changeset c79cbe36a94e in /home/hg/repos/python-nbxmpp
details:http://hg.gajim.org/python-nbxmpp?cmd=changeset;node=c79cbe36a94e
description: Detect downgrade attacks from SCRAM-SHA-1-PLUS to SCRAM-SHA-1.
Fixes #16
diffstat:
nbxmpp/auth_nb.py | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diffs (17 lines):
diff -r 1f3eb954483c -r c79cbe36a94e nbxmpp/auth_nb.py
--- a/nbxmpp/auth_nb.py Wed Feb 26 10:18:08 2014 +0100
+++ b/nbxmpp/auth_nb.py Wed Feb 26 11:22:41 2014 +0100
@@ -456,7 +456,12 @@
self.client_nonce = '%x' % rndg.getrandbits(196)
self.scram_soup = 'n=' + self.username + ',r=' + self.client_nonce
if self.mechanism == 'SCRAM-SHA-1':
- self.scram_gs2 = 'n,,' # No CB.
+ if self.channel_binding == None:
+ # Client doesn't support Channel Binding
+ self.scram_gs2 = 'n,,'
+ else:
+ # Client supports CB, but server doesn't support CB
+ self.scram_gs2 = 'y,,'
else:
self.scram_gs2 = 'p=tls-unique,,'
sasl_data = (self.scram_gs2 + self.scram_soup).encode('base64').\
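Review bot: The `y,,` flag set in the new `else` branch only lets the server detect a downgrade if the same GS2 header is later sent, base64-encoded, in the `c=` attribute of the client-final message. That code is outside this hunk, so confirm it is derived from `self.scram_gs2` and not from a fixed `biws` (the encoding of `n,,`). RFC 5802 reserves `y` for a client that supports channel binding but believes the server did not offer a -PLUS mechanism, so the inner comment would be more precise as `# Client supports CB, but the server did not advertise SCRAM-SHA-1-PLUS`, since the mechanism selection it relies on is not visible here. As a style point, the test reads better as `if self.channel_binding is None:` than with `== None`. The enclosing method starts and ends outside the hunk.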