From 5e25c05e08b32fa08f198b446dc115c572cddf19 Mon Sep 17 00:00:00 2001
From: Steffen Jaeckel
Date: Tue, 31 Oct 2023 13:13:48 +0100
Subject: [PATCH] Disable weak authentication methods per default

Signed-off-by: Steffen Jaeckel
---
 src/auth.c | 6 ++++--
 src/common.h | 1 +
 src/conn.c | 4 +++-
 strophe.h | 4 ++++
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/auth.c b/src/auth.c
index 2f742177..0b1dee80 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -833,7 +833,8 @@ static void _auth(xmpp_conn_t *conn)
 /* SASL algorithm was tried, unset flag */
 conn->sasl_support &= ~scram_ctx->alg->mask;
- } else if (conn->sasl_support & SASL_MASK_DIGESTMD5) {
+ } else if ((conn->sasl_support & SASL_MASK_DIGESTMD5) &&
+ conn->weak_auth_enabled) {
 auth = _make_sasl_auth(conn, "DIGEST-MD5");
 if (!auth) {
 disconnect_mem_error(conn);
@@ -847,7 +848,8 @@ static void _auth(xmpp_conn_t *conn)
 /* SASL DIGEST-MD5 was tried, unset flag */
 conn->sasl_support &= ~SASL_MASK_DIGESTMD5;
- } else if (conn->sasl_support & SASL_MASK_PLAIN) {
+ } else if ((conn->sasl_support & SASL_MASK_PLAIN) &&
+ conn->weak_auth_enabled) {
 auth = _make_sasl_auth(conn, "PLAIN");
 if (!auth) {
 disconnect_mem_error(conn);
diff --git a/src/common.h b/src/common.h
index 3e521ced..6534eb40 100644
--- a/src/common.h
+++ b/src/common.h
@@ -232,6 +232,7 @@ struct _xmpp_conn_t {
 int sasl_support; /* if true, field is a bitfield of supported mechanisms */
 int auth_legacy_enabled;
+ int weak_auth_enabled;
 int secured; /* set when stream is secured with TLS */
 xmpp_certfail_handler certfail_handler;
 xmpp_password_callback password_callback;
diff --git a/src/conn.c b/src/conn.c
index e9bf0afc..5328497d 100644
--- a/src/conn.c
+++ b/src/conn.c
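Review bot: With `weak_auth_enabled` left at its default, a server that offers only DIGEST-MD5 or PLAIN now skips the new branch and falls into whatever closes the `else if` chain, which lies outside this hunk; that path should make the cause visible, for example a log line naming XMPP_CONN_FLAG_WEAK_AUTH, otherwise callers see a generic authentication failure with no hint that the mechanism was deliberately refused. The same gate is added in the second src/auth.c hunk for PLAIN, so one diagnostic at the end of the chain covers both. A short comment above the first gated branch would also help a reader who lands here: `/* DIGEST-MD5 and PLAIN are opt-in via XMPP_CONN_FLAG_WEAK_AUTH; skipped otherwise */`. `_auth` starts and ends outside the hunk, so whether the fall-through branch already logs cannot be confirmed from here.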
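Review bot: The PLAIN branch is gated only on the opt-in flag, so once an application sets XMPP_CONN_FLAG_WEAK_AUTH the credential can still be offered over a stream that was never TLS-secured, unless a check outside this hunk already refuses that. The connection tracks exactly this state in `conn->secured` (see the src/common.h hunk), so the gate could read `} else if ((conn->sasl_support & SASL_MASK_PLAIN) && conn->weak_auth_enabled && conn->secured) {` if the intent is that the flag relaxes only the mechanism choice and not the transport requirement; whether DIGEST-MD5 should get the same treatment is a policy call for the maintainers. Whichever behaviour is chosen should be stated in the flag's documentation in strophe.h. `_auth` starts and ends outside the hunk.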
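Review bot: `weak_auth_enabled` is added to `struct _xmpp_conn_t`, but the only write in this patch is in `xmpp_conn_set_flags` (src/conn.c hunk) and no hunk touches the connection constructor; unless `xmpp_conn_new` zero-fills the struct, a connection whose owner never calls `xmpp_conn_set_flags` would read an indeterminate value in `_auth` and the "disabled by default" guarantee would not hold. Please confirm the constructor sets it to 0, ideally explicitly since that is the security-relevant default. The neighbouring fields carry trailing comments, so the new one should too: `int weak_auth_enabled; /* allow DIGEST-MD5 and PLAIN, set via XMPP_CONN_FLAG_WEAK_AUTH */`. The struct definition starts and ends outside the hunk.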
@@ -1111,7 +1111,8 @@ long xmpp_conn_get_flags(const xmpp_conn_t *conn)
 XMPP_CONN_FLAG_LEGACY_SSL * conn->tls_legacy_ssl |
 XMPP_CONN_FLAG_TRUST_TLS * conn->tls_trust |
 XMPP_CONN_FLAG_DISABLE_SM * conn->sm_disable |
- XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled;
+ XMPP_CONN_FLAG_LEGACY_AUTH * conn->auth_legacy_enabled |
+ XMPP_CONN_FLAG_WEAK_AUTH * conn->weak_auth_enabled;
 return flags;
 }
@@ -1160,6 +1161,7 @@ int xmpp_conn_set_flags(xmpp_conn_t *conn, long flags)
 conn->tls_trust = (flags & XMPP_CONN_FLAG_TRUST_TLS) ? 1 : 0;
 conn->auth_legacy_enabled = (flags & XMPP_CONN_FLAG_LEGACY_AUTH) ? 1 : 0;
 conn->sm_disable = (flags & XMPP_CONN_FLAG_DISABLE_SM) ? 1 : 0;
+ conn->weak_auth_enabled = (flags & XMPP_CONN_FLAG_WEAK_AUTH) ? 1 : 0;
 return 0;
 }
diff --git a/strophe.h b/strophe.h
index 8f347bb3..8035d07c 100644
--- a/strophe.h
+++ b/strophe.h
@@ -191,6 +191,10 @@ typedef struct _xmpp_sm_t xmpp_sm_state_t;
 * Disable Stream-Management XEP-0198.
 */
 #define XMPP_CONN_FLAG_DISABLE_SM (1UL << 5)
+/** @def XMPP_CONN_FLAG_WEAK_AUTH
+ * Allow weak authentication methods (DIGEST-MD5 and PLAIN).
+ */
+#define XMPP_CONN_FLAG_WEAK_AUTH (1UL << 6)
 /* connect callback */
 typedef enum {
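Review bot: The new doc comment on XMPP_CONN_FLAG_WEAK_AUTH says what the flag allows but not that these mechanisms are now off by default or what that means for an upgrading application, which is the part callers need. Extend it to state that without the flag the connection will not attempt DIGEST-MD5 or PLAIN and authentication fails when the server offers nothing stronger, that PLAIN exposes the password to anyone who can read the stream unless it is TLS-secured, and that DIGEST-MD5 is obsolete (RFC 6331). Since this changes the default behaviour of an existing API, the flag and the new `(1UL << 6)` bit also belong in the release notes.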