2 Commits

Author SHA1 Message Date
Steffen Jaeckel
460e34552b Add option to enforce usage of SCRAM-*-PLUS variants
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2024-01-31 23:52:51 +01:00
Steffen Jaeckel
fac1900c3f Disable weak authentication methods per default
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2024-01-31 23:50:13 +01:00
4 changed files with 23 additions and 4 deletions

View File

@@ -799,7 +799,9 @@ static void _auth(xmpp_conn_t *conn)
conn->ctx, "auth", conn->ctx, "auth",
"Password hasn't been set, and SASL ANONYMOUS unsupported."); "Password hasn't been set, and SASL ANONYMOUS unsupported.");
xmpp_disconnect(conn); xmpp_disconnect(conn);
} else if (conn->sasl_support & SASL_MASK_SCRAM) { } else if ((conn->sasl_support & SASL_MASK_SCRAM_PLUS) ||
((conn->sasl_support & SASL_MASK_SCRAM_WEAK) &&
!conn->only_strong_auth)) {
size_t n; size_t n;
scram_ctx = strophe_alloc(conn->ctx, sizeof(*scram_ctx)); scram_ctx = strophe_alloc(conn->ctx, sizeof(*scram_ctx));
memset(scram_ctx, 0, sizeof(*scram_ctx)); memset(scram_ctx, 0, sizeof(*scram_ctx));
@@ -857,7 +859,8 @@ static void _auth(xmpp_conn_t *conn)
/* SASL algorithm was tried, unset flag */ /* SASL algorithm was tried, unset flag */
conn->sasl_support &= ~scram_ctx->alg->mask; conn->sasl_support &= ~scram_ctx->alg->mask;
} else if (conn->sasl_support & SASL_MASK_DIGESTMD5) { } else if ((conn->sasl_support & SASL_MASK_DIGESTMD5) &&
conn->weak_auth_enabled) {
auth = _make_sasl_auth(conn, "DIGEST-MD5"); auth = _make_sasl_auth(conn, "DIGEST-MD5");
if (!auth) { if (!auth) {
disconnect_mem_error(conn); disconnect_mem_error(conn);
@@ -871,7 +874,8 @@ static void _auth(xmpp_conn_t *conn)
/* SASL DIGEST-MD5 was tried, unset flag */ /* SASL DIGEST-MD5 was tried, unset flag */
conn->sasl_support &= ~SASL_MASK_DIGESTMD5; conn->sasl_support &= ~SASL_MASK_DIGESTMD5;
} else if (conn->sasl_support & SASL_MASK_PLAIN) { } else if ((conn->sasl_support & SASL_MASK_PLAIN) &&
conn->weak_auth_enabled) {
auth = _make_sasl_auth(conn, "PLAIN"); auth = _make_sasl_auth(conn, "PLAIN");
if (!auth) { if (!auth) {
disconnect_mem_error(conn); disconnect_mem_error(conn);

View File

@@ -259,6 +259,8 @@ struct _xmpp_conn_t {
int sasl_support; /* if true, field is a bitfield of supported int sasl_support; /* if true, field is a bitfield of supported
mechanisms */ mechanisms */
int auth_legacy_enabled; int auth_legacy_enabled;
int weak_auth_enabled;
int only_strong_auth;
int secured; /* set when stream is secured with TLS */ int secured; /* set when stream is secured with TLS */
xmpp_certfail_handler certfail_handler; xmpp_certfail_handler certfail_handler;
xmpp_password_callback password_callback; xmpp_password_callback password_callback;

View File

@@ -1133,6 +1133,8 @@ long xmpp_conn_get_flags(const xmpp_conn_t *conn)
XMPP_CONN_FLAG_DISABLE_SM * conn->sm_disable | XMPP_CONN_FLAG_DISABLE_SM * conn->sm_disable |
XMPP_CONN_FLAG_ENABLE_COMPRESSION * conn->compression.allowed | XMPP_CONN_FLAG_ENABLE_COMPRESSION * conn->compression.allowed |
XMPP_CONN_FLAG_COMPRESSION_DONT_RESET * conn->compression.dont_reset | XMPP_CONN_FLAG_COMPRESSION_DONT_RESET * conn->compression.dont_reset |
XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled |
XMPP_CONN_FLAG_STRONG_AUTH * conn->only_strong_auth |
XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled; XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled;
return flags; return flags;
@@ -1188,11 +1190,14 @@ int xmpp_conn_set_flags(xmpp_conn_t *conn, long flags)
(flags & XMPP_CONN_FLAG_ENABLE_COMPRESSION) ? 1 : 0; (flags & XMPP_CONN_FLAG_ENABLE_COMPRESSION) ? 1 : 0;
conn->compression.dont_reset = conn->compression.dont_reset =
(flags & XMPP_CONN_FLAG_COMPRESSION_DONT_RESET) ? 1 : 0; (flags & XMPP_CONN_FLAG_COMPRESSION_DONT_RESET) ? 1 : 0;
conn->weak_auth_enabled = (flags & XMPP_CONN_FLAG_WEAK_AUTH) ? 1 : 0;
conn->only_strong_auth = (flags & XMPP_CONN_FLAG_STRONG_AUTH) ? 1 : 0;
flags &= ~(XMPP_CONN_FLAG_DISABLE_TLS | XMPP_CONN_FLAG_MANDATORY_TLS | flags &= ~(XMPP_CONN_FLAG_DISABLE_TLS | XMPP_CONN_FLAG_MANDATORY_TLS |
XMPP_CONN_FLAG_LEGACY_SSL | XMPP_CONN_FLAG_TRUST_TLS | XMPP_CONN_FLAG_LEGACY_SSL | XMPP_CONN_FLAG_TRUST_TLS |
XMPP_CONN_FLAG_LEGACY_AUTH | XMPP_CONN_FLAG_DISABLE_SM | XMPP_CONN_FLAG_LEGACY_AUTH | XMPP_CONN_FLAG_DISABLE_SM |
XMPP_CONN_FLAG_ENABLE_COMPRESSION | XMPP_CONN_FLAG_ENABLE_COMPRESSION |
XMPP_CONN_FLAG_COMPRESSION_DONT_RESET); XMPP_CONN_FLAG_COMPRESSION_DONT_RESET |
XMPP_CONN_FLAG_WEAK_AUTH | XMPP_CONN_FLAG_STRONG_AUTH);
if (flags) { if (flags) {
strophe_error(conn->ctx, "conn", "Flags 0x%04lx unknown", flags); strophe_error(conn->ctx, "conn", "Flags 0x%04lx unknown", flags);
return XMPP_EINVOP; return XMPP_EINVOP;

View File

@@ -208,6 +208,14 @@ typedef struct _xmpp_sm_t xmpp_sm_state_t;
* Only enable this flag if you know what you're doing. * Only enable this flag if you know what you're doing.
*/ */
#define XMPP_CONN_FLAG_COMPRESSION_DONT_RESET (1UL << 7) #define XMPP_CONN_FLAG_COMPRESSION_DONT_RESET (1UL << 7)
/** @def XMPP_CONN_FLAG_WEAK_AUTH
* Allow weak authentication methods (DIGEST-MD5 and PLAIN).
*/
#define XMPP_CONN_FLAG_WEAK_AUTH (1UL << 8)
/** @def XMPP_CONN_FLAG_STRONG_AUTH
* Only allow strong authentication methods (Only the SCRAM-*-PLUS variants).
*/
#define XMPP_CONN_FLAG_STRONG_AUTH (1UL << 9)
/* connect callback */ /* connect callback */
typedef enum { typedef enum {