ALE-Rainbow / Sharp.Ws.Xmpp

Sharp.Ws.Xmpp has beend forked from pgstath/Sharp.Xmpp and it has been enhanced to support Web Socket.
Other
2 stars 2 forks source link

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-224(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-384(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports #9

Open Neustradamus opened 4 years ago

Neustradamus commented 4 years ago

Can you add supports of :

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

SCRAM-SHA-1(-PLUS):

SCRAM-SHA-256(-PLUS):

SCRAM-SHA-512(-PLUS):

SCRAM-SHA3-512(-PLUS):

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

-PLUS variants:

IMAP:

LDAP:

HTTP:

JMAP:

2FA:

IANA:

Linked to:

filipnavara commented 3 years ago

Just a sidenote: SHA-224 and SHA3 are not implemented in .NET so it's unlikely the support for them would be easy to add. The other ones are pretty simple for the basic username/password login situation. We are currently using a different XMPP implementation in our project but we are looking into the possibility to switch to this library. SCRAM-SHA-1 is the only one that we saw in a more widespread use.

ChristopheI commented 3 years ago

Hi, I'm working and maintaining this library since I'm using it in business projects. I have not so much time to develop extra features and more specifically when it's necessary to configure server settings ... But ,iIf you have the opportunity to provide me an account so I can use a server with this kind of authentications it will help a lot ! And with a priority list of authentication mechanism too (I notice SCRAM-SHA-1 as first one) Thx.

PS: Which library are you using ?

filipnavara commented 3 years ago

Which library are you using?

We used a fork of Jabber-Net which was an old library ported over from Java. Since we forked it about 10 years ago it doesn't resemble much of the original code, or the last maintained fork at https://github.com/ForNeVeR/jabber-net. Specifically, for authentication we use our own SASL library that implements variety of the authentication mechanism and we share this library for IMAP, SMTP and other protocols. Structurally it's very similar to the SASL methods in this library. I am pondering whether there would be any point in open sourcing it.

For reference, here's a current source of our authentication classes (free to use under MIT license but not maintained): MailClient.Authentication.zip

If the original issue author doesn't come up with some test servers I can ask Alexey (the author of the RFCs) to see if he / Isode would be able to provide some.

Neustradamus commented 3 years ago

Hello all,

Thanks for your comment :)

XMPP servers, XMPP clients, XMPP librairies are listed with SCRAM possibilities here:

MailKit (https://github.com/jstedfast/MailKit) supports:

SHA3, linked to:

ChristopheI commented 3 years ago

Thank you for your inputs. I will take a deeper look at the end of the week.

Neustradamus commented 3 years ago

@filipnavara, @ChristopheI: I have added some linked repositories but not all: please look forks/commits:

3 supports SCRAM-SHA-1 (but not others):

Neustradamus commented 5 months ago

@filipnavara, @ChristopheI: Have you progressed on it?