Add option to enforce usage of SCRAM-*-PLUS variants
Signed-off-by: Steffen Jaeckel <[email protected]>
sjaeckel committed Nov 9, 2023
1 parent 5e25c05 commit bf475ff
Showing 4 changed files with 11 additions and 2 deletions.
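--- a/src/auth.c
+++ b/src/auth.c
@@ -775,7 +775,9 @@ static void _auth(xmpp_conn_t *conn)
 conn->ctx, "auth",
 "Password hasn't been set, and SASL ANONYMOUS unsupported.");
 xmpp_disconnect(conn);
-} else if (conn->sasl_support & SASL_MASK_SCRAM) {
+} else if ((conn->sasl_support & SASL_MASK_SCRAM_PLUS) ||
+((conn->sasl_support & SASL_MASK_SCRAM_WEAK) &&
+!conn->only_strong_auth)) {
 size_t n;
 scram_ctx = strophe_alloc(conn->ctx, sizeof(*scram_ctx));
 memset(scram_ctx, 0, sizeof(*scram_ctx));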
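Review bot: With `only_strong_auth` set and no SCRAM-*-PLUS bit in `conn->sasl_support`, the new condition is false and control falls through to whatever `else if` branches follow this one in `_auth`, which lie outside the hunk. If those branches are gated only on `weak_auth_enabled` or `auth_legacy_enabled`, a peer that removes the PLUS variants from the advertised mechanism list could still move the client onto a weaker mechanism. An earlier branch that logs an error and calls `xmpp_disconnect(conn)` when `conn->only_strong_auth && !(conn->sasl_support & SASL_MASK_SCRAM_PLUS)` would make the option fail closed. The mechanism selection inside this branch is also outside the hunk and should be checked to confirm it skips the non-PLUS variants when the option is set.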
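--- a/src/common.h
+++ b/src/common.h
@@ -233,6 +233,7 @@ struct _xmpp_conn_t {
 mechanisms */
 int auth_legacy_enabled;
 int weak_auth_enabled;
+int only_strong_auth;
 int secured; /* set when stream is secured with TLS */
 xmpp_certfail_handler certfail_handler;
 xmpp_password_callback password_callback;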
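--- a/src/conn.c
+++ b/src/conn.c
@@ -1112,7 +1112,8 @@ long xmpp_conn_get_flags(const xmpp_conn_t *conn)
 XMPP_CONN_FLAG_TRUST_TLS * conn->tls_trust |
 XMPP_CONN_FLAG_DISABLE_SM * conn->sm_disable |
 XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled |
-XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled;
+XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled |
+XMPP_CONN_FLAG_STRONG_AUTH * conn->only_strong_auth;
 
 return flags;
 }
@@ -1162,6 +1163,7 @@ int xmpp_conn_set_flags(xmpp_conn_t *conn, long flags)
 conn->auth_legacy_enabled = (flags & XMPP_CONN_FLAG_LEGACY_AUTH) ? 1 : 0;
 conn->sm_disable = (flags & XMPP_CONN_FLAG_DISABLE_SM) ? 1 : 0;
 conn->weak_auth_enabled = (flags & XMPP_CONN_FLAG_WEAK_AUTH) ? 1 : 0;
+conn->only_strong_auth = (flags & XMPP_CONN_FLAG_STRONG_AUTH) ? 1 : 0;
 
 return 0;
 }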
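Review bot: In the second hunk, `xmpp_conn_set_flags` stores `XMPP_CONN_FLAG_STRONG_AUTH` alongside `XMPP_CONN_FLAG_WEAK_AUTH` and `XMPP_CONN_FLAG_LEGACY_AUTH` without rejecting the combination, so a caller can request "only SCRAM-*-PLUS" and "allow weak or legacy mechanisms" at the same time and the result then depends on branch order in `_auth`. Rejecting the contradiction here would make the contract explicit, for example `if ((flags & XMPP_CONN_FLAG_STRONG_AUTH) && (flags & (XMPP_CONN_FLAG_WEAK_AUTH | XMPP_CONN_FLAG_LEGACY_AUTH))) return XMPP_EINVAL;` ahead of the assignments. The function begins outside the hunk, so whether it already validates other flag combinations in this way is not visible here.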
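--- a/strophe.h
+++ b/strophe.h
@@ -195,6 +195,10 @@ typedef struct _xmpp_sm_t xmpp_sm_state_t;
 * Allow weak authentication methods (DIGEST-MD5 and PLAIN).
 */
 #define XMPP_CONN_FLAG_WEAK_AUTH (1UL << 6)
+/** @def XMPP_CONN_FLAG_STRONG_AUTH
+* Only allow strong authentication methods (Only the SCRAM-*-PLUS variants).
+*/
+#define XMPP_CONN_FLAG_STRONG_AUTH (1UL << 7)
 
 /* connect callback */
 typedef enum {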
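Review bot: The doc comment for `XMPP_CONN_FLAG_STRONG_AUTH` does not say what a caller should expect when the server offers no SCRAM-*-PLUS mechanism, nor how the flag interacts with `XMPP_CONN_FLAG_WEAK_AUTH` documented just above it. As this is the public header, I would reword it along the lines of `Only allow the channel-bound SCRAM-*-PLUS mechanisms; all other SASL mechanisms are refused.` and add one sentence on the failure case once that behaviour is settled. The PLUS variants bind authentication to the TLS channel, so the comment should also state that the flag is only meaningful on a TLS-secured stream.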
