# HG changeset patch
# User Tobias Markmann
# Date 1258541990 -3600
# Node ID 08a6b91bfe7b0e11231c544812f467f50b21b9f8
# Parent d18b4d22b8dad8e9d450b3c8c63549a705b6ad31
SASLprep usernames and passwords.
diff -r d18b4d22b8da -r 08a6b91bfe7b util/sasl/scram.lua
--- a/util/sasl/scram.lua Tue Nov 17 22:39:18 2009 +0100
+++ b/util/sasl/scram.lua Wed Nov 18 11:59:50 2009 +0100
@@ -19,6 +19,8 @@
 local hmac_sha1 = require "util.hmac".sha1;
 local sha1 = require "util.hashes".sha1;
 local generate_uuid = require "util.uuid".generate;
+local saslprep = require "util.encodings".stringprep.saslprep;
+local log = require "util.logger".init("sasl");
 module "plain"
@@ -70,6 +72,7 @@
 -- replace =2D with , and =3D with =
 -- apply SASLprep
+ username = saslprep(username);
 return username;
 end
@@ -83,10 +86,16 @@
 self.state["name"] = client_first_message:match("n=(.+),r=")
 self.state["clientnonce"] = client_first_message:match("r=([^,]+)")
- self.state.name = validate_username(self.state.name);
 if not self.state.name or not self.state.clientnonce then
 return "failure", "malformed-request";
 end
+
+ self.state.name = validate_username(self.state.name);
+ if not self.state.name then
+ log("debug", "Username violates either SASLprep or contains forbidden character sequences.")
+ return "failure", "malformed-request";
+ end
+
 self.state["servernonce"] = generate_uuid();
 self.state["salt"] = generate_uuid();
@@ -110,6 +119,11 @@
 password, state = self.profile.plain(self.state.name, self.realm)
 if state == nil then return "failure", "not-authorized"
 elseif state == false then return "failure", "account-disabled" end
+ password = saslprep(password);
+ if not password then
+ log("debug", "Password violates SASLprep.");
+ return "failure", "not-authorized"
+ end
 end
 local SaltedPassword = Hi(hmac_sha1, password, self.state.salt, default_i)
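Review bot: In the `validate_username` hunk, `username = saslprep(username);` runs on the still-escaped username: the `-- replace =2D with , and =3D with =` comment directly above has no code under it, so the value that ends up in `self.state.name` and is later handed to `self.profile.plain` keeps the `=2D`/`=3D` escape sequences, and SASLprep only ever sees them as plain ASCII. If the unescape step is meant to exist it has to run before `saslprep`, so the profile lookup is done on the real name; if it is intentionally left out, the comment should say so rather than describe a step that is not performed. Separately, SCRAM (RFC 5802) escapes a comma in the username as `=2C`, not `=2D`, so the comment and, presumably, the sequence check at the top of `validate_username` (which starts before this hunk) look worth re-checking against the RFC. Since the caller only tests the result with `not`, a one-line comment on the new line would also help: `-- saslprep is expected to return nil for rejected input; callers treat any falsy result as invalid`.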
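Review bot: In the client-first-message hunk the new `log("debug", "Username violates either SASLprep or contains forbidden character sequences.")` line is the only statement in the block without a trailing semicolon, while every neighbouring line and the matching `log(...)` in the password hunk use one; `log("debug", "Username violates either SASLprep or contains forbidden character sequences.");` keeps the file consistent. The message is also slightly off grammatically ("violates either SASLprep or contains"), which the password hunk's wording avoids; "Username fails SASLprep or contains forbidden character sequences." reads cleaner. Moving `validate_username` below the nil check is the right fix and the log deliberately omits the raw client-supplied name, which is the safer choice since it may hold arbitrary bytes. The enclosing function begins before this hunk.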
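Review bot: In the password hunk, a stored password that fails SASLprep is logged at `debug` with a message that is indistinguishable from the client-side username case, yet the value rejected here is `password` as returned by `self.profile.plain`, i.e. server-side account data, not client input. An operator cannot currently tell that an account is silently unable to authenticate via SCRAM; logging it with the (already SASLprep'd) account name at a higher level, e.g. `log("warn", "Stored password for user '"..self.state.name.."' does not pass SASLprep; SCRAM login refused");`, makes the data problem visible without exposing the password itself. Returning `"not-authorized"` to the client is right, since it reveals nothing beyond a failed login. `password` is assigned without `local` here, so it is presumably declared earlier in the enclosing function, which starts before this hunk; worth confirming rather than relying on a global.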