author | Ruslan N. Marchenko <me@ruff.mobi> | 2020-05-30 09:46:46 +0200 |
---|---|---|
committer | Ruslan N. Marchenko <me@ruff.mobi> | 2020-09-25 19:29:50 +0200 |
commit | a02438ad6aec28c3d9fe16eac5fad83fdd3fb585 (patch) | |
tree | 31762469a6688810a2fec075cc5ef62078c92dae | |
parent | 0f46ce192f9d3809282813286c04fdff48b1619d (diff) |
Enable all SHA1 and SHA2 SCRAM algorithms, move to SHA256 default
* Enable all SHA1 and SHA2 Hashing algorithms in SCRAM mechanism
ordered from highest to lowest, with PLUS version above.
* Shift default SCRAM algorithm from SHA1 to SHA256.
* Update tests to expect the now-preferred/default SHA256 method
-rw-r--r-- | tests/wocky-connector-test.c | 77 | ||||
-rw-r--r-- | tests/wocky-sasl-utils-test.c | 3 | ||||
-rw-r--r-- | tests/wocky-scram-sha1-test.c | 2 | ||||
-rw-r--r-- | wocky/wocky-auth-registry.c | 74 | ||||
-rw-r--r-- | wocky/wocky-auth-registry.h | 8 | ||||
-rw-r--r-- | wocky/wocky-sasl-scram.c | 7 | ||||
-rw-r--r-- | wocky/wocky-sasl-scram.h | 3 |
7 files changed, 106 insertions, 68 deletions
diff --git a/tests/wocky-connector-test.c b/tests/wocky-connector-test.c
index e08710e..08d0267 100644
--- a/tests/wocky-connector-test.c
+++ b/tests/wocky-connector-test.c
@@ -63,6 +63,17 @@
 #define PLAIN FALSE
 #define DIGEST TRUE
 
+#ifdef HAVE_LIBSASL2
+#include <sasl/sasl.h>
+#if SASL_VERSION_FULL >= 0x0002011B
+#define DEFAULT_SASL_MECH "SCRAM-SHA-256"
+#endif /* SASL_VERSION_FULL */
+#endif /* HAVE_LIBSASL2 */
+
+#ifndef DEFAULT_SASL_MECH
+#define DEFAULT_SASL_MECH "SCRAM-SHA-1"
+#endif
+
 #define PORT_XMPP 5222
 #define PORT_NONE 0
 
@@ -584,7 +595,7 @@ test_t tests[] =
 
 { "/connector/auth/secure/no-tlsplain/notls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { NOTLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -608,7 +619,7 @@ test_t tests[] =
 
 { "/connector/auth/insecure/no-tlsplain/notls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { NOTLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -770,7 +781,7 @@ test_t tests[] =
 * these should all be digest auth successes */
 { "/connector/auth/secure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -782,7 +793,7 @@ test_t tests[] =
 
 { "/connector/auth/secure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -794,7 +805,7 @@ test_t tests[] =
 
 { "/connector/auth/insecure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
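Review bot: The libsasl2 version gate `#if SASL_VERSION_FULL >= 0x0002011B` gives no hint what the constant means, so a reader has to decode it by hand (it encodes release 2.1.27). A comment above the `#if`, such as `/* 2.1.27: presumably the first Cyrus SASL release whose SCRAM plugin offers SHA-256 */`, would record why the expected mechanism flips at that version. The `#ifndef DEFAULT_SASL_MECH` fallback is also the value used when `HAVE_LIBSASL2` is unset, which works only because the hunk at -3771 then skips every test expecting it; that coupling is worth a sentence next to the define.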
@@ -806,7 +817,7 @@ test_t tests[] =
 
 { "/connector/auth/insecure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -818,7 +829,7 @@ test_t tests[] =
 
 { "/connector/tls+auth/secure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -830,7 +841,7 @@ test_t tests[] =
 
 { "/connector/tls+auth/secure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -842,7 +853,7 @@ test_t tests[] =
 
 { "/connector/tls+auth/insecure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -854,7 +865,7 @@ test_t tests[] =
 
 { "/connector/tls+auth/insecure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -985,7 +996,7 @@ test_t tests[] =
 /* we actually tolerate > 1.0 versions */
 { "/connector/problem/xmpp/version/1.x",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL, "1.1" },
 { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
 { "moose", "something" },
@@ -1162,7 +1173,7 @@ test_t tests[] =
 
 { "/connector/problem/xmpp/bind/no-jid",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { OK, BIND_PROBLEM_NO_JID, OK, OK, OK } },
@@ -1175,7 +1186,7 @@ test_t tests[] =
 
 { "/connector/problem/xmpp/session/none",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { XMPP_PROBLEM_NO_SESSION, OK, OK, OK, OK } },
@@ -1323,7 +1334,7 @@ test_t tests[] =
 /* quirks */
 { "/connector/google/domain-discovery/require",
 QUIET,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_REQUIRE_GOOGLE_JDD, CONNECTOR_OK },
 { "moose", "something" },
@@ -1422,7 +1433,7 @@ test_t tests[] =
 
 { "/connector/xep77/register/email-arg-ok",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { OK, OK, OK, OK, OK, XEP77_PROBLEM_EMAIL_ARG } },
@@ -1499,7 +1510,7 @@ test_t tests[] =
 
 { "/connector/xep77/register/already/get",
 NOISY,
- { S_NO_ERROR, 0 , 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0 , 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { OK, OK, OK, OK, OK, XEP77_PROBLEM_QUERY_ALREADY } },
@@ -1513,7 +1524,7 @@ test_t tests[] =
 
 { "/connector/xep77/register/already/set",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { OK, OK, OK, OK, OK, XEP77_PROBLEM_ALREADY } },
@@ -1772,7 +1783,7 @@ test_t tests[] =
 
 { "/connector/jabber/no-ssl/auth/old+sasl",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { XMPP_PROBLEM_OLD_AUTH_FEATURE, OK, OK, OK, OK } },
@@ -1964,7 +1975,7 @@ test_t tests[] =
 
 { "/connector/jabber/ssl/auth/old+sasl",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { XMPP_PROBLEM_OLD_AUTH_FEATURE|XMPP_PROBLEM_OLD_SSL,
@@ -2006,7 +2017,7 @@ test_t tests[] =
 
 { "/connector+ssl/auth/secure/no-tlsplain/notls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { NOTLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2030,7 +2041,7 @@ test_t tests[] =
 
 { "/connector+ssl/auth/insecure/no-tlsplain/notls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { NOTLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2150,7 +2161,7 @@ test_t tests[] =
 * these should all be digest auth successes */
 { "/connector+ssl/auth/secure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2162,7 +2173,7 @@ test_t tests[] =
 
 { "/connector+ssl/auth/secure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2174,7 +2185,7 @@ test_t tests[] =
 
 { "/connector+ssl/auth/insecure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2186,7 +2197,7 @@ test_t tests[] =
 
 { "/connector+ssl/auth/insecure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2198,7 +2209,7 @@ test_t tests[] =
 
 { "/connector+ssl/tls+auth/secure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2210,7 +2221,7 @@ test_t tests[] =
 
 { "/connector+ssl/tls+auth/secure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2222,7 +2233,7 @@ test_t tests[] =
 
 { "/connector+ssl/tls+auth/insecure/no-tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2234,7 +2245,7 @@ test_t tests[] =
 
 { "/connector+ssl/tls+auth/insecure/tlsplain/tls/digest",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2325,7 +2336,7 @@ test_t tests[] =
 /* we actually tolerate > 1.0 versions */
 { "/connector+ssl/problem/xmpp/version/1.x",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL, "1.1" },
 { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
 { "moose", "something" },
@@ -2487,7 +2498,7 @@ test_t tests[] =
 
 { "/connector+ssl/problem/xmpp/bind/no-jid",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { XMPP_PROBLEM_OLD_SSL, BIND_PROBLEM_NO_JID, OK, OK, OK } },
@@ -2500,7 +2511,7 @@ test_t tests[] =
 
 { "/connector+ssl/problem/xmpp/session/none",
 NOISY,
- { S_NO_ERROR, 0, 0, "SCRAM-SHA-1" },
+ { S_NO_ERROR, 0, 0, DEFAULT_SASL_MECH },
 { { TLS, NULL },
 { SERVER_PROBLEM_NO_PROBLEM,
 { XMPP_PROBLEM_NO_SESSION|XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
@@ -3771,7 +3782,7 @@ main (int argc,
 g_message ("libsasl2 not found: skipping SCRAM SASL tests");
 for (i = 0; tests[i].desc != NULL; i++)
 {
- if (!wocky_strdiff (tests[i].result.mech, "SCRAM-SHA-1"))
+ if (!wocky_strdiff (tests[i].result.mech, DEFAULT_SASL_MECH))
 continue;
 g_test_add_data_func (tests[i].desc, &tests[i], (test_func)run_test);
 }
diff --git a/tests/wocky-sasl-utils-test.c b/tests/wocky-sasl-utils-test.c
index e384811..48ac3b1 100644
--- a/tests/wocky-sasl-utils-test.c
+++ b/tests/wocky-sasl-utils-test.c
@@ -135,7 +135,8 @@ digest_test hmac_sha1_tests[] = {
 static void
 test_sasl_utils_hmac_sha1 (digest_test *t)
 {
- GByteArray *result = sasl_calculate_hmac_sha1 (t->key, t->key_len,
+ GByteArray *result = sasl_calculate_hmac (G_CHECKSUM_SHA1,
+ t->key, t->key_len,
 t->data, t->data_len);
 int i;
 
diff --git a/tests/wocky-scram-sha1-test.c b/tests/wocky-scram-sha1-test.c
index 54081cd..128fddf 100644
--- a/tests/wocky-scram-sha1-test.c
+++ b/tests/wocky-scram-sha1-test.c
@@ -49,6 +49,8 @@ test_scram_sha1 (testcase *test)
 scram = WOCKY_AUTH_HANDLER (wocky_sasl_scram_new (
 test->server, test->user, test->password));
 
+ g_object_set (scram, "hash-algo", G_CHECKSUM_SHA1, NULL);
+
 g_assert (wocky_auth_handler_get_initial_response (scram, &out, &error));
diff --git a/wocky/wocky-auth-registry.c b/wocky/wocky-auth-registry.c
index 7bba2ea..721dd64 100644
--- a/wocky/wocky-auth-registry.c
+++ b/wocky/wocky-auth-registry.c
@@ -269,6 +269,25 @@ wocky_auth_registry_select_handler (WockyAuthRegistry *self,
 {
 WockyAuthRegistryPrivate *priv = self->priv;
 GSList *k;
+ /* Define order of SCRAM hashing algorithm preferences according to ... *
+ * ... various recommendations */
+ struct {
+ gchar *mech;
+ gboolean is_plus;
+ GChecksumType algo;
+ } scram_handlers[] = {
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512_PLUS, TRUE, G_CHECKSUM_SHA512 },
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512, FALSE, G_CHECKSUM_SHA512 },
+#ifdef WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384_PLUS, TRUE, G_CHECKSUM_SHA384 },
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384, FALSE, G_CHECKSUM_SHA384 },
+#endif
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_256_PLUS, TRUE, G_CHECKSUM_SHA256 },
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_256, FALSE, G_CHECKSUM_SHA256 },
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1_PLUS, TRUE, G_CHECKSUM_SHA1 },
+ { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1, FALSE, G_CHECKSUM_SHA1 },
+ { NULL, FALSE, G_CHECKSUM_SHA1 }
+ };
 
 for (k = priv->handlers; k != NULL; k = k->next)
 {
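Review bot: The `mech` member of `scram_handlers` is declared `gchar *` although every entry points at a string literal, so it should read `const gchar *mech;`, and the table itself can be `static const` because nothing in it varies per call. The comment `/* Define order of SCRAM hashing algorithm preferences according to ... * ... various recommendations */` names no rule; state the one the table actually encodes, e.g. `/* Strongest hash first; the -PLUS (channel-binding) variant of each hash precedes its plain form */`. If the iface's `mechanism` field turns out to be a non-const `gchar *`, the assignment in the next hunk will need the field widened to const rather than a cast here. The enclosing function continues past the end of this hunk.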
@@ -287,40 +306,35 @@ wocky_auth_registry_select_handler (WockyAuthRegistry *self,
 }
 }
 
- /* FIXME: should we skip PLUS if cb is disabled? Works with Prosody */
- if (wocky_auth_registry_has_mechanism (mechanisms,
- WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1_PLUS))
- {
- if (out_handler != NULL)
- {
- /* XXX: check for username and password here? */
- DEBUG ("Choosing SCRAM-SHA-1-PLUS as auth mechanism");
- *out_handler = WOCKY_AUTH_HANDLER (wocky_sasl_scram_new (
- server, username, password));
- WOCKY_AUTH_HANDLER_GET_IFACE (*out_handler)->mechanism =
- WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1_PLUS;
- g_object_set (G_OBJECT (*out_handler),
- "cb-type", priv->cb_type,
- "cb-data", priv->cb_data,
- NULL);
- }
- return TRUE;
- }
+ /* All the below mechanisms require password so if we have none
+ * let's just stop here */
+ g_return_val_if_fail (out_handler == NULL || password != NULL, FALSE);
 
- if (wocky_auth_registry_has_mechanism (mechanisms,
- WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1))
+ for (int i = 0; scram_handlers[i].mech != NULL ; i++)
 {
- if (out_handler != NULL)
+ if (wocky_auth_registry_has_mechanism (mechanisms,
+ scram_handlers[i].mech))
 {
- /* XXX: check for username and password here? */
- DEBUG ("Choosing SCRAM-SHA-1 as auth mechanism");
- *out_handler = WOCKY_AUTH_HANDLER (wocky_sasl_scram_new (
- server, username, password));
- g_object_set (G_OBJECT (*out_handler),
- "cb-type", MIN (priv->cb_type, WOCKY_TLS_BINDING_NONE),
- NULL);
+ if (out_handler != NULL && username != NULL)
+ {
+ /* For PLUS it's whatever we found/support, otherwise NONE or *
+ * DISABLED. NONE is when we support some but server doesn't. */
+ WockyTLSBindingType cb_type = (scram_handlers[i].is_plus ?
+ priv->cb_type
+ : MIN (priv->cb_type, WOCKY_TLS_BINDING_NONE));
+ DEBUG ("Choosing %s as auth mechanism", scram_handlers[i].mech);
+ *out_handler = WOCKY_AUTH_HANDLER (wocky_sasl_scram_new (
+ server, username, password));
+ WOCKY_AUTH_HANDLER_GET_IFACE (*out_handler)->mechanism =
+ scram_handlers[i].mech;
+ g_object_set (G_OBJECT (*out_handler),
+ "hash-algo", scram_handlers[i].algo,
+ "cb-type", cb_type,
+ "cb-data", priv->cb_data,
+ NULL);
+ }
+ return TRUE;
 }
- return TRUE;
 }
 
 if (wocky_auth_registry_has_mechanism (mechanisms,
diff --git a/wocky/wocky-auth-registry.h b/wocky/wocky-auth-registry.h
index 84fbb51..61cb171 100644
--- a/wocky/wocky-auth-registry.h
+++ b/wocky/wocky-auth-registry.h
@@ -60,6 +60,14 @@ typedef enum
 #define WOCKY_AUTH_MECH_SASL_PLAIN "PLAIN"
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1 "SCRAM-SHA-1"
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1_PLUS "SCRAM-SHA-1-PLUS"
+#define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_256 "SCRAM-SHA-256"
+#define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_256_PLUS "SCRAM-SHA-256-PLUS"
+#define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512 "SCRAM-SHA-512"
+#define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512_PLUS "SCRAM-SHA-512-PLUS"
+#if GLIB_VERSION_CUR_STABLE >= GLIB_VERSION_2_52
+#define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384 "SCRAM-SHA-384"
+#define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384_PLUS "SCRAM-SHA-384-PLUS"
+#endif
 
 /**
 * WockyTLSBindingType
diff --git a/wocky/wocky-sasl-scram.c b/wocky/wocky-sasl-scram.c
index c267347..1db29b1 100644
--- a/wocky/wocky-sasl-scram.c
+++ b/wocky/wocky-sasl-scram.c
@@ -1,6 +1,7 @@
 /*
- * wocky-sasl-scram.c - SCRAM-SHA1 implementation (to be RFC 5802)
+ * wocky-sasl-scram.c - SCRAM-SHA-* implementation (RFC 5802, 7677)
 * Copyright (C) 2010 Sjoerd Simons <sjoerd@luon.net>
+ * Copyright (C) 2020 Ruslan N. Marchenko <me@ruff.mobi>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
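Review bot: The `username != NULL` test inside the loop is asymmetric with the new `g_return_val_if_fail` on `password`: with `out_handler != NULL` and `username == NULL` the function still returns TRUE without assigning `*out_handler`, so the caller is told a handler was chosen but receives none. Fold it into the precondition, `g_return_val_if_fail (out_handler == NULL || (username != NULL && password != NULL), FALSE);`, bearing in mind that `g_return_val_if_fail` logs a critical and so only suits a programming error, not a credential the user simply did not supply. The removed FIXME about selecting `-PLUS` without channel-binding data is not resolved: when `priv->cb_type` is NONE or DISABLED the loop still picks a `-PLUS` mechanism and passes that cb_type through, so a guard such as `if (scram_handlers[i].is_plus && priv->cb_type <= WOCKY_TLS_BINDING_NONE) continue;` would avoid negotiating a channel-binding mechanism the client cannot complete. The enclosing function starts and ends outside the hunk.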
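Review bot: The guard `#if GLIB_VERSION_CUR_STABLE >= GLIB_VERSION_2_52` in wocky-auth-registry.h does not do what it looks like on a GLib older than 2.52: `GLIB_VERSION_2_52` is only defined from that release onward, the preprocessor evaluates an undefined identifier as 0, and so the comparison is true and the SHA-384 macros are defined precisely on the builds where `G_CHECKSUM_SHA384` may be missing. `#if GLIB_CHECK_VERSION (2, 51, 0)` checks the availability of `G_CHECKSUM_SHA384` directly (it was added in 2.51) and is defined on every GLib. If the project's minimum GLib is already at or above 2.52 this is moot, but a comment such as `/* G_CHECKSUM_SHA384 only exists in GLib >= 2.51 */` above the guard would still make its purpose clear.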
@@ -199,7 +200,7 @@ wocky_sasl_scram_class_init (
 g_object_class_install_property (object_class, PROP_HASH_ALGO,
 g_param_spec_int ("hash-algo", "hash algorithm",
 "The type of the Hash Algorithm to use for HMAC from GChecksumType",
- G_CHECKSUM_SHA1, G_CHECKSUM_SHA512, G_CHECKSUM_SHA1,
+ G_CHECKSUM_SHA1, G_CHECKSUM_SHA512, G_CHECKSUM_SHA256,
 G_PARAM_READWRITE | G_PARAM_CONSTRUCT));
 
 g_object_class_install_property (object_class, PROP_CB_TYPE,
@@ -247,7 +248,7 @@ sasl_handler_iface_init (gpointer g_iface)
 {
 WockyAuthHandlerIface *iface = g_iface;
 
- iface->mechanism = "SCRAM-SHA-1";
+ iface->mechanism = WOCKY_AUTH_MECH_SASL_SCRAM_SHA_256;
 iface->plain = FALSE;
 iface->initial_response_func = scram_initial_response;
 iface->auth_data_func = scram_handle_auth_data;
diff --git a/wocky/wocky-sasl-scram.h b/wocky/wocky-sasl-scram.h
index 204053b..65b5ca9 100644
--- a/wocky/wocky-sasl-scram.h
+++ b/wocky/wocky-sasl-scram.h
@@ -1,6 +1,7 @@
 /*
- * wocky-sasl-scram.h - SCRAM-SHA1 implementation (to be RFC 5802)
+ * wocky-sasl-scram.h - SCRAM-SHA1 implementation (RFC 5802, 7677)
 * Copyright (C) 2010 Sjoerd Simons <sjoerd@luon.net>
+ * Copyright (C) 2020 Ruslan N. Marchenko <me@ruff.mobi>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
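Review bot: The `hash-algo` param spec keeps `G_CHECKSUM_SHA512` as its upper bound, but `G_CHECKSUM_SHA384` was appended to `GChecksumType` after `G_CHECKSUM_SHA512`, so its numeric value lies above the maximum; the registry's SHA-384 table rows would then have their `g_object_set (..., "hash-algo", G_CHECKSUM_SHA384, ...)` rejected with a critical, leaving the SHA-256 default in force while the mechanism announced to the server is SCRAM-SHA-384. Raise the bound to the largest checksum type the build knows, conditionally on the same macro the registry table uses, as in the lines below. The blurb string could also say which default applies, e.g. append `, defaults to SHA-256`, since the default now differs from the lowest allowed value.
```c
          "The type of the Hash Algorithm to use for HMAC from GChecksumType",
#ifdef WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384
          G_CHECKSUM_SHA1, G_CHECKSUM_SHA384, G_CHECKSUM_SHA256,
#else
          G_CHECKSUM_SHA1, G_CHECKSUM_SHA512, G_CHECKSUM_SHA256,
#endif
          G_PARAM_READWRITE | G_PARAM_CONSTRUCT));
```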
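Review bot: The header's title line in wocky-sasl-scram.h still says `SCRAM-SHA1 implementation` while the same commit renames the .c file's title to `SCRAM-SHA-* implementation (RFC 5802, 7677)`. Align them so the header does not understate what the unit now does: ` * wocky-sasl-scram.h - SCRAM-SHA-* implementation (RFC 5802, 7677)`.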