Verify that the server constructed the SCRAM nonce correctly.

The nonce consists of client and server nonces concatenated together. The
client checks the nonce contained the client nonce, but it would get fooled
if the server sent a truncated or even empty nonce.

Reported by Steven Fackler to security@postgresql.org. Neither me or Steven
are sure what harm a malicious server could do with this, but let's fix it.

diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index fbb44b3f852f168af20655723d872983edea9684..d2e355a8b8db5255cb21f60abf7eb5ad292b6f0b 100644 (file)
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -430,7 +430,8 @@ read_server_first_message(fe_scram_state *state, char *input,
    }
 
    /* Verify immediately that the server used our part of the nonce */
-   if (strncmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)
+   if (strlen(nonce) < strlen(state->client_nonce) ||
+       memcmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)
    {
        printfPQExpBuffer(errormessage,
                 libpq_gettext("invalid SCRAM response (nonce mismatch)\n"));