#1845 mod_sasl_ssdp: Wrong calculation of hash if PLAIN is disabled

Reporter Martin
Owner Nobody
Stars ★★ (2)
  • Status-New
  • Type-Defect
  • Priority-Medium
  • Component-Community
  1. Martin on

    With PLAIN auth enabled prosody and my client calculate the same downgrade protection hash (calc is calculated by my client, recv is what my client receives from prosody): ``` raw: OAUTHBEARER,PLAIN,SCRAM-SHA-1,SCRAM-SHA-1-PLUS|tls-exporter calc: fXNRzKJ3ccSa9fGXEJotLadWM5g= recv: fXNRzKJ3ccSa9fGXEJotLadWM5g= ``` If I disable PLAIN auth by setting `disable_sasl_mechanisms = { "PLAIN" } ` there is a discrepancy between the downgrade protection hashes: ``` raw: OAUTHBEARER,SCRAM-SHA-1,SCRAM-SHA-1-PLUS|tls-exporter calc: KLdxyd14RVfso6sao6+8+xGr/Lc= recv: fXNRzKJ3ccSa9fGXEJotLadWM5g= ``` As the downgrade protection hash sent from prosody is identical in both cases it seems that mod_sasl_ssdp ignores the deactivation of PLAIN.

  2. Zash on

    Thanks for the report I think we discussed this in the chat. Was this a problem with mod_sasl_ssdp not taking disable_sasl_mechanisms etc into account?

    • tags Component-Community
  3. Martin on

    Yes, exactly.

New comment

Not published. Used for spam prevention and optional update notifications.