Apply SASLprep before storing/converting passwords

Fixes #996 and #1295
author: Evgeniy Khramtsov <ekhramtsov@process-one.net> 2017-02-12 10:06:30 +0300
committer: Evgeniy Khramtsov <ekhramtsov@process-one.net> 2017-02-12 10:06:30 +0300
commit: fd885d08186e6a1bce88139b76cdcf7e29d72fc1 (patch)
tree: 3d9181d0c25d97a1bc8cd22df37dd573f49e0916 /src/ejabberd_auth_riak.erl
parent: Use p1_server behaviour in xmpp_stream layer (diff)
1 files changed, 18 insertions, 7 deletions
diff --git a/src/ejabberd_auth_riak.erl b/src/ejabberd_auth_riak.erl
index 16468dea..67f2126b 100644
--- a/src/ejabberd_auth_riak.erl
+++ b/src/ejabberd_auth_riak.erl
@@ -120,9 +120,12 @@ check_password(User, AuthzId, Server, Password, Digest,
 set_password(User, Server, Password) ->
     LUser = jid:nodeprep(User),
     LServer = jid:nameprep(Server),
+    LPassword = jid:resourceprep(Password),
     US = {LUser, LServer},
     if (LUser == error) or (LServer == error) ->
 	   {error, invalid_jid};
+       LPassword == error ->
+	   {error, invalid_password};
        true ->
             Password2 = case is_scrammed() and is_binary(Password)
                         of
@@ -141,9 +144,12 @@ try_register(User, Server, PasswordList) ->
       iolist_to_binary(PasswordList);
       true -> PasswordList
     end,
+    LPassword = jid:resourceprep(Password),
     US = {LUser, LServer},
     if (LUser == error) or (LServer == error) ->
 	   {error, invalid_jid};
+       LPassword == error ->
+	   {error, invalid_password};
        true ->
             case ejabberd_riak:get(passwd, passwd_schema(), US) of
                 {error, notfound} ->
@@ -284,13 +290,18 @@ password_to_scram(Password, IterationCount) ->
 	   iterationcount = IterationCount}.
 
 is_password_scram_valid(Password, Scram) ->
-    IterationCount = Scram#scram.iterationcount,
-    Salt = jlib:decode_base64(Scram#scram.salt),
-    SaltedPassword = scram:salted_password(Password, Salt,
-					   IterationCount),
-    StoredKey =
-	scram:stored_key(scram:client_key(SaltedPassword)),
-    jlib:decode_base64(Scram#scram.storedkey) == StoredKey.
+    case jid:resourceprep(Password) of
+	error ->
+	    false;
+	_ ->
+	    IterationCount = Scram#scram.iterationcount,
+	    Salt = jlib:decode_base64(Scram#scram.salt),
+	    SaltedPassword = scram:salted_password(Password, Salt,
+						   IterationCount),
+	    StoredKey =
+		scram:stored_key(scram:client_key(SaltedPassword)),
+	    jlib:decode_base64(Scram#scram.storedkey) == StoredKey
+    end.
 
 export(_Server) ->
     [{passwd,
author	Evgeniy Khramtsov <ekhramtsov@process-one.net>	2017-02-12 10:06:30 +0300
committer	Evgeniy Khramtsov <ekhramtsov@process-one.net>	2017-02-12 10:06:30 +0300
commit	fd885d08186e6a1bce88139b76cdcf7e29d72fc1 (patch)
tree	3d9181d0c25d97a1bc8cd22df37dd573f49e0916 /src/ejabberd_auth_riak.erl
parent	Use p1_server behaviour in xmpp_stream layer (diff)