From 2a34abcd74d8d8369d81d9e4131d34185d9154a5 Mon Sep 17 00:00:00 2001
From: Jeremy Lainé
Date: Thu, 17 Jan 2019 23:25:37 +0100
Subject: [sasl] order mechanisms to prefer the most secure

The previous logic was:
- use the preferred SASL mechanism if available
- otherwise use the first supported mechanism offered by the server

However RFC 6120, section 6.3.3 states:

"The initiating entity MUST maintain its own preference order independent of the preference order of the receiving entity."

The new logic is:
- order our supported mechanisms from most secure to least secure
- if the user sets QXmppConfiguration::saslMechanism, put it first
- use the best mechanism supported by the server
---
 src/base/QXmppSasl.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/base/QXmppSasl.cpp')

diff --git a/src/base/QXmppSasl.cpp b/src/base/QXmppSasl.cpp
index b47886f7..6d57ee09 100644
--- a/src/base/QXmppSasl.cpp
+++ b/src/base/QXmppSasl.cpp
@@ -272,8 +272,8 @@ QXmppSaslClient::~QXmppSaslClient()
 QStringList QXmppSaslClient::availableMechanisms()
 {
- return QStringList() << "PLAIN" << "DIGEST-MD5" << "ANONYMOUS"
- << "SCRAM-SHA-1" << "SCRAM-SHA-256"
+ return QStringList() << "SCRAM-SHA-256" << "SCRAM-SHA-1" << "DIGEST-MD5"
+ << "PLAIN" << "ANONYMOUS"
 << "X-FACEBOOK-PLATFORM" << "X-MESSENGER-OAUTH2" << "X-OAUTH2";
 }
-- 
cgit v1.2.3
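Review bot: The new order in availableMechanisms() now encodes a security ranking, but nothing at the definition says so, so a later contributor appending a stronger mechanism at the end (or inserting one in the wrong slot) would silently change which one wins; add a comment above the return, e.g. `// Ordered from most to least secure (RFC 6120 section 6.3.3): the client keeps its own preference and the first entry the server also offers is used.` The list still ends with PLAIN and ANONYMOUS, so if the selection code elsewhere simply takes the best common entry with no floor, a server that offers only PLAIN, or a stream that is not TLS-protected, still results in a plaintext password being sent; that selection logic is outside this hunk, so it is worth confirming there that PLAIN is only chosen over an encrypted stream and that ANONYMOUS is never picked when credentials are configured. The X-FACEBOOK-PLATFORM, X-MESSENGER-OAUTH2 and X-OAUTH2 entries sit after ANONYMOUS, which reads as "least secure" although they are credential-type-specific rather than weaker; a short comment such as `// token-based legacy mechanisms: only usable with their own credential type` on that line would avoid the misreading.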