diff --git a/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch b/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch new file mode 100644 index 0000000..af88e81 --- /dev/null +++ b/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch @@ -0,0 +1,51 @@ +commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7 +Author: Alexey Melnikov +Date: Fri Jul 5 16:37:59 2013 +0100 + + Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism + + Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security + flag, which prevented them from being chosen over PLAIN when PLAIN is selected + as the best mechanism first. For example the problem can be observed when + the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be + returned before SCRAM/DIGEST.) + + Cyrus SASL bug # 3793 + +diff --git a/lib/client.c b/lib/client.c +index 62dfb0b..31fe346 100644 +--- a/lib/client.c ++++ b/lib/client.c +@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams, + return SASL_OK; + } + ++static int ++_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags, ++ unsigned current_security_flags) ++{ ++ /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */ ++ best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS; ++ ++ if ((current_security_flags ^ best_security_flags) & best_security_flags) { ++ return 1; ++ } else { ++ return 0; ++ } ++} ++ + /* select a mechanism for a connection + * mechlist -- mechanisms server has available (punctuation ignored) + * secret -- optional secret from previous session +@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn, + */ + + if (bestm && +- ((m->m.plug->security_flags ^ bestm->m.plug->security_flags) & +- bestm->m.plug->security_flags)) { ++ _sasl_are_current_security_flags_worse_then_best( ++ bestm->m.plug->security_flags, ++ m->m.plug->security_flags)) { + break; + } + 
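Review bot: The new helper `_sasl_are_current_security_flags_worse_then_best` in the first lib/client.c hunk misspells "than" in its name, and its if/else reduces to one line, since `(current ^ best) & best` is exactly the set of bits best has that current lacks: `return (best_security_flags & ~current_security_flags) != 0;`. That form also makes it visible why masking SASL_SEC_PASS_CREDENTIALS out of best alone is sufficient (the bit is ANDed against best, so current's copy of it never matters), which is worth saying in the comment above the mask, e.g. `/* SASL_SEC_PASS_CREDENTIALS is a capability, not a strength property; masking it from best keeps PLAIN from outranking SCRAM-SHA-1/DIGEST-MD5 */` — the ordering claim comes from the commit message, the capability reading should be confirmed against sasl.h. Note that this remains a preference heuristic among mechanisms the server advertises: a client that must never send a password in the clear should still require SASL_SEC_NOPLAINTEXT through its security properties rather than rely on this ordering, and that enforcement is not shown in this hunk. The call site sits inside sasl_client_start, whose body begins and ends outside the second hunk, so the (best, current) argument order is only exercised by that one call.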
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec index 9d1d377..c40c488 100644 --- a/cyrus-sasl.spec +++ b/cyrus-sasl.spec @@ -52,6 +52,8 @@ Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b Patch51: cyrus-sasl-2.1.26-sql.patch # improve configuration error message Patch52: cyrus-sasl-2.1.26-config-error.patch +# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718) +Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf, automake, libtool, gdbm-devel, groff @@ -195,6 +197,8 @@ chmod -x include/*.h %patch50 -p1 -b .gssapi %patch51 -p1 -b .sql %patch52 -p1 -b .configerr +%patch53 -p1 -b .sha1vsplain + %build # Find Kerberos.