diff --git a/src/auth.c b/src/auth.c index 261e63a..f9914d4 100644 --- a/src/auth.c +++ b/src/auth.c @@ -857,7 +857,8 @@ static void _auth(xmpp_conn_t *conn) /* SASL algorithm was tried, unset flag */ conn->sasl_support &= ~scram_ctx->alg->mask; - } else if (conn->sasl_support & SASL_MASK_DIGESTMD5) { + } else if ((conn->sasl_support & SASL_MASK_DIGESTMD5) && + conn->weak_auth_enabled) { auth = _make_sasl_auth(conn, "DIGEST-MD5"); if (!auth) { disconnect_mem_error(conn); @@ -871,7 +872,8 @@ static void _auth(xmpp_conn_t *conn) /* SASL DIGEST-MD5 was tried, unset flag */ conn->sasl_support &= ~SASL_MASK_DIGESTMD5; - } else if (conn->sasl_support & SASL_MASK_PLAIN) { + } else if ((conn->sasl_support & SASL_MASK_PLAIN) && + conn->weak_auth_enabled) { auth = _make_sasl_auth(conn, "PLAIN"); if (!auth) { disconnect_mem_error(conn); diff --git a/src/common.h b/src/common.h index 0cba032..a0d82b5 100644 --- a/src/common.h +++ b/src/common.h @@ -259,6 +259,7 @@ struct _xmpp_conn_t { int sasl_support; /* if true, field is a bitfield of supported mechanisms */ int auth_legacy_enabled; + int weak_auth_enabled; int secured; /* set when stream is secured with TLS */ xmpp_certfail_handler certfail_handler; xmpp_password_callback password_callback; diff --git a/src/conn.c b/src/conn.c index 549b26f..477957b 100644 --- a/src/conn.c +++ b/src/conn.c @@ -1133,6 +1133,7 @@ long xmpp_conn_get_flags(const xmpp_conn_t *conn) XMPP_CONN_FLAG_DISABLE_SM * conn->sm_disable | XMPP_CONN_FLAG_ENABLE_COMPRESSION * conn->compression.allowed | XMPP_CONN_FLAG_COMPRESSION_DONT_RESET * conn->compression.dont_reset | + XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled | XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled; return flags; @@ -1188,11 +1189,13 @@ int xmpp_conn_set_flags(xmpp_conn_t *conn, long flags) (flags & XMPP_CONN_FLAG_ENABLE_COMPRESSION) ? 1 : 0; conn->compression.dont_reset = (flags & XMPP_CONN_FLAG_COMPRESSION_DONT_RESET) ? 1 : 0; - flags &= ~(XMPP_CONN_FLAG_DISABLE_TLS | XMPP_CONN_FLAG_MANDATORY_TLS | - XMPP_CONN_FLAG_LEGACY_SSL | XMPP_CONN_FLAG_TRUST_TLS | - XMPP_CONN_FLAG_LEGACY_AUTH | XMPP_CONN_FLAG_DISABLE_SM | - XMPP_CONN_FLAG_ENABLE_COMPRESSION | - XMPP_CONN_FLAG_COMPRESSION_DONT_RESET); + conn->weak_auth_enabled = (flags & XMPP_CONN_FLAG_WEAK_AUTH) ? 1 : 0; + flags &= + ~(XMPP_CONN_FLAG_DISABLE_TLS | XMPP_CONN_FLAG_MANDATORY_TLS | + XMPP_CONN_FLAG_LEGACY_SSL | XMPP_CONN_FLAG_TRUST_TLS | + XMPP_CONN_FLAG_LEGACY_AUTH | XMPP_CONN_FLAG_DISABLE_SM | + XMPP_CONN_FLAG_ENABLE_COMPRESSION | + XMPP_CONN_FLAG_COMPRESSION_DONT_RESET | XMPP_CONN_FLAG_WEAK_AUTH); if (flags) { strophe_error(conn->ctx, "conn", "Flags 0x%04lx unknown", flags); return XMPP_EINVOP; diff --git a/strophe.h b/strophe.h index e3b9b10..09d9c2c 100644 --- a/strophe.h +++ b/strophe.h @@ -208,6 +208,10 @@ typedef struct _xmpp_sm_t xmpp_sm_state_t; * Only enable this flag if you know what you're doing. */ #define XMPP_CONN_FLAG_COMPRESSION_DONT_RESET (1UL << 7) +/** @def XMPP_CONN_FLAG_WEAK_AUTH + * Allow weak authentication methods (DIGEST-MD5 and PLAIN). + */ +#define XMPP_CONN_FLAG_WEAK_AUTH (1UL << 8) /* connect callback */ typedef enum {