Verify that the server constructed the SCRAM nonce correctly.

hlinnaka · hlinnaka · commit 1c9b6e818f04 · 2017-05-23T05:55:19.000-04:00
The nonce consists of client and server nonces concatenated together. The
client checks the nonce contained the client nonce, but it would get fooled
if the server sent a truncated or even empty nonce.

Reported by Steven Fackler to security@postgresql.org. Neither me or Steven
are sure what harm a malicious server could do with this, but let's fix it.
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
@@ -430,7 +430,8 @@ read_server_first_message(fe_scram_state *state, char *input,
 	}
 
 	/* Verify immediately that the server used our part of the nonce */
-	if (strncmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)
+	if (strlen(nonce) < strlen(state->client_nonce) ||
+		memcmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)
 	{
 		printfPQExpBuffer(errormessage,
 				 libpq_gettext("invalid SCRAM response (nonce mismatch)\n"));

Original file line number	Diff line number	Diff line change
`@@ -430,7 +430,8 @@ read_server_first_message(fe_scram_state state, char input,`
`430`	`430`	`}`
`431`	`431`
`432`	`432`	`/* Verify immediately that the server used our part of the nonce */`
`433`		`- if (strncmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)`
	`433`	`+ if (strlen(nonce) < strlen(state->client_nonce) \|\|`
	`434`	`+ memcmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)`
`434`	`435`	`{`
`435`	`436`	`printfPQExpBuffer(errormessage,`
`436`	`437`	`libpq_gettext("invalid SCRAM response (nonce mismatch)\n"));`