diff --git a/src/auth.c b/src/auth.c index 261e63a8..4ea9526d 100644 --- a/src/auth.c +++ b/src/auth.c @@ -799,7 +799,9 @@ static void _auth(xmpp_conn_t *conn) conn->ctx, "auth", "Password hasn't been set, and SASL ANONYMOUS unsupported."); xmpp_disconnect(conn); - } else if (conn->sasl_support & SASL_MASK_SCRAM) { + } else if ((conn->sasl_support & SASL_MASK_SCRAM_PLUS) || + ((conn->sasl_support & SASL_MASK_SCRAM_WEAK) && + !conn->only_strong_auth)) { size_t n; scram_ctx = strophe_alloc(conn->ctx, sizeof(*scram_ctx)); memset(scram_ctx, 0, sizeof(*scram_ctx)); @@ -857,7 +859,8 @@ static void _auth(xmpp_conn_t *conn) /* SASL algorithm was tried, unset flag */ conn->sasl_support &= ~scram_ctx->alg->mask; - } else if (conn->sasl_support & SASL_MASK_DIGESTMD5) { + } else if ((conn->sasl_support & SASL_MASK_DIGESTMD5) && + conn->weak_auth_enabled) { auth = _make_sasl_auth(conn, "DIGEST-MD5"); if (!auth) { disconnect_mem_error(conn); @@ -871,7 +874,8 @@ static void _auth(xmpp_conn_t *conn) /* SASL DIGEST-MD5 was tried, unset flag */ conn->sasl_support &= ~SASL_MASK_DIGESTMD5; - } else if (conn->sasl_support & SASL_MASK_PLAIN) { + } else if ((conn->sasl_support & SASL_MASK_PLAIN) && + conn->weak_auth_enabled) { auth = _make_sasl_auth(conn, "PLAIN"); if (!auth) { disconnect_mem_error(conn); diff --git a/src/common.h b/src/common.h index 0cba0328..4641d92b 100644 --- a/src/common.h +++ b/src/common.h @@ -259,6 +259,8 @@ struct _xmpp_conn_t { int sasl_support; /* if true, field is a bitfield of supported mechanisms */ int auth_legacy_enabled; + int weak_auth_enabled; + int only_strong_auth; int secured; /* set when stream is secured with TLS */ xmpp_certfail_handler certfail_handler; xmpp_password_callback password_callback; diff --git a/src/conn.c b/src/conn.c index 549b26f3..75132a35 100644 --- a/src/conn.c +++ b/src/conn.c @@ -1133,6 +1133,8 @@ long xmpp_conn_get_flags(const xmpp_conn_t *conn) XMPP_CONN_FLAG_DISABLE_SM * conn->sm_disable | XMPP_CONN_FLAG_ENABLE_COMPRESSION * conn->compression.allowed | XMPP_CONN_FLAG_COMPRESSION_DONT_RESET * conn->compression.dont_reset | + XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled | + XMPP_CONN_FLAG_STRONG_AUTH * conn->only_strong_auth | XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled; return flags; @@ -1188,11 +1190,14 @@ int xmpp_conn_set_flags(xmpp_conn_t *conn, long flags) (flags & XMPP_CONN_FLAG_ENABLE_COMPRESSION) ? 1 : 0; conn->compression.dont_reset = (flags & XMPP_CONN_FLAG_COMPRESSION_DONT_RESET) ? 1 : 0; + conn->weak_auth_enabled = (flags & XMPP_CONN_FLAG_WEAK_AUTH) ? 1 : 0; + conn->only_strong_auth = (flags & XMPP_CONN_FLAG_STRONG_AUTH) ? 1 : 0; flags &= ~(XMPP_CONN_FLAG_DISABLE_TLS | XMPP_CONN_FLAG_MANDATORY_TLS | XMPP_CONN_FLAG_LEGACY_SSL | XMPP_CONN_FLAG_TRUST_TLS | XMPP_CONN_FLAG_LEGACY_AUTH | XMPP_CONN_FLAG_DISABLE_SM | XMPP_CONN_FLAG_ENABLE_COMPRESSION | - XMPP_CONN_FLAG_COMPRESSION_DONT_RESET); + XMPP_CONN_FLAG_COMPRESSION_DONT_RESET | + XMPP_CONN_FLAG_WEAK_AUTH | XMPP_CONN_FLAG_STRONG_AUTH); if (flags) { strophe_error(conn->ctx, "conn", "Flags 0x%04lx unknown", flags); return XMPP_EINVOP; diff --git a/strophe.h b/strophe.h index e3b9b104..c26d2175 100644 --- a/strophe.h +++ b/strophe.h @@ -208,6 +208,14 @@ typedef struct _xmpp_sm_t xmpp_sm_state_t; * Only enable this flag if you know what you're doing. */ #define XMPP_CONN_FLAG_COMPRESSION_DONT_RESET (1UL << 7) +/** @def XMPP_CONN_FLAG_WEAK_AUTH + * Allow weak authentication methods (DIGEST-MD5 and PLAIN). + */ +#define XMPP_CONN_FLAG_WEAK_AUTH (1UL << 8) +/** @def XMPP_CONN_FLAG_STRONG_AUTH + * Only allow strong authentication methods (Only the SCRAM-*-PLUS variants). + */ +#define XMPP_CONN_FLAG_STRONG_AUTH (1UL << 9) /* connect callback */ typedef enum {