SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch

commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
Author: Alexey Melnikov <alexey.melnikov@isode.com>
Date:   Fri Jul 5 16:37:59 2013 +0100
    Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
    
    Both SCRAM-SHA-1 & DIGEST-MD5 are lacking the SASL_SEC_PASS_CREDENTIALS security
    flag, which prevented them from being chosen over PLAIN when PLAIN is selected
    as the best mechanism first. For example the problem can be observed when
    the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
    returned before SCRAM/DIGEST.)
    
    Cyrus SASL bug # 3793
diff --git a/lib/client.c b/lib/client.c
index 62dfb0b..31fe346 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
     return SASL_OK;
 }
 
+static int
+_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
+						 unsigned current_security_flags)
+{
+    /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
+    best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
+
+    if ((current_security_flags ^ best_security_flags) & best_security_flags) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
 /* select a mechanism for a connection
  *  mechlist      -- mechanisms server has available (punctuation ignored)
  *  secret        -- optional secret from previous session
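Review bot: the new helper's name misspells "than" as "then" (`_sasl_are_current_security_flags_worse_then_best`); it is static and brand new, so rename it to `_sasl_are_current_security_flags_worse_than_best` now rather than after callers accumulate. The comment above the mask should also say why the flag is dropped: as the commit message explains, PLAIN carries SASL_SEC_PASS_CREDENTIALS while SCRAM-SHA-1 and DIGEST-MD5 do not, so counting that bit as a security property made PLAIN look stronger than the challenge-response mechanisms. Clearing the bit only from `best_security_flags` is sufficient, because the final test `(current ^ best) & best` only ever reports bits that are set in `best`; a one-line comment stating that would save the next reader from wondering whether `current_security_flags` needs the same mask.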
@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
 	     */
 
 	    if (bestm &&
-		((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
-		 bestm->m.plug->security_flags)) {
+		_sasl_are_current_security_flags_worse_then_best(
+		    bestm->m.plug->security_flags,
+		    m->m.plug->security_flags)) {
 		break;
 	    }
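Review bot: the helper takes `best` first and `current` second, which is the reverse of the operand order in the expression it replaces (`m->m.plug->security_flags ^ bestm->m.plug->security_flags`), and both parameters are plain `unsigned`, so a swapped call would compile silently and quietly invert the selection logic. Either document the order in the helper's comment or have it take the two `cmechanism_t` pointers (`bestm`, `m`) and read `->m.plug->security_flags` itself, which removes the chance of a mix-up at this and any future call site. The comment block ending in `*/` just above this `if` (not shown in the hunk) described the old pure bit-mask comparison; verify it now mentions the SASL_SEC_PASS_CREDENTIALS exception so the prose and the code agree.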