On 04-12-2020 15:10, Dimitry Sibiryakov wrote:
> 04.12.2020 14:38, Mark Rotteveel wrote:
>> This obviously means that there is something wrong in Jaybird's SRP implementation, but so far I have no clue as to what.
>
>   SRP definitely allows distinguishing the cases of unknown user and wrong password. You could start by finding out which part of the handshake has failed.

It reaches phase 2 of the authentication, so the user exists (with a user that doesn't exist, it ends after phase 1). The server response is an op_cont_auth suggesting to try Legacy_Auth next.

This behaviour is a security issue: it leaks the existence or non-existence of the user.

Mark
--
Mark Rotteveel
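The leak Mark describes (an unknown user stops the handshake after phase 1, a wrong password only fails in phase 2) and the usual remedy are shown below in a minimal SRP-6a sketch. This is an added example written for this thread, not Firebird or Jaybird code: it assumes SHA-256, the RFC 5054 1024-bit group with g = 2, a simplified proof M1 = H(A, B, S), and a toy in-memory user store; none of that is the Firebird wire protocol. The hardened server answers an unknown user with a salt derived deterministically from the username under a server secret and a random fake verifier, so phase 1 always completes and both failure cases surface only in phase 2.

```python
"""Minimal SRP-6a sketch: a phase-1 reply that leaks user existence, beside the fix.

Illustrative code for this mailing-list thread, not Firebird/Jaybird code. The hash,
group, proof layout and user store are assumptions, not the Firebird protocol."""
import hashlib
import hmac
import os
import secrets

# RFC 5054 1024-bit group (value as published), generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2
NLEN = (N.bit_length() + 7) // 8


def to_bytes(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K = H(to_bytes(N), to_bytes(G))  # SRP-6a multiplier k = H(N, PAD(g))


def make_verifier(username: str, password: str, salt: bytes) -> int:
    x = H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())
    return pow(G, x, N)


class SrpServer:
    def __init__(self, enum_secret: bytes):
        self.users = {}               # username -> (salt, verifier); toy store
        self.enum_secret = enum_secret  # keyed fake-salt derivation for unknown users

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, make_verifier(username, password, salt))

    def phase1_leaky(self, username: str):
        """Leaky behaviour: an unknown user is refused before phase 1 completes,
        so the point where the handshake stops reveals whether the user exists."""
        if username not in self.users:
            return None
        return self._challenge(*self.users[username])

    def phase1_hardened(self, username: str):
        """Hardened: unknown users get a deterministic fake salt and a random verifier,
        so phase 1 always completes and the failure only appears in phase 2."""
        record = self.users.get(username)
        if record is None:
            salt = hmac.new(self.enum_secret, username.encode(), "sha256").digest()[:16]
            fake_v = pow(G, secrets.randbelow(N - 2) + 1, N)
            record = (salt, fake_v)
        return self._challenge(*record)

    def _challenge(self, salt: bytes, v: int) -> dict:
        b = secrets.randbelow(N - 2) + 1
        B = (K * v + pow(G, b, N)) % N
        return {"salt": salt, "B": B, "_b": b, "_v": v}  # _b/_v stay server-side

    def phase2(self, challenge: dict, A: int, M1: int) -> bool:
        if A % N == 0:  # reject degenerate client public values
            return False
        u = H(to_bytes(A), to_bytes(challenge["B"]))
        S = pow(A * pow(challenge["_v"], u, N), challenge["_b"], N)
        expected = H(to_bytes(A), to_bytes(challenge["B"]), to_bytes(S))
        return hmac.compare_digest(to_bytes(expected), to_bytes(M1))


def client_proof(username: str, password: str, salt: bytes, B: int):
    """Client side: public value A and the (simplified) proof M1 = H(A, B, S)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    u = H(to_bytes(A), to_bytes(B))
    x = H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())
    S = pow(B - K * pow(G, x, N), a + u * x, N)
    return A, H(to_bytes(A), to_bytes(B), to_bytes(S))


def demo() -> dict:
    server = SrpServer(enum_secret=os.urandom(32))
    server.register("alice", "correct horse")  # constructed sample account
    results = {}
    ch = server.phase1_hardened("alice")
    results["right_pw"] = server.phase2(ch, *client_proof("alice", "correct horse", ch["salt"], ch["B"]))
    ch = server.phase1_hardened("alice")
    results["wrong_pw"] = server.phase2(ch, *client_proof("alice", "wrong", ch["salt"], ch["B"]))
    ch = server.phase1_hardened("mallory")  # constructed unknown user
    results["unknown_user"] = server.phase2(ch, *client_proof("mallory", "x", ch["salt"], ch["B"]))
    results["unknown_salt_stable"] = server.phase1_hardened("mallory")["salt"] == ch["salt"]
    results["leaky_stops_after_phase1"] = server.phase1_leaky("mallory") is None
    return results
```

In the hardened path the only observable difference between "wrong password" and "no such user" is that both fail in phase 2, which is exactly what a server should want; the deterministic fake salt matters because a salt that changed on every request for the same name would itself reveal that no stored record exists.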


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
