Add option to enforce usage of SCRAM-*-PLUS variants

sjaeckel · sjaeckel · commit 723977980b4b · 2023-11-08T13:25:41.000+01:00
Signed-off-by: Steffen Jaeckel &lt;jaeckel-floss@eyet-services.de&gt;
diff --git a/src/auth.c b/src/auth.c
@@ -765,7 +765,9 @@ static void _auth(xmpp_conn_t *conn)
             conn->ctx, "auth",
             "Password hasn't been set, and SASL ANONYMOUS unsupported.");
         xmpp_disconnect(conn);
-    } else if (conn->sasl_support & SASL_MASK_SCRAM) {
+    } else if ((conn->sasl_support & SASL_MASK_SCRAM_PLUS) ||
+               ((conn->sasl_support & SASL_MASK_SCRAM_WEAK) &&
+                !conn->only_strong_auth)) {
         scram_ctx = strophe_alloc(conn->ctx, sizeof(*scram_ctx));
         memset(scram_ctx, 0, sizeof(*scram_ctx));
         if (conn->sasl_support & SASL_MASK_SCRAMSHA256_PLUS) {
diff --git a/src/common.h b/src/common.h
@@ -233,6 +233,7 @@ struct _xmpp_conn_t {
                          mechanisms */
     int auth_legacy_enabled;
     int weak_auth_enabled;
+    int only_strong_auth;
     int secured; /* set when stream is secured with TLS */
     xmpp_certfail_handler certfail_handler;
     xmpp_password_callback password_callback;
diff --git a/src/conn.c b/src/conn.c
@@ -1113,7 +1113,8 @@ long xmpp_conn_get_flags(const xmpp_conn_t *conn)
             XMPP_CONN_FLAG_TRUST_TLS * conn->tls_trust |
             XMPP_CONN_FLAG_DISABLE_SM * conn->sm_disable |
             XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled |
-            XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled;
+            XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled |
+            XMPP_CONN_FLAG_STRONG_AUTH * conn->only_strong_auth;
 
     return flags;
 }
@@ -1163,6 +1164,7 @@ int xmpp_conn_set_flags(xmpp_conn_t *conn, long flags)
     conn->auth_legacy_enabled = (flags & XMPP_CONN_FLAG_LEGACY_AUTH) ? 1 : 0;
     conn->sm_disable = (flags & XMPP_CONN_FLAG_DISABLE_SM) ? 1 : 0;
     conn->weak_auth_enabled = (flags & XMPP_CONN_FLAG_WEAK_AUTH) ? 1 : 0;
+    conn->only_strong_auth = (flags & XMPP_CONN_FLAG_STRONG_AUTH) ? 1 : 0;
 
     return 0;
 }
diff --git a/strophe.h b/strophe.h
@@ -195,6 +195,10 @@ typedef struct _xmpp_sm_t xmpp_sm_state_t;
  *  Allow weak authentication methods (DIGEST-MD5 and PLAIN).
  */
 #define XMPP_CONN_FLAG_WEAK_AUTH (1UL << 6)
+/** @def XMPP_CONN_FLAG_STRONG_AUTH
+ *  Only allow strong authentication methods (Only the SCRAM-*-PLUS variants).
+ */
+#define XMPP_CONN_FLAG_STRONG_AUTH (1UL << 7)
 
 /* connect callback */
 typedef enum {
