Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)

This commit is contained in:
Petr Lautrbach 2013-11-15 14:16:32 +01:00
parent 21e60e40c2
commit 58097f5a54
2 changed files with 55 additions and 0 deletions

View File

@ -0,0 +1,51 @@
commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
Author: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Fri Jul 5 16:37:59 2013 +0100
Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
flag, which prevented them from being chosen over PLAIN when PLAIN is selected
as the best mechanism first. For example the problem can be observed when
the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
returned before SCRAM/DIGEST.)
Cyrus SASL bug # 3793
diff --git a/lib/client.c b/lib/client.c
index 62dfb0b..31fe346 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
return SASL_OK;
}
+static int
+_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
+ unsigned current_security_flags)
+{
+ /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
+ best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
+
+ if ((current_security_flags ^ best_security_flags) & best_security_flags) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
/* select a mechanism for a connection
* mechlist -- mechanisms server has available (punctuation ignored)
* secret -- optional secret from previous session
@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
*/
if (bestm &&
- ((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
- bestm->m.plug->security_flags)) {
+ _sasl_are_current_security_flags_worse_then_best(
+ bestm->m.plug->security_flags,
+ m->m.plug->security_flags)) {
break;
}

View File

@ -52,6 +52,8 @@ Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b
Patch51: cyrus-sasl-2.1.26-sql.patch Patch51: cyrus-sasl-2.1.26-sql.patch
# improve configuration error message # improve configuration error message
Patch52: cyrus-sasl-2.1.26-config-error.patch Patch52: cyrus-sasl-2.1.26-config-error.patch
# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@ -195,6 +197,8 @@ chmod -x include/*.h
%patch50 -p1 -b .gssapi %patch50 -p1 -b .gssapi
%patch51 -p1 -b .sql %patch51 -p1 -b .sql
%patch52 -p1 -b .configerr %patch52 -p1 -b .configerr
%patch53 -p1 -b .sha1vsplain
%build %build
# Find Kerberos. # Find Kerberos.