From f01c62c9689aacfbf456435333634f9858c1057f Mon Sep 17 00:00:00 2001 From: George Hazan Date: Wed, 29 Jan 2014 10:58:59 +0000 Subject: fixes #557 (SCRAM-SHA-1 fails for salts longer than 16 bytes) git-svn-id: http://svn.miranda-ng.org/main/trunk@7944 1316c22d-e87f-b044-9b9b-93d7a3e3ba9c --- protocols/JabberG/src/jabber_secur.cpp | 46 ++++++++++++---------------------- 1 file changed, 16 insertions(+), 30 deletions(-) diff --git a/protocols/JabberG/src/jabber_secur.cpp b/protocols/JabberG/src/jabber_secur.cpp index df736ea7d9..b2158cb410 100644 --- a/protocols/JabberG/src/jabber_secur.cpp +++ b/protocols/JabberG/src/jabber_secur.cpp @@ -246,41 +246,27 @@ void TScramAuth::Hi(BYTE* res, char* passw, size_t passwLen, char* salt, size_t char* TScramAuth::getChallenge(const TCHAR *challenge) { - unsigned chlLen; - ptrA chl((char*)mir_base64_decode(_T2A(challenge), &chlLen)); - - char *r = strstr(chl, "r="); - if (!r) - return NULL; - - char *e = strchr(r, ','); if (e) *e = 0; - ptrA snonce(mir_strdup(r + 2)); - if (e) *e = ','; - - size_t cnlen = strlen(cnonce); - if (strncmp(cnonce, snonce, cnlen)) - return NULL; + unsigned chlLen, saltLen; + ptrA snonce, salt; + int ind = -1; - char *s = strstr(chl, "s="); - if (!s) - return NULL; - e = strchr(s, ','); if (e) *e = 0; + ptrA chl((char*)mir_base64_decode(_T2A(challenge), &chlLen)); - unsigned saltLen; - ptrA salt((char*)mir_base64_decode(s + 2, &saltLen)); - if (e) *e = ','; - if (saltLen > 16) - return NULL; + for (char *p = strtok(chl, ","); p != NULL; p = strtok(NULL, ",")) { + if (*p == 'r' && p[1] == '=') { // snonce + if (strncmp(cnonce, p + 2, strlen(cnonce))) + return NULL; + snonce = mir_strdup(p + 2); + } + else if (*p == 's' && p[1] == '=') // salt + salt = (char*)mir_base64_decode(p + 2, &saltLen); + else if (*p == 'i' && p[1] == '=') + ind = atoi(p + 2); + } - char *in = strstr(chl, "i="); - if (!in) + if (snonce == NULL || salt == NULL || ind == -1) return NULL; - e = strchr(in, ','); if (e) *e = 0; - int ind = atoi(in + 2); - if (e) - *e = ','; - ptrA passw(mir_utf8encodeT(info->password)); size_t passwLen = strlen(passw); -- cgit v1.2.3