fix tls 1.3 wip

WIP: SCRAM: Restrict tls-unique to TLSv1.2
Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>
2024-02-01 16:29:31 +01:00 · 2024-01-26 22:59:59 +01:00
2 changed files with 32 additions and 9 deletions
--- a/slixmpp/features/feature_mechanisms/mechanisms.py
+++ b/slixmpp/features/feature_mechanisms/mechanisms.py
@ -37,7 +37,8 @@ class FeatureMechanisms(BasePlugin):
        'unencrypted_digest': False,
        'unencrypted_cram': False,
        'unencrypted_scram': True,
-        'order': 100
+        'order': 100,
        'tls_version': None,
    }
    def plugin_init(self):
@ -96,7 +97,20 @@ class FeatureMechanisms(BasePlugin):
                result[value] = creds.get('email', jid)
            elif value == 'channel_binding':
                if isinstance(self.xmpp.socket, (ssl.SSLSocket, ssl.SSLObject)):
-                    result[value] = self.xmpp.socket.get_channel_binding()
+                    version = self.xmpp.socket.version()
                    # As of now, python does not implement anything else
                    # than tls-unique, which is forbidden on TLSv1.3
                    # see https://github.com/python/cpython/issues/95341
                    if version != 'TLSv1.3':
                        result[value] = self.xmpp.socket.get_channel_binding(
                            cb_type="tls-unique"
                        )
                    elif 'tls-exporter' in ssl.CHANNEL_BINDING_TYPES:
                        result[value] = self.xmpp.socket.get_channel_binding(
                            cb_type="tls-exporter"
                        )
                    else:
                        result[value] = None
                else:
                    result[value] = None
            elif value == 'host':
@ -121,6 +135,11 @@ class FeatureMechanisms(BasePlugin):
                    result[value] = True
                else:
                    result[value] = False
            elif value == 'tls_version':
                if isinstance(self.xmpp.socket, (ssl.SSLSocket, ssl.SSLObject)):
                    result[value] = self.xmpp.socket.version()
            elif value == 'binding_proposed':
                result[value] = any(x for x in self.mech_list if x.endswith('-PLUS'))
            else:
                result[value] = self.config.get(value, False)
        return result
--- a/slixmpp/util/sasl/mechanisms.py
+++ b/slixmpp/util/sasl/mechanisms.py
@ -181,7 +181,7 @@ class SCRAM(Mech):
    channel_binding = True
    required_credentials = {'username', 'password'}
    optional_credentials = {'authzid', 'channel_binding'}
-    security = {'encrypted', 'unencrypted_scram'}
+    security = {'tls_version', 'encrypted', 'unencrypted_scram', 'binding_proposed'}
    def setup(self, name):
        self.use_channel_binding = False
@ -244,9 +244,13 @@ class SCRAM(Mech):
        self.cnonce = bytes(('%s' % random.random())[2:])
        gs2_cbind_flag = b'n'
-        if self.credentials['channel_binding']:
+        if self.security_settings['binding_proposed']:
-            if self.use_channel_binding:
+            if self.credentials['channel_binding'] and \
                    self.use_channel_binding:
                if self.security_settings['tls_version'] != 'TLSv1.3':
                    gs2_cbind_flag = b'p=tls-unique'
                else:
                    gs2_cbind_flag = b'p=tls-exporter'
        else:
            gs2_cbind_flag = b'y'
@ -280,7 +284,7 @@ class SCRAM(Mech):
            raise SASLCancelled('Invalid nonce')
        cbind_data = b''
-        if self.use_channel_binding:
+        if self.use_channel_binding and self.credentials['channel_binding']:
            cbind_data = self.credentials['channel_binding']
        cbind_input = self.gs2_header + cbind_data
        channel_binding = b'c=' + b64encode(cbind_input).replace(b'\n', b'')
Author	SHA1	Message	Date
mathieui	51cbe87501	fix tls 1.3 wip	2024-02-01 16:29:31 +01:00
Maxime “pep” Buquet	ef02b3a596	WIP: SCRAM: Restrict tls-unique to TLSv1.2 Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>	2024-01-26 22:59:59 +01:00