Add option to enforce usage of SCRAM-*-PLUS variants
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
This commit is contained in:
@@ -799,7 +799,9 @@ static void _auth(xmpp_conn_t *conn)
|
||||
conn->ctx, "auth",
|
||||
"Password hasn't been set, and SASL ANONYMOUS unsupported.");
|
||||
xmpp_disconnect(conn);
|
||||
} else if (conn->sasl_support & SASL_MASK_SCRAM) {
|
||||
} else if ((conn->sasl_support & SASL_MASK_SCRAM_PLUS) ||
|
||||
((conn->sasl_support & SASL_MASK_SCRAM_WEAK) &&
|
||||
!conn->only_strong_auth)) {
|
||||
size_t n;
|
||||
scram_ctx = strophe_alloc(conn->ctx, sizeof(*scram_ctx));
|
||||
memset(scram_ctx, 0, sizeof(*scram_ctx));
|
||||
|
||||
@@ -260,6 +260,7 @@ struct _xmpp_conn_t {
|
||||
mechanisms */
|
||||
int auth_legacy_enabled;
|
||||
int weak_auth_enabled;
|
||||
int only_strong_auth;
|
||||
int secured; /* set when stream is secured with TLS */
|
||||
xmpp_certfail_handler certfail_handler;
|
||||
xmpp_password_callback password_callback;
|
||||
|
||||
14
src/conn.c
14
src/conn.c
@@ -1134,6 +1134,7 @@ long xmpp_conn_get_flags(const xmpp_conn_t *conn)
|
||||
XMPP_CONN_FLAG_ENABLE_COMPRESSION * conn->compression.allowed |
|
||||
XMPP_CONN_FLAG_COMPRESSION_DONT_RESET * conn->compression.dont_reset |
|
||||
XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled |
|
||||
XMPP_CONN_FLAG_STRONG_AUTH * conn->only_strong_auth |
|
||||
XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled;
|
||||
|
||||
return flags;
|
||||
@@ -1190,12 +1191,13 @@ int xmpp_conn_set_flags(xmpp_conn_t *conn, long flags)
|
||||
conn->compression.dont_reset =
|
||||
(flags & XMPP_CONN_FLAG_COMPRESSION_DONT_RESET) ? 1 : 0;
|
||||
conn->weak_auth_enabled = (flags & XMPP_CONN_FLAG_WEAK_AUTH) ? 1 : 0;
|
||||
flags &=
|
||||
~(XMPP_CONN_FLAG_DISABLE_TLS | XMPP_CONN_FLAG_MANDATORY_TLS |
|
||||
XMPP_CONN_FLAG_LEGACY_SSL | XMPP_CONN_FLAG_TRUST_TLS |
|
||||
XMPP_CONN_FLAG_LEGACY_AUTH | XMPP_CONN_FLAG_DISABLE_SM |
|
||||
XMPP_CONN_FLAG_ENABLE_COMPRESSION |
|
||||
XMPP_CONN_FLAG_COMPRESSION_DONT_RESET | XMPP_CONN_FLAG_WEAK_AUTH);
|
||||
conn->only_strong_auth = (flags & XMPP_CONN_FLAG_STRONG_AUTH) ? 1 : 0;
|
||||
flags &= ~(XMPP_CONN_FLAG_DISABLE_TLS | XMPP_CONN_FLAG_MANDATORY_TLS |
|
||||
XMPP_CONN_FLAG_LEGACY_SSL | XMPP_CONN_FLAG_TRUST_TLS |
|
||||
XMPP_CONN_FLAG_LEGACY_AUTH | XMPP_CONN_FLAG_DISABLE_SM |
|
||||
XMPP_CONN_FLAG_ENABLE_COMPRESSION |
|
||||
XMPP_CONN_FLAG_COMPRESSION_DONT_RESET |
|
||||
XMPP_CONN_FLAG_WEAK_AUTH | XMPP_CONN_FLAG_STRONG_AUTH);
|
||||
if (flags) {
|
||||
strophe_error(conn->ctx, "conn", "Flags 0x%04lx unknown", flags);
|
||||
return XMPP_EINVOP;
|
||||
|
||||
@@ -212,6 +212,10 @@ typedef struct _xmpp_sm_t xmpp_sm_state_t;
|
||||
* Allow weak authentication methods (DIGEST-MD5 and PLAIN).
|
||||
*/
|
||||
#define XMPP_CONN_FLAG_WEAK_AUTH (1UL << 8)
|
||||
/** @def XMPP_CONN_FLAG_STRONG_AUTH
|
||||
* Only allow strong authentication methods (Only the SCRAM-*-PLUS variants).
|
||||
*/
|
||||
#define XMPP_CONN_FLAG_STRONG_AUTH (1UL << 9)
|
||||
|
||||
/* connect callback */
|
||||
typedef enum {
|
||||
|
||||
Reference in New Issue
Block a user