diff options
author | Fedor Brunner <fedor.brunner@azet.sk> | 2014-02-25 19:36:56 +0400 |
---|---|---|
committer | Fedor Brunner <fedor.brunner@azet.sk> | 2014-02-25 19:36:56 +0400 |
commit | c936568623c9966803c357c0f6e77240a8b36d5a (patch) | |
tree | df7fc0980cc157fc58df318f01cb0d746cffb720 | |
parent | d3c23ce0cb90fb0834145ecc0384d56928819aa1 (diff) |
Check nonce returned from server during SCRAM-SHA-1 authentication.
The first part of server nonce muss be the nonce send by client.
Fixes #19
-rw-r--r-- | nbxmpp/auth_nb.py | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/nbxmpp/auth_nb.py b/nbxmpp/auth_nb.py index 3302f31..732a1ed 100644 --- a/nbxmpp/auth_nb.py +++ b/nbxmpp/auth_nb.py @@ -391,7 +391,11 @@ class SASL(PlugIn): self.scram_step = 1 self.scram_soup += ',' + data + ',' data = scram_parse(data) - # TODO: Should check cnonce here. + # Check server nonce here. + # The first part of server nonce muss be the nonce send by client. + if (data['r'][:len(self.client_nonce)] != self.client_nonce): + on_auth_fail('Server nonce is incorrect') + raise NodeProcessed # TODO: Channel binding data goes in here too. r = 'c=' + scram_base64(self.scram_gs2) r += ',r=' + data['r'] @@ -424,6 +428,7 @@ class SASL(PlugIn): self._owner.send(str(node)) raise NodeProcessed + # DIGEST-MD5 # magic foo... chal = challenge_splitter(data) if not self.realm and 'realm' in chal: @@ -468,8 +473,8 @@ class SASL(PlugIn): def set_password(self, password): self.password = '' if password is None else password if self.mechanism == 'SCRAM-SHA-1': - nonce = '%x' % rndg.getrandbits(196) - self.scram_soup = 'n=' + self.username + ',r=' + nonce + self.client_nonce = '%x' % rndg.getrandbits(196) + self.scram_soup = 'n=' + self.username + ',r=' + self.client_nonce self.scram_gs2 = 'n,,' # No CB yet. sasl_data = base64.b64encode((self.scram_gs2 + self.scram_soup).\ encode('utf-8')).decode('utf-8').replace('\n', '') |