WIP: SCRAM: Restrict tls-unique to TLSv1.2

Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>

slixmpp/features/feature_mechanisms/mechanisms.py

@@ -37,7 +37,8 @@ class FeatureMechanisms(BasePlugin):
         'unencrypted_digest': False,
         'unencrypted_cram': False,
         'unencrypted_scram': True,
-        'order': 100
+        'order': 100,
+        'tls_version': None,
     }
 
     def plugin_init(self):
@@ -178,6 +179,9 @@ class FeatureMechanisms(BasePlugin):
             log.exception("A credential value did not pass SASLprep.")
             self.xmpp.disconnect()
 
+        if 'tls_version' in self.mech.security:
+            self.tls_version = self.xmpp.socket.version()
+
         resp = stanza.Auth(self.xmpp)
         resp['mechanism'] = self.mech.name
         try:

slixmpp/util/sasl/mechanisms.py

@@ -181,12 +181,13 @@ class SCRAM(Mech):
     channel_binding = True
     required_credentials = {'username', 'password'}
     optional_credentials = {'authzid', 'channel_binding'}
-    security = {'encrypted', 'unencrypted_scram'}
+    security = {'tls_version', 'encrypted', 'unencrypted_scram'}
 
     def setup(self, name):
         self.use_channel_binding = False
         if name[-5:] == '-PLUS':
             name = name[:-5]
+            if self.security_settings['tls_version'] == 'TLSv1.2':
                 self.use_channel_binding = True
 
         self.hash_name = name[6:]
@@ -244,7 +245,8 @@ class SCRAM(Mech):
         self.cnonce = bytes(('%s' % random.random())[2:])
 
         gs2_cbind_flag = b'n'
-        if self.credentials['channel_binding']:
+        if self.credentials['channel_binding'] and \
+           self.security_settings['tls_version'] == 'TLSv1.2':
             if self.use_channel_binding:
                 gs2_cbind_flag = b'p=tls-unique'
             else: