Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
parent
21e60e40c2
commit
58097f5a54
51
cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
Normal file
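--- /dev/null
+++ b/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
@@ -0,0 +1,51 @@
+commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
+Author: Alexey Melnikov <alexey.melnikov@isode.com>
+Date: Fri Jul 5 16:37:59 2013 +0100
+
+Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
+
+Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
+flag, which prevented them from being chosen over PLAIN when PLAIN is selected
+as the best mechanism first. For example the problem can be observed when
+the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
+returned before SCRAM/DIGEST.)
+
+Cyrus SASL bug # 3793
+
+diff --git a/lib/client.c b/lib/client.c
+index 62dfb0b..31fe346 100644
+--- a/lib/client.c
++++ b/lib/client.c
+@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
+return SASL_OK;
+}
+
++static int
++_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
++ unsigned current_security_flags)
++{
++ /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
++ best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
++
++ if ((current_security_flags ^ best_security_flags) & best_security_flags) {
++ return 1;
++ } else {
++ return 0;
++ }
++}
++
+/* select a mechanism for a connection
+* mechlist -- mechanisms server has available (punctuation ignored)
+* secret -- optional secret from previous session
+@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
+*/
+
+if (bestm &&
+- ((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
+- bestm->m.plug->security_flags)) {
++ _sasl_are_current_security_flags_worse_then_best(
++ bestm->m.plug->security_flags,
++ m->m.plug->security_flags)) {
+break;
+}
+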
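Review bot: The new helper `_sasl_are_current_security_flags_worse_then_best` spells its comparison as `(current ^ best) & best`, which is the same as `best & ~current`, and the name says "then" where it means "than"; since this is a backport of upstream 26dcfb2d, the spelling is best fixed upstream rather than diverged here, but the body would read more plainly as `return (best_security_flags & ~current_security_flags) != 0;`. The one-line comment in the hunk says only that SASL_SEC_PASS_CREDENTIALS is not counted as "secure"; a header comment should also state the consequence, e.g. `/* Nonzero when the best mechanism so far has a security flag the current one lacks. SASL_SEC_PASS_CREDENTIALS is masked out of the best flags before the compare, so a mechanism that only has that bit (PLAIN) no longer outranks SCRAM-SHA-1/DIGEST-MD5. */`. Note that masking only `best_security_flags` is sufficient, because the test looks solely at bits set in `best`, so the PASS_CREDENTIALS bit of `current_security_flags` is ignored as well. The caller's selection loop in `sasl_client_start` begins and ends outside the second hunk, so whether other ordering criteria there still prefer PLAIN cannot be judged from this patch alone.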
@ -52,6 +52,8 @@ Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b
|
||||
Patch51: cyrus-sasl-2.1.26-sql.patch
|
||||
# improve configuration error message
|
||||
Patch52: cyrus-sasl-2.1.26-config-error.patch
|
||||
# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
|
||||
Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
|
||||
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
|
||||
@ -195,6 +197,8 @@ chmod -x include/*.h
|
||||
%patch50 -p1 -b .gssapi
|
||||
%patch51 -p1 -b .sql
|
||||
%patch52 -p1 -b .configerr
|
||||
%patch53 -p1 -b .sha1vsplain
|
||||
|
||||
|
||||
%build
|
||||
# Find Kerberos.
|
||||
|