authorJeremy Lainé <jeremy.laine@m4x.org>2019-01-17 23:25:37 +0100
committerJeremy Lainé <jeremy.laine@m4x.org>2019-01-18 14:02:50 +0100
commit2a34abcd74d8d8369d81d9e4131d34185d9154a5 (patch)
tree1e4eaba43ff49bc34a317601b978bc2296eee2be /src
parentbce9ca477709ae0876e7b7682034f49cdd010f27 (diff)
[sasl] order mechanisms to prefer the most secure
The previous logic was:
- use the preferred SASL mechanism if available
- otherwise use the first supported mechanism offered by the server

However RFC 6120, section 6.3.3 states:

"The initiating entity MUST maintain its own preference order independent of the preference order of the receiving entity."

The new logic is:
- order our supported mechanisms from most secure to least secure
- if the user sets QXmppConfiguration::saslMechanism, put it first
- use the best mechanism supported by the server
Diffstat (limited to 'src')
-rw-r--r--src/base/QXmppSasl.cpp4
-rw-r--r--src/client/QXmppConfiguration.cpp6
-rw-r--r--src/client/QXmppOutgoingClient.cpp15
3 files changed, 12 insertions, 13 deletions
diff --git a/src/base/QXmppSasl.cpp b/src/base/QXmppSasl.cpp
index b47886f7..6d57ee09 100644
--- a/src/base/QXmppSasl.cpp
+++ b/src/base/QXmppSasl.cpp
@@ -272,8 +272,8 @@ QXmppSaslClient::~QXmppSaslClient()
QStringList QXmppSaslClient::availableMechanisms()
{
- return QStringList() << "PLAIN" << "DIGEST-MD5" << "ANONYMOUS"
- << "SCRAM-SHA-1" << "SCRAM-SHA-256"
+ return QStringList() << "SCRAM-SHA-256" << "SCRAM-SHA-1" << "DIGEST-MD5"
+ << "PLAIN" << "ANONYMOUS"
<< "X-FACEBOOK-PLATFORM" << "X-MESSENGER-OAUTH2" << "X-OAUTH2";
}
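Review bot: The order of this list is now what decides which mechanism the client authenticates with, but nothing in availableMechanisms() says so, and a later edit that appends or alphabetises entries would silently weaken authentication. Add a comment above the return, e.g. `// Ordered from most to least preferred: QXmppOutgoingClient picks the first entry the server also offers, so keep the strongest mechanisms first.` Note also that ANONYMOUS now ranks above X-FACEBOOK-PLATFORM, X-MESSENGER-OAUTH2 and X-OAUTH2, so on a server that advertises ANONYMOUS a client holding one of those tokens would be authenticated anonymously unless code outside these hunks removes ANONYMOUS when credentials are configured; worth confirming before merging.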
diff --git a/src/client/QXmppConfiguration.cpp b/src/client/QXmppConfiguration.cpp
index 817e8ee6..9b56b7c5 100644
--- a/src/client/QXmppConfiguration.cpp
+++ b/src/client/QXmppConfiguration.cpp
@@ -90,7 +90,6 @@ QXmppConfigurationPrivate::QXmppConfigurationPrivate()
, ignoreSslErrors(false)
, streamSecurityMode(QXmppConfiguration::TLSEnabled)
, nonSASLAuthMechanism(QXmppConfiguration::NonSASLDigest)
- , saslAuthMechanism("DIGEST-MD5")
{
}
@@ -501,8 +500,6 @@ void QXmppConfiguration::setNonSASLAuthMechanism(
}
/// Returns the preferred SASL authentication mechanism.
-///
-/// Default value: "DIGEST-MD5"
QString QXmppConfiguration::saslAuthMechanism() const
{
@@ -511,7 +508,8 @@ QString QXmppConfiguration::saslAuthMechanism() const
/// Sets the preferred SASL authentication \a mechanism.
///
-/// Valid values: "PLAIN", "DIGEST-MD5", "ANONYMOUS", "X-FACEBOOK-PLATFORM"
+/// Valid values: "SCRAM-SHA-256", "SCRAM-SHA-1", "DIGEST-MD5", "PLAIN", "ANONYMOUS",
+// "X-FACEBOOK-PLATFORM", "X-MESSENGER-OAUTH2", "X-OAUTH2"
void QXmppConfiguration::setSaslAuthMechanism(const QString &mechanism)
{
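Review bot: The continuation line of the new "Valid values" comment (the one starting with "X-FACEBOOK-PLATFORM") is written with `//` rather than `///`, so Doxygen drops it and the documented list of accepted mechanisms ends after "ANONYMOUS"; change it to `/// "X-FACEBOOK-PLATFORM", "X-MESSENGER-OAUTH2", "X-OAUTH2"`. With the "DIGEST-MD5" default removed from both the constructor initialiser and the getter comment, the getter no longer states what an unset value means; add `/// Default value: empty, in which case the client's own preference order (QXmppSaslClient::availableMechanisms()) is used.` after the first line of that comment. The body of setSaslAuthMechanism continues outside the hunk.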
diff --git a/src/client/QXmppOutgoingClient.cpp b/src/client/QXmppOutgoingClient.cpp
index 1fcb7c28..aef68070 100644
--- a/src/client/QXmppOutgoingClient.cpp
+++ b/src/client/QXmppOutgoingClient.cpp
@@ -451,8 +451,12 @@ void QXmppOutgoingClient::handleStanza(const QDomElement &nodeRecv)
if (saslAvailable && configuration().useSASLAuthentication())
{
// supported and preferred SASL auth mechanisms
- QStringList supportedMechanisms = QXmppSaslClient::availableMechanisms();
const QString preferredMechanism = configuration().saslAuthMechanism();
+ QStringList supportedMechanisms = QXmppSaslClient::availableMechanisms();
+ if (supportedMechanisms.contains(preferredMechanism)) {
+ supportedMechanisms.removeAll(preferredMechanism);
+ supportedMechanisms.prepend(preferredMechanism);
+ }
if (configuration().facebookAppId().isEmpty() || configuration().facebookAccessToken().isEmpty())
supportedMechanisms.removeAll("X-FACEBOOK-PLATFORM");
if (configuration().windowsLiveAccessToken().isEmpty())
@@ -463,19 +467,16 @@ void QXmppOutgoingClient::handleStanza(const QDomElement &nodeRecv)
// determine SASL Authentication mechanism to use
QStringList commonMechanisms;
QString usedMechanism;
- foreach (const QString &mechanism, features.authMechanisms()) {
- if (supportedMechanisms.contains(mechanism))
+ foreach (const QString &mechanism, supportedMechanisms) {
+ if (features.authMechanisms().contains(mechanism))
commonMechanisms << mechanism;
}
if (commonMechanisms.isEmpty()) {
warning("No supported SASL Authentication mechanism available");
disconnectFromHost();
return;
- } else if (!commonMechanisms.contains(preferredMechanism)) {
- info(QString("Desired SASL Auth mechanism '%1' is not available, selecting first available one").arg(preferredMechanism));
- usedMechanism = commonMechanisms.first();
} else {
- usedMechanism = preferredMechanism;
+ usedMechanism = commonMechanisms.first();
}
d->saslClient = QXmppSaslClient::create(usedMechanism, this);
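Review bot: Dropping the `else if` branch also drops the only diagnostic for a configured saslAuthMechanism that the server does not offer, so a user who set one now gets a silent fallback to whatever ranks next; after the selection add `if (!preferredMechanism.isEmpty() && usedMechanism != preferredMechanism) info(QString("Desired SASL Auth mechanism '%1' is not available, using '%2'").arg(preferredMechanism, usedMechanism));`. The preference order is a ranking, not a floor: if the server advertises only PLAIN, or the feature list reaching the client has been reduced to it, PLAIN is still chosen, so the chosen mechanism should at least be logged so a downgrade is visible in the client log. In the loop, `features.authMechanisms()` is re-evaluated once per candidate; hoisting it into `const QStringList serverMechanisms = features.authMechanisms();` before the loop is cheaper and reads better. handleStanza begins before the first hunk and continues past this one.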