
fix CRAM-MD5 security issue

pjstevns committed Dec 19, 2014
1 parent 4d53272 commit a0c2d6fe4684d3abde76d6428237feafdbe07ba9
Showing with 9 additions and 0 deletions.
  1. +1 −0 jenkins/Makefile
  2. +2 −0 src/dm_db.c
  3. +6 −0 test-scripts/testimap.py
@@ -27,6 +27,7 @@ run-test:
(cd ../ && CK_FORK=no make check)
sbin/dbmail-users -c testuser1 -w test -p plaintext || true
sbin/dbmail-users -a testuser2 -w test -p plaintext || true
sbin/dbmail-users -a testuser3 -w test -p sha256 || true
sbin/dbmail-users -y -e testuser1 || true
bin/py ../contrib/mailbox2dbmail/mailbox2dbmail -u testuser1 -m ../test-scripts/testbox -t mbox -p sbin/dbmail-deliver
timeout 300 imaptest user=testuser1 pass=test port=10143 test=../test-scripts/imap
@@ -3695,6 +3695,8 @@ int db_user_validate(ClientBase_T *ci, const char *pwfield, uint64_t *user_idnr,
else
is_validated = (strcmp(dbpass, password) == 0) ? 1 : 0;
}
else if (ci && ci->auth) // CRAM-MD5 auth but storage is encrypted
is_validated = 0;
else if (SMATCH(encode, "crypt")) {
TRACE(TRACE_DEBUG, "validating using crypt() encryption");
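Review bot: The new `else if (ci && ci->auth)` branch refuses the login silently, while the sibling `crypt` branch at the end of the hunk records its path with `TRACE(TRACE_DEBUG, ...)`; a CRAM-MD5 attempt refused because the stored password is hashed is exactly the event an operator needs in the log to tell a mechanism mismatch from a bad password, so log before rejecting, e.g. `TRACE(TRACE_WARNING, "CRAM-MD5 authentication not possible for encrypted password storage");` ahead of `is_validated = 0;`. The condition also treats any non-NULL `ci->auth` as a challenge-response login; if `ci->auth` can be populated for other mechanisms, the rejection is broader than the trailing comment states, so the comment should name that assumption. The enclosing db_user_validate starts and ends outside the hunk.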
@@ -589,6 +589,12 @@ def testLogin_cram_md5(self):
self.failUnlessRaises(Exception, o.login_cram_md5,
"fakeuser", "wrongpassword")
o = getsock()
o.debug = DEBUG
# testuser3 password stored as sha256 so this must fail
self.failUnlessRaises(Exception, o.login_cram_md5,
"testuser3", "password123")
def testLogout(self):
"""
logout()
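Review bot: The new negative test at the end of the hunk passes `"password123"`, which is not the password jenkins/Makefile assigns to testuser3 (`-w test`), so — assuming that is the account under test — the assertion holds with or without the server fix: a wrong password is refused by any mechanism, and the case this commit addresses (CRAM-MD5 evaluated against a sha256-stored password with the correct secret) is never exercised. Use the account's real password, `"testuser3", "test"`, so hashed storage is the only reason for the refusal, and precede it with a plain `login` for testuser3 to confirm the account exists; as written the assertion also passes vacuously when the `dbmail-users -a testuser3` step fails, since that step is masked by `|| true`. `self.failUnlessRaises(Exception, ...)` follows the existing style in this method but would also accept an unrelated error; if the client library raises a specific error type for a refused login, asserting that type would be tighter. testLogin_cram_md5 starts outside the hunk.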

