
SCRAM-SHA-1 + SCRAM-SHA-256 + SCRAM-SHA-512 + SCRAM-SHA3-512 supports #177

Closed
Neustradamus opened this issue Jan 5, 2019 · 28 comments

@Neustradamus

Neustradamus commented Jan 5, 2019

Dear qxmpp-project team,

For more security, can you add support for:

  • SCRAM-SHA-1
  • SCRAM-SHA-1-PLUS
  • SCRAM-SHA-256
  • SCRAM-SHA-256-PLUS
  • SCRAM-SHA-512
  • SCRAM-SHA-512-PLUS
  • SCRAM-SHA3-512
  • SCRAM-SHA3-512-PLUS

You can also add:

  • SCRAM-SHA-224
  • SCRAM-SHA-224-PLUS
  • SCRAM-SHA-384
  • SCRAM-SHA-384-PLUS

A "big" list has been compiled in the last link of this ticket.


SCRAM-SHA-1(-PLUS):

SCRAM-SHA-256(-PLUS):

SCRAM-SHA-512(-PLUS):

SCRAM-SHA3-512(-PLUS):

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

-PLUS variants:

IMAP:

LDAP:

  • RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

JMAP:

2FA:

IANA:

Linked to:

@jlaine
Contributor

jlaine commented Jan 5, 2019

Do you plan to implement it or is this an "I would like this" issue? As there is no text in your issue it's hard to tell.

@Neustradamus
Author

To be simple: people request it ^^

@jlaine
Contributor

jlaine commented Jan 6, 2019

Good, then "people" can start coding.

@jlaine
Contributor

jlaine commented Jan 16, 2019

I have a work-in-progress PR in #183

@Neustradamus
Author

Nice :)
Maybe you can look at SCRAM-SHA-512 at the same time ^^

@jlaine
Contributor

jlaine commented Jan 17, 2019

The XEPs you linked don't deal with authentication, nor do they mention SCRAM-SHA-512.

Instead of feeding me your shopping list, could you try the PR I linked against a server which supports SCRAM-SHA-1 and SCRAM-SHA-256 and confirm it actually works?

@Neustradamus
Author

Neustradamus commented Jan 17, 2019

List here: scram-sasl/info#1

@jlaine
Contributor

jlaine commented Jan 17, 2019

SCRAM-SHA-1 and SCRAM-SHA-256 are in master.

I was able to use SCRAM-SHA-1 on jabber.at, I haven't found a usable server for SCRAM-SHA-256 so I'll leave that up to you to test. As for the -PLUS variants I don't think QSslSocket has APIs allowing us to perform the required cryptographic binding.

@jlaine jlaine closed this as completed Jan 17, 2019
@lnjX
Member

lnjX commented Jan 17, 2019

I can test the PR at the weekend.

@jlaine
Contributor

jlaine commented Jan 17, 2019

Cool. Some notes:

  • I included test vectors from the RFCs in the test suite so I'm 99% sure it's correct
  • we don't have an implementation of saslPrep so using weird Unicode codepoints will probably fail (but this was already true for other mechanisms)
  • it's probably time to change the preferred SASL mechanism, which is currently DIGEST-MD5
  • when the preferred SASL mechanism is not available we don't have an order of next-best mechanism, we take whatever the first supported mechanism offered by the server is. Not ideal

@Neustradamus
Author

@jlaine Please do not close it before the -PLUS variants and the 512 part too...

@jlaine
Contributor

jlaine commented Jan 18, 2019

@Neustradamus please try to be a more considerate community member. Your messages come across as orders, you haven't demonstrated you are willing to do any work yourself and didn't read what I wrote:

As for the -PLUS variants I don't think QSslSocket has APIs allowing us to perform the required cryptographic binding

The only difference of the -PLUS variants is that they establish a binding to the "channel" (in our case a TCP connection using TLS). As far as I can tell, the bindings we could use (see RFC 5929):

  • tls-unique: QSslSocket does not provide access to the TLS Finished message
  • tls-server-end-point: QSslCertificate does not provide the signatureAlgorithm

https://tools.ietf.org/html/rfc5929

Concerning SHA-384 and SHA-512 the only server which seems to support it is Metronome, and I'm getting an authentication error. In the absence of any test vectors, I cannot be sure whether the error is on my side or on the Metronome side.

@Neustradamus
Author

@maranda, can you look for the problem?

@maranda

maranda commented Jan 18, 2019

@Neustradamus please try to be a more considerate community member.

On that I lost every hope years ago already.
Otherwise what is the error you get? There were missing SHA-384/512 imports before 3.11.5 so those two algorithms didn't work while being advertised.
I would also like to point out that the IETF didn't officially approve usage of any algorithm beyond SHA-256 so while Metronome implements those it's rather unadvised to use/implement anything beyond SHA-256.

@Neustradamus
Author

@jlaine
Contributor

jlaine commented Jan 18, 2019

@Neustradamus as stated before you are confused. These hash recommendations are totally unrelated to authentication.

@maranda right, I assumed as much, which is why we have no official test vectors to check whether our implementation is at fault or metronome. I created a qxmpp account on lightwitch.org and ran my tests against that server:

Fri Jan 18 18:06:09 2019 RECEIVED <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='lightwitch.org' id='8cd3c743-99db-4aa2-bca1-46edc1daa8fb' xml:lang='en' xmlns='jabber:client'><stream:features><register xmlns='http://jabber.org/features/iq-register'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>SCRAM-SHA-512</mechanism><mechanism>SCRAM-SHA-512-PLUS</mechanism><mechanism>SCRAM-SHA-384</mechanism><mechanism>SCRAM-SHA-384-PLUS</mechanism><mechanism>SCRAM-SHA-256</mechanism><mechanism>SCRAM-SHA-256-PLUS</mechanism><mechanism>SCRAM-SHA-1</mechanism><mechanism>SCRAM-SHA-1-PLUS</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
Fri Jan 18 18:06:09 2019 INFO SASL mechanism 'SCRAM-SHA-512' selected
Fri Jan 18 18:06:09 2019 SENT <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="SCRAM-SHA-512">biwsbj1xeG1wcCxyPUtIQU9ybnRkQmF3TGJNdzlaS2YzMVpqRnNCc0lwMlA3djFReDMxME5YbGs9</auth>
Fri Jan 18 18:06:09 2019 RECEIVED <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cj1LSEFPcm50ZEJhd0xiTXc5WktmMzFaakZzQnNJcDJQN3YxUXgzMTBOWGxrPWExYWE4NWY4LWI3YmEtNGUzZi1hMWJkLTU4NzJkMjliYTVjZSxzPVltUTNOR1EwT1RNdE5UQmlPUzAwTVdRekxUazRNelF0TmpKaE56VXlNVEU0TTJJeixpPTQwOTY=</challenge>
Fri Jan 18 18:06:10 2019 SENT <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">Yz1iaXdzLHI9S0hBT3JudGRCYXdMYk13OVpLZjMxWmpGc0JzSXAyUDd2MVF4MzEwTlhsaz1hMWFhODVmOC1iN2JhLTRlM2YtYTFiZC01ODcyZDI5YmE1Y2UscD1oMFdEMXcyN0VXSW1ieFR3bUhVdU9PMEpsZjBJQlFlajNRQmxPT2lpSmVaYU13TkRlTFBjOHRES0ZuVlVRWU9EcUxuUjVGR2w4bEVjMzFBNU5OYW1CZz09</response>
Fri Jan 18 18:06:10 2019 RECEIVED <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>The response provided by the client doesn&apos;t match the one we calculated</text></failure>
Fri Jan 18 18:06:10 2019 WARNING Authentication failure

As stated, SHA-1 and SHA-256 work fine.

@maranda

maranda commented Jan 18, 2019

@jlaine not home so I can't properly check and might be wrong, but at first glance the digest lengths in that authentication flow look fairly short to me, for SHA-512 at least.

@jlaine
Contributor

jlaine commented Jan 18, 2019

Un-base64'ing the messages it looks like:

auth

n,,n=qxmpp,r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk=

challenge

r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk=a1aa85f8-b7ba-4e3f-a1bd-5872d29ba5ce,s=YmQ3NGQ0OTMtNTBiOS00MWQzLTk4MzQtNjJhNzUyMTE4M2Iz,i=4096

response (64 byte client proof)

c=biws,r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk=a1aa85f8-b7ba-4e3f-a1bd-5872d29ba5ce,p=h0WD1w27EWImbxTwmHUuOO0Jlf0IBQej3QBlOOiiJeZaMwNDeLPc8tDKFnVUQYODqLnR5FGl8lEc31A5NNamBg==

@maranda

maranda commented Jan 18, 2019

@jlaine the computed key from the client response doesn't match the one stored by Metronome. I ran a manual test in the Lua interpreter; I think the provided proof might be incorrect:

-- AuthMessage = client-first-message-bare "," server-first-message "," client-final-message-without-proof
authmessage="n=qxmpp,r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk="..",".."r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk=a1aa85f8-b7ba-4e3f-a1bd-5872d29ba5ce,s=YmQ3NGQ0OTMtNTBiOS00MWQzLTk4MzQtNjJhNzUyMTE4M2Iz,i=4096"..",".."c=biws,r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk=a1aa85f8-b7ba-4e3f-a1bd-5872d29ba5ce"

-- ClientSignature = HMAC(StoredKey, AuthMessage), ServerSignature = HMAC(ServerKey, AuthMessage);
-- the hex keys are the StoredKey and ServerKey Metronome holds for this account
clientsig=hmac_sha512(from_hex("04d73c64fec6daf49840d4b51282cf1d1f70a675d4ee65a7a7737374d1ec1026b778ad518838465a8fa51c6a50472fcf0e4c89dc15fc708d0fc04882608e988c"),authmessage)
serversig=hmac_sha512(from_hex("447008be5d513472b66dc46e9fb7afbe0d3fe516cfffcdeaac4d77974d163ffa4e25827b4dadfa19ce96930d7e28ed09e9d2760e1246cad03362951707e0007a"),authmessage)

-- ClientKey = ClientProof XOR ClientSignature, with the proof taken from the client's p= attribute
clientkey=binaryXOR(clientsig,decode("h0WD1w27EWImbxTwmHUuOO0Jlf0IBQej3QBlOOiiJeZaMwNDeLPc8tDKFnVUQYODqLnR5FGl8lEc31A5NNamBg=="))

-- H(ClientKey) must equal the StoredKey above for the proof to verify; interpreter output follows
=sha512(clientkey, true)
f635d29dd32bba8af657d275184f9016403e79439982976e26fcf497ed694ecccfb86c0512271269a02ddfa51fbf5c5083d3a1f387dadfc032babcc3e7883ddb

I hastily replicated a test to check: the key hash computed by Metronome from the response is f635d29dd32bba8af657d275184f9016403e79439982976e26fcf497ed694ecccfb86c0512271269a02ddfa51fbf5c5083d3a1f387dadfc032babcc3e7883ddb while it should really be 04d73c64fec6daf49840d4b51282cf1d1f70a675d4ee65a7a7737374d1ec1026b778ad518838465a8fa51c6a50472fcf0e4c89dc15fc708d0fc04882608e988c … I don't think Metronome is at fault here, but should you figure otherwise feel free to open an issue and I'll fix it as soon as possible.

@jlaine
Contributor

jlaine commented Jan 19, 2019

Your test doesn't tell me anything new, we already know that qxmpp and metronome's code don't agree, running it manually won't change that! ;)

Edit: @maranda from what you pasted:

  • we agree on authMessage
  • we disagree on both storedKey and serverKey

storedKey(qxmpp) hex

32265993c8de82798ad6d2a24a138a2a25382f0dec9a8c331caffbbd8e322a58439a652b3cf8cb3b46fd0f90dd75fdcca602a87bd52149ec14f6c75d6ac28bf8

storedKey(metronome) hex

04d73c64fec6daf49840d4b51282cf1d1f70a675d4ee65a7a7737374d1ec1026b778ad518838465a8fa51c6a50472fcf0e4c89dc15fc708d0fc04882608e988c

serverKey(qxmpp) hex

8c649aaed019dce6472bf507c97827159206ae6acc0e816d54741d4780e45fc3fd7d753071aff3626842540a8bb84ad1bf9ff99bba64b7ac55bb2d6252521e77

serverKey(metronome) hex

447008be5d513472b66dc46e9fb7afbe0d3fe516cfffcdeaac4d77974d163ffa4e25827b4dadfa19ce96930d7e28ed09e9d2760e1246cad03362951707e0007a

=> I think things are diverging very early on, possibly during the PBKDF2 derivation. Here is my (hex) dump of saltedPassword; could you let me know what you find?

76ed8c5958a12c829a06da4f4c0fe344002bbd3d534b9ad3bba8c48db7873c4d290da244f8fabcab48b69ec5fdbc1d637eeed9f70197155123ee2dd17831322e
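An added example (not code from this thread, from QXmpp or from Metronome): a stand-alone Python SCRAM client computation following RFC 5802 section 3, checked against the RFC 5802 SHA-1 and RFC 7677 SHA-256 test vectors jlaine's test suite relies on, and exposing the saltedPassword/storedKey/serverKey hex values the two sides compare above. It also runs the thread's SCRAM-SHA-512 exchange with a placeholder password (the real one is not on the page), which cannot verify but does reproduce the 64-byte proof length maranda asked about; the function names and the gs2_header/cb_data parameters are mine.

```python
import base64
import hashlib
import hmac

def scram_keys(hash_name, password, salt, iterations):
    # SaltedPassword := Hi(password, salt, i), i.e. PBKDF2-HMAC-<hash>; then the RFC 5802 section 3 keys.
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return salted, client_key, stored_key, server_key

def scram_client(hash_name, password, client_first, server_first, gs2_header="n,,", cb_data=b""):
    # c= is base64(gs2-header || cbind-data): "n,," alone gives "biws" (no channel binding, as in the thread); a -PLUS mechanism adds the tls-unique / tls-server-end-point bytes.
    cbind = base64.b64encode(gs2_header.encode() + cb_data).decode()
    cf_bare = client_first.split(",", 2)[2]  # client-first-message-bare: drop the GS2 header
    attrs = dict(part.split("=", 1) for part in server_first.split(","))
    cf_without_proof = f"c={cbind},r={attrs['r']}"
    auth_message = ",".join([cf_bare, server_first, cf_without_proof]).encode()
    salted, client_key, stored_key, server_key = scram_keys(hash_name, password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_sig = hmac.new(stored_key, auth_message, hash_name).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))  # ClientProof = ClientKey XOR ClientSignature
    server_sig = hmac.new(server_key, auth_message, hash_name).digest()
    return {"client_final": f"{cf_without_proof},p={base64.b64encode(proof).decode()}",
            "server_final": "v=" + base64.b64encode(server_sig).decode(), "proof_len": len(proof),
            "salted_password": salted.hex(), "stored_key": stored_key.hex(), "server_key": server_key.hex()}

# Published vectors, password "pencil": RFC 5802 (SHA-1) and RFC 7677 (SHA-256).
RFC_VECTORS = {
    "sha1": ("n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL",
             "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096",
             "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=",
             "v=rmF9pqV8S7suAoZWja4dJRkFsKQ="),
    "sha256": ("n,,n=user,r=rOprNGfwEbeRWgbNEkqO",
               "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096",
               "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=",
               "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="),
}

def check_rfc_vectors():
    # True when both RFC exchanges are reproduced byte for byte.
    return all((r["client_final"], r["server_final"]) == (cfinal, sfinal)
               for h, (cf, sf, cfinal, sfinal) in RFC_VECTORS.items()
               for r in [scram_client(h, "pencil", cf, sf)])

def thread_sha512_proof_len():
    # The thread's SCRAM-SHA-512 exchange with a PLACEHOLDER password (the real one is not on the page): the proof cannot verify, but its 64-byte length can.
    return scram_client("sha512", "PLACEHOLDER", "n,,n=qxmpp,r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk=",
        "r=KHAOrntdBawLbMw9ZKf31ZjFsBsIp2P7v1Qx310NXlk=a1aa85f8-b7ba-4e3f-a1bd-5872d29ba5ce,"
        "s=YmQ3NGQ0OTMtNTBiOS00MWQzLTk4MzQtNjJhNzUyMTE4M2Iz,i=4096")["proof_len"]
```

Comparing the hex values returned by scram_client with a server's stored keys, as the two sides do above, localises a divergence to PBKDF2 (salted_password), to the key derivation (stored_key/server_key) or to the AuthMessage.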

@Neustradamus
Author

Neustradamus commented Jan 23, 2019

@jlaine and @maranda: Have you looked for the problem?

@Neustradamus
Author

@jlaine: Have you looked for -PLUS variants?
@maranda: Have you found the 512 problem?

@jlaine
Contributor

jlaine commented Feb 3, 2019

@Neustradamus : re-read my comments, it is fundamentally not possible short of changing Qt

@Neustradamus Neustradamus changed the title SCRAM-SHA-1 and SCRAM-SHA-1-PLUS + SCRAM-SHA-256 and SCRAM-SHA-256-PLUS supports SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports Mar 20, 2019
@Neustradamus
Author

Neustradamus commented Aug 21, 2019

RFC8600 has been published for SCRAM-SHA256(-PLUS) and to replace the old SCRAM-SHA1(-PLUS)

State of Play: scram-sasl/info#1

@Neustradamus
Author

@jlaine, @maranda: Psi IM works now (not -PLUS variants because Qt problem).

SCRAM-SHA-1 to 512(-PLUS) have been integrated in Cyrus SASL.

For your information, and if you want to follow, to help...

@Neustradamus
Author

@jlaine: Can you test QXmpp (SCRAM-SHA-1/SCRAM-SHA-256/SCRAM-SHA-512) with Jackal XMPP Server and confirm if the problem is in Metronome IM?

Thanks a lot in advance.

cc: @ortuman

@Neustradamus
Author

@maranda: Can you look at the Metronome IM fix from @pasis?
@jlaine: Now you can add a real support in QXmpp :)
@lnjX: Can you look for Kaidan and maybe directly for QXmpp?

A big thanks to @pasis :)

@Neustradamus
Author

Neustradamus commented Nov 10, 2023

Dear @qxmpp-project team, @lnjX, @jlaine, @tehnick, @0xd34df00d,

Is it possible to comment on this important Qt ticket about Channel Binding?

It is needed to have support for the SCRAM-SHA-*-PLUS variants.

Recently, we have seen the jabber.ru MITM:

Thanks in advance.

@Neustradamus Neustradamus changed the title SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports SCRAM-SHA-1 + SCRAM-SHA-256 + SCRAM-SHA-512 + SCRAM-SHA3-512 supports Nov 10, 2023