Make non-standard SCRAM SHA algos opt-in

.github/workflows/main.yml

@@ -16,7 +16,7 @@ jobs:
         libsoup2.4-dev libsasl2-modules-gssapi-mit libsqlite3-dev libssl-dev libgnutls28-dev \
         gnutls-bin gobject-introspection libgirepository1.0-dev gtk-doc-tools
     - name: Bootstrap
-      run: meson _b -Dgoogle-relay=true -Dintrospection=enabled -Dgtk_doc=true
+      run: meson _b -Dgoogle-relay=true -Dintrospection=enabled -Dgtk_doc=true -Dnonstandard-scram=true
     - name: Syntax
       run: ninja -C _b check
     - name: Build

meson.build

@@ -109,6 +109,10 @@ if get_option('debug')
   defines += 'ENABLE_DEBUG'
 endif
 
+if get_option('nonstandard-scram')
+  defines += 'WOCKY_SCRAM_NONSTANDARD'
+endif
+
 if get_option('google-relay')
   defines += 'ENABLE_GOOGLE_RELAY'
 endif

meson_options.txt

@@ -4,3 +4,4 @@ option('code-style-check', type: 'boolean', description: 'enable coding style ch
 option('install-headers', type: 'string', description: 'install development headers here')
 option('libdir-suffix', type: 'string', description: 'install a shared library into project-specific subdir')
 option('google-relay', type: 'boolean', value: false, description: 'enable google jingle relay support', yield: true)
+option('nonstandard-scram', type: 'boolean', value: false, description: 'enable non-standard scram methods', yield: true)

tests/wocky-connector-test.c

@@ -74,6 +74,12 @@
 #define DEFAULT_SASL_MECH "SCRAM-SHA-1"
 #endif
 
+#ifdef WOCKY_SCRAM_NONSTANDARD
+#define BINDING_SCRAM_MECH "SCRAM-SHA-512-PLUS"
+#else
+#define BINDING_SCRAM_MECH "SCRAM-SHA-256-PLUS"
+#endif
+
 #define PORT_XMPP 5222
 #define PORT_NONE 0
 
@@ -944,7 +950,7 @@ test_t tests[] =
      { "/connector/auth/sasl/binding",
       NOISY,
       { S_NO_ERROR },
-      { { TLS, "SCRAM-SHA-512-PLUS" },
+      { { TLS, BINDING_SCRAM_MECH },
         { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK },
         { "moose", "something" },
         PORT_XMPP },
@@ -956,7 +962,7 @@ test_t tests[] =
      { "/connector/auth/sasl/bad-binding-data",
       NOISY,
       { S_WOCKY_AUTH_ERROR, WOCKY_AUTH_ERROR_FAILURE, -1 },
-      { { TLS, "SCRAM-SHA-512-PLUS" },
+      { { TLS, BINDING_SCRAM_MECH },
         { SERVER_PROBLEM_MANGLED_BINDING_DATA, CONNECTOR_OK },
         { "moose", "something" },
         PORT_XMPP },
@@ -968,7 +974,7 @@ test_t tests[] =
      { "/connector/auth/sasl/bad-binding-flag",
       NOISY,
       { S_WOCKY_AUTH_ERROR, WOCKY_AUTH_ERROR_FAILURE, -1 },
-      { { TLS, "SCRAM-SHA-512-PLUS" },
+      { { TLS, BINDING_SCRAM_MECH },
         { SERVER_PROBLEM_MANGLED_BINDING_FLAG, CONNECTOR_OK },
         { "moose", "something" },
         PORT_XMPP },
@@ -980,7 +986,7 @@ test_t tests[] =
      { "/connector/auth/sasl/scrambled-binding",
       NOISY,
       { S_WOCKY_AUTH_ERROR, WOCKY_AUTH_ERROR_INVALID_REPLY, -1 },
-      { { TLS, "SCRAM-SHA-512-PLUS" },
+      { { TLS, BINDING_SCRAM_MECH },
         { SERVER_PROBLEM_SCRAMBLED_BINDING, CONNECTOR_OK },
         { "moose", "something" },
         PORT_XMPP },

tests/wocky-test-sasl-auth-server.c

@@ -68,6 +68,14 @@ G_STMT_START   {                                       \
 
 #endif
 
+#ifdef WOCKY_SCRAM_NONSTANDARD
+#define BINDING_SCRAM_MECH "SCRAM-SHA-512-PLUS"
+#define BINDING_SCRAM_ALGO G_CHECKSUM_SHA512
+#else
+#define BINDING_SCRAM_MECH "SCRAM-SHA-256-PLUS"
+#define BINDING_SCRAM_ALGO G_CHECKSUM_SHA256
+#endif
+
 #if 0
 /* signal enum */
 enum
@@ -770,7 +778,7 @@ handle_auth (TestSaslAuthServer *self, WockyStanza *stanza)
       ret = wocky_strdiff ((gchar *) response, priv->password) ?
           SASL_BADAUTH : SASL_OK;
     }
-  else if (!wocky_strdiff ("SCRAM-SHA-512-PLUS", priv->selected_mech))
+  else if (!wocky_strdiff (BINDING_SCRAM_MECH, priv->selected_mech))
     {
       ScramRes res = { self, NULL, FALSE };
       GIOStream *ios = NULL;
@@ -1057,7 +1065,7 @@ handle_response (TestSaslAuthServer *self, WockyStanza *stanza)
           &response_len);
     }
 
-  if (!wocky_strdiff ("SCRAM-SHA-512-PLUS", priv->selected_mech))
+  if (!wocky_strdiff (BINDING_SCRAM_MECH, priv->selected_mech))
     {
       ScramRes res = { self, NULL, FALSE };
 
@@ -1324,10 +1332,10 @@ test_sasl_auth_server_new (GIOStream *stream, gchar *mech,
   priv->mech = g_strdup (mech);
   priv->problem = problem;
 
-  if (!wocky_strdiff ("SCRAM-SHA-512-PLUS", mech))
+  if (!wocky_strdiff (BINDING_SCRAM_MECH, mech))
     {
       priv->scram = g_object_new (WOCKY_TYPE_SASL_SCRAM, "server", servername,
-          "hash-algo", G_CHECKSUM_SHA512, NULL);
+          "hash-algo", BINDING_SCRAM_ALGO, NULL);
     }
 
   if (start)

tests/wocky-test-sasl-auth.c

@@ -11,6 +11,12 @@
 
 #include <wocky/wocky.h>
 
+#ifdef WOCKY_SCRAM_NONSTANDARD
+#define BINDING_SCRAM_MECH "SCRAM-SHA-512-PLUS"
+#else
+#define BINDING_SCRAM_MECH "SCRAM-SHA-256-PLUS"
+#endif
+
 typedef struct {
   gchar *description;
   gchar *mech;
@@ -280,8 +286,8 @@ main (int argc,
        0, 0, SERVER_PROBLEM_FINAL_DATA_IN_SUCCESS, FALSE, FALSE,
        "test", "test123", NULL },
 
-    SUCCESS("/xmpp-sasl/scram-sha2-plus-multistep", "SCRAM-SHA-512-PLUS", TRUE),
-    { "/xmpp-sasl/scram-sha2-final-data-in-success", "SCRAM-SHA-512-PLUS", TRUE,
+    SUCCESS("/xmpp-sasl/scram-sha2-plus-multistep", BINDING_SCRAM_MECH, TRUE),
+    { "/xmpp-sasl/scram-sha2-final-data-in-success", BINDING_SCRAM_MECH, TRUE,
        0, 0, SERVER_PROBLEM_FINAL_DATA_IN_SUCCESS, FALSE, FALSE,
        "test", "test123", NULL },
 
@@ -301,7 +307,7 @@ main (int argc,
     { "/xmpp-sasl/wrong-username-md5", "DIGEST-MD5", TRUE,
        WOCKY_AUTH_ERROR, WOCKY_AUTH_ERROR_FAILURE,
        SERVER_PROBLEM_INVALID_USERNAME, TRUE, FALSE, "test", "test123" },
-    { "/xmpp-sasl/wrong-username-sha2", "SCRAM-SHA-512-PLUS", TRUE,
+    { "/xmpp-sasl/wrong-username-sha2", BINDING_SCRAM_MECH, TRUE,
        WOCKY_AUTH_ERROR, WOCKY_AUTH_ERROR_FAILURE,
        SERVER_PROBLEM_INVALID_USERNAME, TRUE, FALSE, "test", "test123" },
 
@@ -311,7 +317,7 @@ main (int argc,
     { "/xmpp-sasl/wrong-password-md5", "DIGEST-MD5", TRUE,
        WOCKY_AUTH_ERROR, WOCKY_AUTH_ERROR_FAILURE,
        SERVER_PROBLEM_INVALID_PASSWORD, FALSE, TRUE, "test", "test123" },
-    { "/xmpp-sasl/wrong-password-sha2", "SCRAM-SHA-512-PLUS", TRUE,
+    { "/xmpp-sasl/wrong-password-sha2", BINDING_SCRAM_MECH, TRUE,
        WOCKY_AUTH_ERROR, WOCKY_AUTH_ERROR_FAILURE,
        SERVER_PROBLEM_INVALID_PASSWORD, FALSE, TRUE, "test", "test123" },
 

wocky/wocky-auth-registry.c

@@ -309,8 +309,10 @@ wocky_auth_registry_select_handler (WockyAuthRegistry *self,
     gboolean is_plus;
     GChecksumType algo;
   } scram_handlers[] = {
+#ifdef WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512
     { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512_PLUS, TRUE, G_CHECKSUM_SHA512 },
     { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512, FALSE, G_CHECKSUM_SHA512 },
+#endif
 #ifdef WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384
     { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384_PLUS, TRUE, G_CHECKSUM_SHA384 },
     { WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384, FALSE, G_CHECKSUM_SHA384 },

wocky/wocky-auth-registry.h

@@ -62,12 +62,14 @@ typedef enum
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_1_PLUS "SCRAM-SHA-1-PLUS"
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_256 "SCRAM-SHA-256"
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_256_PLUS "SCRAM-SHA-256-PLUS"
+#ifdef WOCKY_SCRAM_NONSTANDARD
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512 "SCRAM-SHA-512"
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_512_PLUS "SCRAM-SHA-512-PLUS"
 #if GLIB_VERSION_CUR_STABLE >= GLIB_VERSION_2_52
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384 "SCRAM-SHA-384"
 #define WOCKY_AUTH_MECH_SASL_SCRAM_SHA_384_PLUS "SCRAM-SHA-384-PLUS"
 #endif
+#endif
 
 /**
  * WockyTLSBindingType