From 822f3f4d22437c60cc64d3e8ee2a7f17343ee00e Mon Sep 17 00:00:00 2001
From: Daniel Gultsch
Date: Sat, 21 Oct 2023 14:21:29 +0200
Subject: [PATCH] consider going from unique or exporter to endpoint a downgrade

---
 .../conversations/crypto/sasl/ChannelBinding.java | 10 ++++++++++
 .../crypto/sasl/ChannelBindingMechanism.java | 9 +++++++++
 .../siacs/conversations/crypto/sasl/ScramSha1Plus.java | 2 +-
 .../conversations/crypto/sasl/ScramSha256Plus.java | 2 +-
 .../conversations/crypto/sasl/ScramSha512Plus.java | 2 +-
 5 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBinding.java b/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBinding.java
index 216f3d7f81f834b02d5e8640e5b1ba57ff6e62cb..2eb5e39fb2999e47a6c97c9691838c195a26c43d 100644
--- a/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBinding.java
+++ b/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBinding.java
@@ -117,4 +117,14 @@ public enum ChannelBinding {
             throw new AssertionError("Missing short name for " + channelBinding);
         }
     }
+
+    public static int priority(final ChannelBinding channelBinding) {
+        if (Arrays.asList(TLS_EXPORTER,TLS_UNIQUE).contains(channelBinding)) {
+            return 2;
+        } else if (channelBinding == ChannelBinding.TLS_SERVER_END_POINT) {
+            return 1;
+        } else {
+            return 0;
+        }
+    }
 }
diff --git a/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBindingMechanism.java b/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBindingMechanism.java
index b94210a60d5ead030bf78db758a6ad34b349111d..7343eb86e82b5a065882d6bc49552b4b20222a67 100644
--- a/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBindingMechanism.java
+++ b/src/main/java/eu/siacs/conversations/crypto/sasl/ChannelBindingMechanism.java
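Review bot: `priority` builds a fresh `Arrays.asList(TLS_EXPORTER,TLS_UNIQUE)` on every call only to test membership of an enum constant; a direct comparison is cheaper and drops the `Arrays` dependency, which this hunk does not show being imported in ChannelBinding.java: `if (channelBinding == TLS_EXPORTER || channelBinding == TLS_UNIQUE) {`. The ranking also deserves a Javadoc stating why it exists, since the numbers are otherwise arbitrary: tls-unique and tls-exporter bind the authentication to the TLS session itself, whereas tls-server-end-point binds only to the server certificate, so a server that later offers only the latter is treated as a downgrade, and no binding at all (including a `null` argument) ranks 0. Callers that add this value to a fixed base priority should also be told that its maximum is 2.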
@@ -97,4 +97,13 @@ public interface ChannelBindingMechanism {
         messageDigest.update(encodedCertificate);
         return messageDigest.digest();
     }
+
+    static int getPriority(final SaslMechanism mechanism) {
+        if (mechanism instanceof ChannelBindingMechanism) {
+            final ChannelBindingMechanism channelBindingMechanism = (ChannelBindingMechanism) mechanism;
+            return ChannelBinding.priority(channelBindingMechanism.getChannelBinding());
+        } else {
+            return 0;
+        }
+    }
 }
diff --git a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha1Plus.java b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha1Plus.java
index 2ca27570f79e8108b447f5fe7deef8ec09e21bc6..4490d7621cc3dad1ecde4128b6874adaba58c316 100644
--- a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha1Plus.java
+++ b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha1Plus.java
@@ -27,7 +27,7 @@ public class ScramSha1Plus extends ScramPlusMechanism {
     @Override
     public int getPriority() {
-        return 35; // higher than SCRAM-SHA512 (30)
+        return 35 + ChannelBinding.priority(this.channelBinding); // higher than SCRAM-SHA512 (30)
     }
     @Override
diff --git a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha256Plus.java b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha256Plus.java
index 4db33a2fa08566a3ea5c3abb882ab5bf6b7a9255..eafc86fbcfd137b43e1ecf514a3b97b9dc06fd89 100644
--- a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha256Plus.java
+++ b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha256Plus.java
@@ -27,7 +27,7 @@ public class ScramSha256Plus extends ScramPlusMechanism {
     @Override
     public int getPriority() {
-        return 40;
+        return 40 + ChannelBinding.priority(this.channelBinding);
     }
     @Override
diff --git a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha512Plus.java b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha512Plus.java
index 5d846197314d713ac5b47d6ab721f078ad6bfd35..d110e77082380e8c151dbe4d68981b447a6cce4c 100644
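Review bot: The new static `getPriority(SaslMechanism)` on the interface shares its name with the instance method `getPriority()` that `ScramSha1Plus`, `ScramSha256Plus` and `ScramSha512Plus` override in this same patch, yet returns a different quantity (the channel-binding rank alone, 0 to 2, not the mechanism's overall priority); a name such as `channelBindingPriority` would keep the two from being confused at call sites. No caller of this method appears in the patch, so whether it is needed in addition to `ChannelBinding.priority` cannot be judged from here. A one-line Javadoc would at least fix its meaning: `/** Rank of the channel binding used by {@code mechanism}, or 0 for mechanisms without channel binding. */`.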
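Review bot: The bonus added in `getPriority` relies on `ChannelBinding.priority` returning less than the 5-point spacing between the SCRAM families (35/40/45); if that rank ever reached 5, SHA-1-PLUS with a session binding would outrank SHA-256-PLUS with endpoint binding. That invariant is not written down anywhere in the patch; a comment at the return would protect it: `// binding bonus is 0..2 and must stay below the 5-point gap between families`. The same applies to the `ScramSha256Plus` and `ScramSha512Plus` hunks. Note also that under this scheme a move from SHA-256-PLUS with tls-exporter (42) to SHA-512-PLUS with tls-server-end-point (46) is not counted as a downgrade; that is presumably intended, since the hash family dominates, but it is worth confirming against the downgrade check that consumes these values.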
--- a/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha512Plus.java
+++ b/src/main/java/eu/siacs/conversations/crypto/sasl/ScramSha512Plus.java
@@ -27,7 +27,7 @@ public class ScramSha512Plus extends ScramPlusMechanism {
     @Override
     public int getPriority() {
-        return 45;
+        return 45 + ChannelBinding.priority(this.channelBinding);
     }
     @Override