Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports #106

Open
Neustradamus opened this issue Sep 5, 2019 · 2 comments
Open

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports #106

Neustradamus opened this issue Sep 5, 2019 · 2 comments

Comments

@Neustradamus
Copy link

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

SCRAM-SHA-1(-PLUS):

SCRAM-SHA-256(-PLUS):

I add SCRAM-SHA-512(-PLUS): https://xmpp.org/extensions/inbox/hash-recommendations.html

Linked to:
@genofire
Copy link
Contributor

genofire commented Sep 6, 2019
edited
Loading

@mremond could we use https://godoc.org/mellium.im/sasl
or should we implemented it on the own like https://github.com/ortuman/jackal/blob/master/auth/scram.go

i like the state machine of https://godoc.org/mellium.im/sasl with his more, resp, err as return value

@SamWhited
Copy link
Contributor

SamWhited commented Sep 6, 2019
edited
Loading

i like the state machine of https://godoc.org/mellium.im/sasl with his more,
resp, err as return value

Thanks; just FYI there is at least one major API overhaul that may be done at
some point to mellium.im/sasl to make credentials more flexible. Take into
consideration that I don't yet provide any API stability guarantees when using
it, and it may require a bit of work to upgrade later (that being said, that's
probably better than an unknown from some of the other projects, so maybe see
if you can convince them to tell people if the API is stable or not before
deciding what to move forward with).

If you do end up using it, I'd love to get your feedback on everything and how
it works for you.

I add SCRAM-SHA-512(-PLUS): https://xmpp.org/extensions/inbox/hash-recommendations.html

Note that SCRAM-SHA-512 is not an actual SCRAM mechanism defined by the IETF. Making one up will at best lead to interop problems, and at worst could cause security issues (this isn't likely if you're just changing the hash in the HMAC, but still, don't make up security mechanisms just to have a bigger number in a hash somewhere).

@alexanderadam alexanderadam mentioned this issue Sep 25, 2019
Open
@alexanderadam alexanderadam mentioned this issue Feb 6, 2020
Open
@alexanderadam alexanderadam mentioned this issue Apr 2, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Neustradamus @SamWhited @genofire