 10843:8fcd46ee9bf5
children 10913:54953b5a214b
files util/sasl/scram.lua
diffstat 1 files changed, 4 insertions(+), 0 deletions(-) [+]
--- a/util/sasl/scram.lua	Fri May 15 21:22:35 2020 +0200
+++ b/util/sasl/scram.lua	Fri May 22 20:59:01 2020 +0200
@@ -106,6 +106,10 @@
 	if iteration_count < 4096 then
 		log("warn", "Iteration count < 4096 which is the suggested minimum according to RFC 5802.")
 	end
+	password = saslprep(password);
+	if not password then
+		return false, "password fails SASLprep";
+	end
 	local salted_password = Hi(password, salt, iteration_count);
 	local stored_key = sha1(hmac_sha1(salted_password, "Client Key"))
 	local server_key = hmac_sha1(salted_password, "Server Key");
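Review bot: The new SASLprep step lacks a comment tying it to the spec, and the reason a failed normalization must abort rather than fall back to the raw string is not obvious to a later reader; a short comment above the `password = saslprep(password);` line would help, for example `-- RFC 5802 §3: SaltedPassword := Hi(Normalize(password), salt, i); a string SASLprep cannot normalize must be rejected, never hashed raw`. This function's signature and its final return statement lie outside the hunk, so its return contract cannot be confirmed here, but the added branch returns an error string in the position where the success path presumably returns the stored key; callers should be checked to ensure they test the first return value before treating the second as key material. The check `if not password then` appears to assume `saslprep` signals failure with `nil` or `false` rather than by raising — worth confirming against the helper, since an `error()` would propagate past this guard unchanged. The generic message "password fails SASLprep" is appropriate: it reveals nothing about the stored credential.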