Commit b36583ba authored by fedor.brunner's avatar fedor.brunner

Check nonce returned from server during SCRAM-SHA-1 authentication.

The first part of the server nonce must be the nonce sent by the client.

Fixes #19
parent 28207b6a
......@@ -358,7 +358,11 @@ class SASL(PlugIn):
self.scram_step = 1
self.scram_soup += ',' + data + ','
data = _scram_parse(data)
# TODO: Should check cnonce here.
# Check server nonce here.
# The first part of server nonce muss be the nonce send by client.
if (data['r'][:len(self.client_nonce)] != self.client_nonce):
on_auth_fail('Server nonce is incorrect')
raise NodeProcessed
# TODO: Channel binding data goes in here too.
r = 'c=' + scram_base64(self.scram_gs2)
r += ',r=' + data['r']
......@@ -389,6 +393,7 @@ class SASL(PlugIn):
self._owner.send(str(node))
raise NodeProcessed
# DIGEST-MD5
# magic foo...
chal = _challenge_splitter(data)
if not self.realm and 'realm' in chal:
......@@ -433,8 +438,8 @@ class SASL(PlugIn):
def set_password(self, password):
self.password = '' if password is None else password
if self.mechanism == 'SCRAM-SHA-1':
nonce = '%x' % rndg.getrandbits(196)
self.scram_soup = 'n=' + self.username + ',r=' + nonce
self.client_nonce = '%x' % rndg.getrandbits(196)
self.scram_soup = 'n=' + self.username + ',r=' + self.client_nonce
self.scram_gs2 = 'n,,' # No CB yet.
sasl_data = (self.scram_gs2 + self.scram_soup).encode('base64').\
replace('\n', '')
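Review bot: The new nonce check in the first hunk indexes the parsed challenge with `data['r']` directly, so a server reply that omits `r=` raises `KeyError` out of the handler instead of being rejected through `on_auth_fail`; `if data.get('r', '')[:len(self.client_nonce)] != self.client_nonce:` fails closed on both a missing and a mismatched nonce, and the later `data['r']` use is then only reached with a validated value. The comment above the check should read `# The first part of the server nonce must be the nonce sent by the client.`, and the parentheses around the condition are not needed in Python. In the `set_password` hunk the client nonce is drawn from `rndg`, whose definition is outside this diff; the freshness guarantee the new check relies on presumes a CSPRNG such as `random.SystemRandom`, which is worth confirming. The challenge handler enclosing the first hunk starts and ends outside it.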