#1845 mod_sasl_ssdp: Wrong calculation of hash if PLAIN is disabled
Reporter
Martin
Owner
Nobody
Created
Updated
Stars
★ (1)
Tags
Component-Community
Status-New
Priority-Medium
Type-Defect
Martin
With PLAIN auth enabled prosody and my client calculate the same downgrade protection hash (calc is calculated by my client, recv is what my client receives from prosody):
```
raw: OAUTHBEARER,PLAIN,SCRAM-SHA-1,SCRAM-SHA-1-PLUS|tls-exporter
calc: fXNRzKJ3ccSa9fGXEJotLadWM5g=
recv: fXNRzKJ3ccSa9fGXEJotLadWM5g=
```
If I disable PLAIN auth by setting `disable_sasl_mechanisms = { "PLAIN" }` there is a discrepancy between the downgrade protection hashes:
```
raw: OAUTHBEARER,SCRAM-SHA-1,SCRAM-SHA-1-PLUS|tls-exporter
calc: KLdxyd14RVfso6sao6+8+xGr/Lc=
recv: fXNRzKJ3ccSa9fGXEJotLadWM5g=
```
As the downgrade protection hash sent from prosody is identical in both cases it seems that mod_sasl_ssdp ignores the deactivation of PLAIN.
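The mismatch above can be reproduced outside of any XMPP stack with a few lines of Python. The following is an added example and not Prosody's or mod_sasl_ssdp's code: it assumes the XEP-0474 construction that the raw strings in the report already have (sorted mechanism names joined by `,`, then `|`, then the sorted channel-binding types), that the digest is SHA-1 because the SCRAM mechanism in use is SCRAM-SHA-1, and that the result is base64-encoded. It models a server that hashes the full mechanism list while ignoring `disable_sasl_mechanisms` beside one that hashes only what it actually advertises, and a client that recomputes the hash over the mechanisms it was offered. The function names and the `DISABLED` set are constructed for the example.

```python
import base64
import hashlib

# Constructed sample data mirroring the mechanism lists in the report.
OFFERED_MECHS = ["OAUTHBEARER", "PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-1-PLUS"]
CHANNEL_BINDINGS = ["tls-exporter"]
DISABLED = {"PLAIN"}  # stands in for disable_sasl_mechanisms = { "PLAIN" }


def ssdp_input(mechanisms, cb_types):
    """Build the string that gets hashed.

    Assumption: XEP-0474 layout, i.e. sorted mechanism names joined by ",",
    a "|" separator, then sorted channel-binding types joined by ",".
    """
    return ",".join(sorted(mechanisms)) + "|" + ",".join(sorted(cb_types))


def ssdp_hash(mechanisms, cb_types, digest="sha1"):
    """Base64 of the digest over the SSDP input.

    Assumption: SHA-1, matching the SCRAM-SHA-1 mechanism being negotiated.
    """
    data = ssdp_input(mechanisms, cb_types).encode("utf-8")
    return base64.b64encode(hashlib.new(digest, data).digest()).decode("ascii")


def advertised_mechanisms(offered, disabled):
    """What the server actually puts on the wire after applying the disable list."""
    return [m for m in offered if m not in disabled]


def server_hash_ignoring_disabled(offered, disabled, cb_types):
    """Models the reported defect: the hash covers the full list, so it does not
    change when a mechanism is disabled in the configuration."""
    del disabled  # deliberately unused, this is the buggy behaviour
    return ssdp_hash(offered, cb_types)


def server_hash_honouring_disabled(offered, disabled, cb_types):
    """Expected behaviour: hash exactly the mechanisms that are advertised."""
    return ssdp_hash(advertised_mechanisms(offered, disabled), cb_types)


def client_accepts(seen_mechanisms, cb_types, received_hash):
    """Client-side downgrade check: recompute over the mechanisms it was offered
    and compare with the value the server sent. A mismatch means either a
    downgrade attempt or, as in this report, a server-side calculation error."""
    return ssdp_hash(seen_mechanisms, cb_types) == received_hash


if __name__ == "__main__":
    seen = advertised_mechanisms(OFFERED_MECHS, DISABLED)
    print("raw :", ssdp_input(seen, CHANNEL_BINDINGS))
    print("calc:", ssdp_hash(seen, CHANNEL_BINDINGS))
    print("recv (buggy server):", server_hash_ignoring_disabled(OFFERED_MECHS, DISABLED, CHANNEL_BINDINGS))
    print("accepted:", client_accepts(seen, CHANNEL_BINDINGS,
                                      server_hash_ignoring_disabled(OFFERED_MECHS, DISABLED, CHANNEL_BINDINGS)))
```

Run it and the buggy server's hash is rejected by the client while the corrected one is accepted; the raw strings it prints are the same two strings shown in the report. The `client_accepts` check is the whole point of SSDP: a server that hashes mechanisms it no longer advertises produces a value the client can never reproduce, so a correct client must refuse rather than ignore the mismatch.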
Zash
Thanks for the report
I think we discussed this in the chat. Was this a problem with mod_sasl_ssdp not taking disable_sasl_mechanisms etc into account?
Yes, exactly.