This MR should enable the latest recommended hashing algorithms for the SASL SCRAM authentication methods (SHA-(512|384|256|1)(-PLUS)?) with experimental TLS Channel Binding support.
The default SCRAM method is uplifted to SCRAM-SHA-256.
Algorithms are ordered from highest (512) to lowest (1), each having its -PLUS version above it.
TLS Channel Binding (-PLUS) currently only supports the tls-server-end-point binding type due to the lack of a binding retrieval implementation in GIO-TLS [1]. As per RFC 5802 Section 6.1 [2], an implementation MUST support tls-unique, which is to be the default method. Due to the above-mentioned limitation, -PLUS mechanisms will by default be negotiated without any binding (binding disabled). The binding type tls-server-end-point may be selected by setting the environment variable WOCKY_CHANNEL_BINDING_TYPE to that value. Once binding negotiation (see e.g. [3], [4]) is approved by the XMPP Council, it might then be dynamically selected based on advertised binding support.
To summarise TODOs:
Implement the TLS_UNIQUE binding type once [1] is resolved.
Implement dynamic binding type selection once [3], [4] or similar is approved.
Closes #2
[1] - https://gitlab.gnome.org/GNOME/glib-networking/-/issues/31
[2] - https://tools.ietf.org/html/rfc5802#section-6.1
[3] - https://xmpp.org/extensions/inbox/cb-pseudomechanisms.html
[4] - https://xmpp.org/extensions/inbox/xep-sasl-cb-types.html
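As an added illustration of what this MR describes (not Wocky's code, which is C on top of GLib), the following standard-library Python walks through one SCRAM-SHA-256 exchange per RFC 5802/7677: the strongest-first mechanism preference with -PLUS above each plain variant, the gs2 header and cbind-input when the tls-server-end-point binding type (RFC 5929 section 4.1) is in use, and the server-side checks that reject a wrong password or a channel-binding mismatch. The user name, nonces, salt and the "server certificate" bytes are constructed sample values; `pick_mechanism`, `run_exchange` and the other helper names are this example's own, not Wocky API.

```python
"""
Worked SCRAM-SHA-256 / SCRAM-SHA-256-PLUS exchange (RFC 5802, RFC 7677) with the
tls-server-end-point channel binding type (RFC 5929 section 4.1).
Standard library only. Names, nonces, salt and the "server certificate" are
constructed sample values; nothing here is Wocky's own code.
"""
import base64
import hashlib
import hmac

HASH = "sha256"

# Client preference as the MR describes it: strongest hash first, -PLUS above plain.
SCRAM_PREFERENCE = [m for bits in ("512", "384", "256", "1")
                    for m in (f"SCRAM-SHA-{bits}-PLUS", f"SCRAM-SHA-{bits}")]


def pick_mechanism(server_offered, binding_available):
    """First mechanism in our preference order that the server offers; -PLUS
    variants are only chosen when a channel binding type is actually available."""
    for mech in SCRAM_PREFERENCE:
        if mech in server_offered and (binding_available or not mech.endswith("-PLUS")):
            return mech
    return None


def tls_server_end_point_cb(cert_der, cert_sig_hash="sha256"):
    """RFC 5929 4.1: hash of the server's end-entity certificate, using the hash
    of the certificate's signature algorithm; MD5 and SHA-1 are replaced by SHA-256."""
    if cert_sig_hash.lower() in ("md5", "sha1", "sha-1"):
        cert_sig_hash = "sha256"
    return hashlib.new(cert_sig_hash, cert_der).digest()


def b64e(b): return base64.b64encode(b).decode("ascii")
def b64d(s): return base64.b64decode(s)
def attrs(msg): return dict(kv.split("=", 1) for kv in msg.split(","))
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))


def scram_keys(password, salt, iterations):
    """SaltedPassword -> (ClientKey, StoredKey, ServerKey). SASLprep of the
    password is omitted here; a real client must normalise it first."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def run_exchange(password, server_password, cb_type=None, client_cb=b"", server_cb=b""):
    """Drive one full exchange. Returns (server_accepted, client_verified_server).
    cb_type None => gs2 flag 'n' (no binding); 'tls-server-end-point' => 'p=...'
    and the certificate hash each side saw on its TLS session joins cbind-input."""
    user, c_nonce, s_nonce = "alice", "clientnonce0001", "servernonce0002"  # constructed
    salt, iterations = b"constructed-salt", 4096                             # constructed
    header = f"p={cb_type},," if cb_type else "n,,"

    # 1. client-first = gs2-header + client-first-message-bare
    client_first_bare = f"n={user},r={c_nonce}"
    # 2. server-first: combined nonce, salt, iteration count
    server_first = f"r={c_nonce}{s_nonce},s={b64e(salt)},i={iterations}"

    # 3. client-final: c= carries base64(gs2-header || cbind-data)
    sf = attrs(server_first)
    cbind_input = header.encode("ascii") + (client_cb if cb_type else b"")
    without_proof = f"c={b64e(cbind_input)},r={sf['r']}"
    auth_message = ",".join((client_first_bare, server_first, without_proof))
    client_key, stored_key, _ = scram_keys(password, b64d(sf["s"]), int(sf["i"]))
    client_sig = hmac.new(stored_key, auth_message.encode(), HASH).digest()
    client_final = f"{without_proof},p={b64e(xor(client_key, client_sig))}"

    # 4. server side: a real server stores only StoredKey/ServerKey, never the password
    _, srv_stored, srv_server_key = scram_keys(server_password, salt, iterations)
    cf_without_proof, proof_b64 = client_final.rsplit(",p=", 1)
    expected_cbind = header.encode("ascii") + (server_cb if cb_type else b"")
    if not hmac.compare_digest(b64d(attrs(cf_without_proof)["c"]), expected_cbind):
        return False, False  # binding data differs: client and server are not on the same TLS session
    srv_auth = ",".join((client_first_bare, server_first, cf_without_proof))
    srv_client_sig = hmac.new(srv_stored, srv_auth.encode(), HASH).digest()
    recovered_client_key = xor(b64d(proof_b64), srv_client_sig)
    if not hmac.compare_digest(hashlib.new(HASH, recovered_client_key).digest(), srv_stored):
        return False, False  # proof does not match StoredKey: wrong password

    # 5. server-final: v= proves to the client that the server holds ServerKey
    server_final = "v=" + b64e(hmac.new(srv_server_key, srv_auth.encode(), HASH).digest())
    _, _, cli_server_key = scram_keys(password, b64d(sf["s"]), int(sf["i"]))
    expected_v = hmac.new(cli_server_key, auth_message.encode(), HASH).digest()
    return True, hmac.compare_digest(b64d(attrs(server_final)["v"]), expected_v)


if __name__ == "__main__":
    cb = tls_server_end_point_cb(b"constructed-cert-der")
    print(pick_mechanism(["SCRAM-SHA-1", "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS"], True))
    print(run_exchange("pw", "pw"))
    print(run_exchange("pw", "pw", "tls-server-end-point", cb, cb))
    print(run_exchange("pw", "pw", "tls-server-end-point", cb, tls_server_end_point_cb(b"other")))
```

The mismatch case is the reason the MR cares about which binding type is available: with binding disabled, the `c=` attribute only carries the gs2 header, so authentication succeeds even when the client's TLS session terminates somewhere other than the server that checks the proof; with tls-server-end-point, the proof is computed over the certificate the client actually saw, and the server's comparison fails if that is not its own.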