Add GS2 authorization to sasl-scram-rfc

* lisp/net/sasl-scram-rfc.el (sasl-scram-gs2-header-function,
sasl-scram-construct-gs2-header): Add new variable and default
function for determining a SCRAM GSS-API message header.  This is
mainly intended for other libraries rather than end users.
(sasl-scram-client-first-message): Use gs2-header function.
(sasl-scram--client-final-message): Use dedicated gs2-header function.
Also pass NO-LINE-BREAK to base64-encode-string so the encoded values contain no line breaks, as the RFC 5802 message format allows none.
(Bug#57956.)
This commit is contained in:
F. Jason Park 2022-09-19 21:28:52 -07:00 committed by Amin Bandali
parent d47e05219f
commit 71397175aa
No known key found for this signature in database
GPG key ID: 8B44A0CDC7B956F2


@ -45,14 +45,21 @@
;;; Generic for SCRAM-*
(defvar sasl-scram-gs2-header-function 'sasl-scram-construct-gs2-header
"Function to create GS2 header.
See https://www.rfc-editor.org/rfc/rfc5801#section-4.")
(defun sasl-scram-construct-gs2-header (client)
;; The "n," means the client doesn't support channel binding, and
;; the trailing comma is included as per RFC 5801.
(let ((authzid (sasl-client-property client 'authenticator-name)))
(concat "n," (and authzid "a=") authzid ",")))
(defun sasl-scram-client-first-message (client _step)
(let ((c-nonce (sasl-unique-id)))
(sasl-client-set-property client 'c-nonce c-nonce))
(concat
;; n = client doesn't support channel binding
"n,"
;; TODO: where would we get authorization id from?
","
(funcall sasl-scram-gs2-header-function client)
(sasl-scram--client-first-message-bare client)))
(defun sasl-scram--client-first-message-bare (client)
@ -77,11 +84,11 @@
(c-nonce (sasl-client-property client 'c-nonce))
;; no channel binding, no authorization id
(cbind-input "n,,"))
(cbind-input (funcall sasl-scram-gs2-header-function client)))
(unless (string-prefix-p c-nonce nonce)
(sasl-error "Invalid nonce from server"))
(let* ((client-final-message-without-proof
(concat "c=" (base64-encode-string cbind-input) ","
(concat "c=" (base64-encode-string cbind-input t) ","
"r=" nonce))
(password
;; TODO: either apply saslprep or disallow non-ASCII characters
@ -113,7 +120,7 @@
(client-proof (funcall string-xor client-key client-signature))
(client-final-message
(concat client-final-message-without-proof ","
"p=" (base64-encode-string client-proof))))
"p=" (base64-encode-string client-proof t))))
(sasl-client-set-property client 'auth-message auth-message)
(sasl-client-set-property client 'salted-password salted-password)
client-final-message)))
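Review bot: `sasl-scram-construct-gs2-header` in the first hunk inserts the authorization identity into the GS2 header verbatim, but RFC 5802 defines authzid as a saslname in which "=" and "," must be encoded as "=3D" and "=2C"; an identity containing either character yields a header the server parses differently (a stray comma ends the authzid field early), and because the same string is reused as cbind-input in `sasl-scram--client-final-message` the problem surfaces as an opaque authentication failure rather than a clear error. `(and authzid "a=")` also treats an empty string as present and emits `n,a=,`, which breaks the one-or-more-characters rule for saslname. Since the header is now built in a single function, escaping there keeps the client-first message and the channel-binding input consistent; the rewritten function is below. `sasl-scram--client-first-message-bare` at the end of that hunk continues outside it.
```elisp
(defun sasl-scram-construct-gs2-header (client)
  ;; The "n," means the client doesn't support channel binding, and
  ;; the trailing comma is included as per RFC 5801.
  (let ((authzid (sasl-client-property client 'authenticator-name)))
    ;; Treat an empty identity as absent, and encode "=" and "," as
    ;; "=3D" / "=2C" (RFC 5802 saslname) so the header stays parseable.
    (when (and authzid (> (length authzid) 0))
      (setq authzid (replace-regexp-in-string
                     "[=,]"
                     (lambda (c) (if (string= c "=") "=3D" "=2C"))
                     authzid t t)))
    (concat "n," (and authzid (> (length authzid) 0) "a=") authzid ",")))
```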