From ef02b3a596a07a432b223773eaae9bc18e852337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20=E2=80=9Cpep=E2=80=9D=20Buquet?= Date: Fri, 26 Jan 2024 22:58:00 +0100 Subject: [PATCH] WIP: SCRAM: Restrict tls-unique to TLSv1.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxime “pep” Buquet --- slixmpp/features/feature_mechanisms/mechanisms.py | 6 +++++- slixmpp/util/sasl/mechanisms.py | 8 +++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/slixmpp/features/feature_mechanisms/mechanisms.py b/slixmpp/features/feature_mechanisms/mechanisms.py index db2d73d0..8e2074f7 100644 --- a/slixmpp/features/feature_mechanisms/mechanisms.py +++ b/slixmpp/features/feature_mechanisms/mechanisms.py @@ -37,7 +37,8 @@ class FeatureMechanisms(BasePlugin): 'unencrypted_digest': False, 'unencrypted_cram': False, 'unencrypted_scram': True, - 'order': 100 + 'order': 100, + 'tls_version': None, } def plugin_init(self): @@ -178,6 +179,9 @@ class FeatureMechanisms(BasePlugin): log.exception("A credential value did not pass SASLprep.") self.xmpp.disconnect() + if 'tls_version' in self.mech.security: + self.tls_version = self.xmpp.socket.version() + resp = stanza.Auth(self.xmpp) resp['mechanism'] = self.mech.name try: diff --git a/slixmpp/util/sasl/mechanisms.py b/slixmpp/util/sasl/mechanisms.py index d53caec8..00213143 100644 --- a/slixmpp/util/sasl/mechanisms.py +++ b/slixmpp/util/sasl/mechanisms.py 
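Review bot: `self.xmpp.socket.version()` in the `@@ -178,6 +179,9 @@` hunk of `feature_mechanisms/mechanisms.py` is called without checking that the connection is TLS, and `'unencrypted_scram': True` in the defaults above means SCRAM can be picked on a plain connection, where the socket object may have no `version()` method. Reading it defensively, e.g. `self.tls_version = getattr(self.xmpp.socket, 'version', lambda: None)()`, would leave `None` there, which the SCRAM checks already treat as no channel binding. The read also happens after `self.mech` has been created, while `SCRAM.setup()` consults `security_settings['tls_version']`; if `setup()` runs at construction time (not visible here), it only ever sees the default `None` and `-PLUS` binding is never enabled. The enclosing method begins and ends outside the hunk.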
@@ -181,13 +181,14 @@ class SCRAM(Mech): channel_binding = True required_credentials = {'username', 'password'} optional_credentials = {'authzid', 'channel_binding'} - security = {'encrypted', 'unencrypted_scram'} + security = {'tls_version', 'encrypted', 'unencrypted_scram'} def setup(self, name): self.use_channel_binding = False if name[-5:] == '-PLUS': name = name[:-5] - self.use_channel_binding = True + if self.security_settings['tls_version'] == 'TLSv1.2': + self.use_channel_binding = True self.hash_name = name[6:] self.hash = hash(self.hash_name) @@ -244,7 +245,8 @@ class SCRAM(Mech): self.cnonce = bytes(('%s' % random.random())[2:]) gs2_cbind_flag = b'n' - if self.credentials['channel_binding']: + if self.credentials['channel_binding'] and \ + self.security_settings['tls_version'] == 'TLSv1.2': if self.use_channel_binding: gs2_cbind_flag = b'p=tls-unique' else:
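Review bot: In `SCRAM.setup` (`@@ -181,13 +181,14 @@`), a `-PLUS` name on any TLS version other than 1.2 now leaves `use_channel_binding` False with no error or log, so a mechanism that was negotiated as channel-bound proceeds unbound. `process` then emits the `n` flag for it (second hunk), which a server that advertised the `-PLUS` variant will probably reject, so it looks cleaner to keep `-PLUS` variants out of selection on those connections than to neutralise them here; selection happens outside this diff. Separately, `self.security_settings['tls_version']` here and in the `@@ -244,7 +245,8 @@` hunk raises `KeyError` if a caller-supplied security callback does not return that key; `self.security_settings.get('tls_version') == 'TLSv1.2'` avoids that.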
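Review bot: The new `tls_version == 'TLSv1.2'` test in the `@@ -244,7 +245,8 @@` hunk is a version check only, and `tls-unique` on TLS 1.2 is still exposed to the triple-handshake weakness unless the extended master secret extension (RFC 7627) was negotiated, which the version string does not show. A comment above the condition would record that limit, e.g. `# tls-unique is undefined for TLS 1.3; on 1.2 it is only sound with extended master secret (RFC 7627), which is not checked here`. The context line `self.cnonce = bytes(('%s' % random.random())[2:])` also draws the client nonce from the non-cryptographic `random` module; `secrets.token_hex(16)` would be the usual source, assuming `secrets` can be imported at the top of the file, which is outside this hunk. The `else:` branch and the rest of `process` continue past the end of the hunk.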