Opened 5 years ago

Closed 5 years ago

#6940 closed enhancement (fixed)

improve SCRAM implementation

Reported by: asterix
Owned by:
Priority: normal
Milestone: 0.15
Component: None
Version:
Severity: normal
Keywords:
Cc:
Blocked By:
Blocking:
OS: All


ServerSignature isn't checked when authenticating. If the server gives a wrong ServerSignature, Gajim still connects, while it should not.

RFC says:

The client then authenticates the server by computing the
ServerSignature and comparing it to the value sent by the server.  If
the two are different, the client MUST consider the authentication
exchange to be unsuccessful and it might have to drop the connection.
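To make the RFC requirement concrete, the following is an added example, not Gajim's code and not from this ticket: a minimal SCRAM-SHA-1 client in Python that computes ServerSignature itself and refuses the server-final message when the v= value does not match. The honest server's messages are the test vector from RFC 5802 section 5 (user "user", password "pencil", the nonces and salt printed there); the forged v= and the e= reply are constructed for the failing cases. Class and function names (ScramSha1Client, run_exchange, ...) are my own and assumed, and SASLprep of the password is omitted because the example password is plain ASCII.

```python
# Added example (not Gajim's code): a minimal SCRAM-SHA-1 client per RFC 5802
# that verifies the server's final "v=" value before declaring success.
import base64
import binascii
import hashlib
import hmac


def parse_attrs(message: str) -> dict:
    """Split a SCRAM message ("k=v,k=v") into a dict; values may contain '='."""
    attrs = {}
    for field in message.split(","):
        key, _, value = field.partition("=")
        attrs[key] = value
    return attrs


def derive_keys(password: bytes, salt: bytes, iterations: int):
    """RFC 5802 section 3: Hi() is PBKDF2-HMAC-SHA1 with dkLen = H's output size."""
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, stored_key, server_key


class ScramSha1Client:
    """Client side of one SCRAM-SHA-1 exchange (names are this example's own)."""

    def __init__(self, username: str, password: str, client_nonce: str):
        self.username = username
        self.password = password.encode("utf-8")  # SASLprep omitted (ASCII demo password)
        self.client_nonce = client_nonce
        self.expected_server_signature = None

    def first_bare(self) -> str:
        return f"n={self.username},r={self.client_nonce}"

    def first_message(self) -> str:
        # GS2 header "n,," (no channel binding) followed by client-first-message-bare.
        return "n,," + self.first_bare()

    def final_message(self, server_first: str) -> str:
        attrs = parse_attrs(server_first)
        nonce = attrs["r"]
        if not nonce.startswith(self.client_nonce):
            raise ValueError("server nonce does not extend the client nonce")
        salt = base64.b64decode(attrs["s"])
        iterations = int(attrs["i"])
        client_key, stored_key, server_key = derive_keys(self.password, salt, iterations)
        # "c=biws" is base64("n,,"): the GS2 header echoed back for channel-binding data.
        final_without_proof = f"c=biws,r={nonce}"
        auth_message = ",".join([self.first_bare(), server_first, final_without_proof]).encode()
        client_signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
        client_proof = bytes(a ^ b for a, b in zip(client_key, client_signature))
        # Remember what an honest server must send back, to be checked on server-final.
        self.expected_server_signature = hmac.new(server_key, auth_message, hashlib.sha1).digest()
        return final_without_proof + ",p=" + base64.b64encode(client_proof).decode()

    def verify_server_final(self, server_final: str) -> bool:
        """The check this ticket asks for: accept only if v= equals ServerSignature."""
        attrs = parse_attrs(server_final)
        if "e" in attrs or "v" not in attrs or self.expected_server_signature is None:
            return False
        try:
            received = base64.b64decode(attrs["v"], validate=True)
        except (binascii.Error, ValueError):
            return False
        return hmac.compare_digest(received, self.expected_server_signature)


# Honest server messages: the worked example in RFC 5802 section 5.
RFC_CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
RFC_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
RFC_SERVER_FINAL = "v=rmF9pqV8S7suAoZWja4dJRkFsKQ="
# Constructed forged reply: a server that never knew the password cannot produce v=.
FORGED_SERVER_FINAL = "v=" + "A" * 27 + "="


def rfc_client_final() -> str:
    client = ScramSha1Client("user", "pencil", RFC_CLIENT_NONCE)
    client.first_message()
    return client.final_message(RFC_SERVER_FIRST)


def run_exchange(server_final: str) -> bool:
    """Run the client through the exchange and return whether it accepts server_final."""
    client = ScramSha1Client("user", "pencil", RFC_CLIENT_NONCE)
    client.first_message()            # would be sent to the server
    client.final_message(RFC_SERVER_FIRST)  # would be sent to the server
    return client.verify_server_final(server_final)


if __name__ == "__main__":
    print("RFC vector accepted:", run_exchange(RFC_SERVER_FINAL))
    print("forged v= accepted: ", run_exchange(FORGED_SERVER_FINAL))
    print("e= error accepted:  ", run_exchange("e=invalid-proof"))
```

The behaviour the ticket complains about corresponds to skipping verify_server_final and treating the server's final message as success regardless of its content; with the check in place, a server (or a man in the middle) that does not hold the user's ServerKey cannot get the client past the final step.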

Change History (1)

comment:1 Changed 5 years ago by Yann Leboulanger <asterix@…>

  • Resolution set to fixed
  • Status changed from new to closed

(In [80d2f71e364c]) check DIGEST-MD5 and SCRAM-SHA-1 latest answer from server before accepting authentication. Fixes #6940
