[cyrus-sasl] Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)

plautrba plautrba at fedoraproject.org
Fri Nov 15 13:55:42 UTC 2013


commit 58097f5a54e227893f7ab05fc76cc8288d0190b7
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Fri Nov 15 14:16:32 2013 +0100

    Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)

 ...sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch |   51 ++++++++++++++++++++
 cyrus-sasl.spec                                    |    4 ++
 2 files changed, 55 insertions(+), 0 deletions(-)
---
diff --git a/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch b/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
new file mode 100644
index 0000000..af88e81
--- /dev/null
+++ b/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
@@ -0,0 +1,51 @@
+commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
+Author: Alexey Melnikov <alexey.melnikov at isode.com>
+Date:   Fri Jul 5 16:37:59 2013 +0100
+
+    Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
+    
+    Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
+    flag, which prevented them from being chosen over PLAIN when PLAIN is selected
+    as the best mechanism first. For example the problem can be observed when
+    the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
+    returned before SCRAM/DIGEST.)
+    
+    Cyrus SASL bug # 3793
+
+diff --git a/lib/client.c b/lib/client.c
+index 62dfb0b..31fe346 100644
+--- a/lib/client.c
++++ b/lib/client.c
+@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
+     return SASL_OK;
+ }
+ 
++static int
++_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
++						 unsigned current_security_flags)
++{
++    /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
++    best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
++
++    if ((current_security_flags ^ best_security_flags) & best_security_flags) {
++	return 1;
++    } else {
++	return 0;
++    }
++}
++
+ /* select a mechanism for a connection
+  *  mechlist      -- mechanisms server has available (punctuation ignored)
+  *  secret        -- optional secret from previous session
+@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
+ 	     */
+ 
+ 	    if (bestm &&
+-		((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
+-		 bestm->m.plug->security_flags)) {
++		_sasl_are_current_security_flags_worse_then_best(
++		    bestm->m.plug->security_flags,
++		    m->m.plug->security_flags)) {
+ 		break;
+ 	    }
+ 
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index 9d1d377..c40c488 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@@ -52,6 +52,8 @@ Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b
 Patch51: cyrus-sasl-2.1.26-sql.patch
 # improve configuration error message
 Patch52: cyrus-sasl-2.1.26-config-error.patch
+# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
+Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@@ -195,6 +197,8 @@ chmod -x include/*.h
 %patch50 -p1 -b .gssapi
 %patch51 -p1 -b .sql
 %patch52 -p1 -b .configerr
+%patch53 -p1 -b .sha1vsplain
+
 
 %build
 # Find Kerberos.

