[SERVER-26586] SCRAM client mechanism should preemptively validate server provided nonces
Created: 11/Oct/16 Updated: 19/Nov/16 Resolved: 18/Oct/16

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 3.4.0-rc1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Participants: | |
| Linked BF Score: | 25 |
| Description |

The client-side SCRAM mechanism sends a nonce to the server as part of Client Step 1. The server takes this nonce, appends its own random data, and returns this to the client in Server Step 1. The client should validate that its original nonce is a prefix of this nonce. Not doing so could cause an error message to be emitted in Server Step 2, rather than in Client Step 2 when the problem was first detectable. Fixing this will improve the usefulness of these messages.
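
The check described above, as an added sketch that is not the MongoDB patch or any code from this ticket: it parses a SCRAM server-first message (`r=<nonce>,s=<salt>,i=<iterations>`) and rejects it at the start of Client Step 2 when the client's nonce is not a prefix of the returned nonce. The names `validateServerNonce`, `parseAttributes` and `NonceCheck` are hypothetical, the sample messages in `main` are illustrative, and the "nothing appended" check is an extra assumption beyond what the ticket asks for.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Outcome of the client-side check on the server-first message.
enum class NonceCheck { Ok, Malformed, MissingNonce, NotPrefixed, NothingAppended };

// Split "r=...,s=...,i=..." into attribute -> value. Returns false on any
// field that is not of the form <single char>=<value>.
bool parseAttributes(const std::string& msg, std::map<char, std::string>& out) {
    std::istringstream in(msg);
    std::string field;
    while (std::getline(in, field, ',')) {
        if (field.size() < 2 || field[1] != '=')
            return false;
        out[field[0]] = field.substr(2);  // base64 '=' padding stays in the value
    }
    return true;
}

// Hypothetical helper: call before computing the client proof, so a bad
// nonce fails locally in Client Step 2 instead of remotely in Server Step 2.
NonceCheck validateServerNonce(const std::string& clientNonce,
                               const std::string& serverFirstMessage) {
    std::map<char, std::string> attrs;
    if (clientNonce.empty() || !parseAttributes(serverFirstMessage, attrs))
        return NonceCheck::Malformed;
    auto it = attrs.find('r');
    if (it == attrs.end())
        return NonceCheck::MissingNonce;
    const std::string& combined = it->second;
    // The client's original nonce must be a prefix of the combined nonce.
    if (combined.compare(0, clientNonce.size(), clientNonce) != 0)
        return NonceCheck::NotPrefixed;
    // Assumption: a server that appended no data of its own is also rejected.
    if (combined.size() == clientNonce.size())
        return NonceCheck::NothingAppended;
    return NonceCheck::Ok;
}

int main() {
    const std::string nonce = "fyko+d2lbbFgONRv9qkxdawL";  // sample client nonce
    const std::string good = "r=" + nonce + "3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096";
    const std::string bad = "r=AAAA3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096";
    std::cout << (validateServerNonce(nonce, good) == NonceCheck::Ok) << "\n";
    std::cout << (validateServerNonce(nonce, bad) == NonceCheck::NotPrefixed) << "\n";
    return 0;
}
```
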
| Comments |
| Comment by Githook User [ 18/Oct/16 ] |

Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}
Message: