Force SASL2+SCRAM for yax.im (already forced for conversations.im)

Author: tmolitor-stud-tu

Monal/Classes/MLXMPPManager.m

@@ -789,6 +789,7 @@ -(NSNumber*) login:(NSString*) jid password:(NSString*) password
     MLAssert([elements count] > 1, @"Got invalid jid", (@{@"jid": nilWrapper(jid), @"elements": elements}));
     NSString* domain = ((NSString*)[elements objectAtIndex:1]).lowercaseString;
 
+    //THE FOLLOWING ARE OUTDATED THOUGHTS, WE CURRENTLY WANT TO ALLOW PLAIN AND ONLY BLOCK PLAIN FOR KNOWN PLAIN-OFF SERVERS
     //we don't want to set kPlainActivated (not even according to our preload list) and default to plain_activated=false,
     //because the error message will warn the user and direct them to the advanced account creation menu to activate PLAIN
     //if they still want to connect to this server
@@ -798,7 +799,7 @@ -(NSNumber*) login:(NSString*) jid password:(NSString*) password
     //TODO: use preload list and allow PLAIN for all others once enough domains are on this list
     //allow plain for all servers not on preload list, since prosody with SASL2 wasn't even released yet
     BOOL defaultPlainActivated = YES;
-    BOOL plainActivated = ([domain isEqualToString:@"yax.im"] || [domain isEqualToString:@"quicksy.im"]) ? YES : defaultPlainActivated;
+    BOOL plainActivated = ([domain isEqualToString:@"yax.im"] || [domain isEqualToString:@"quicksy.im"] || [domain isEqualToString:@"conversations.im"]) ? NO : defaultPlainActivated;
 
     return [self login:jid password:password hardcodedServer:nil hardcodedPort:nil forceDirectTLS:NO allowPlainAuth:plainActivated];
 }

Monal/Classes/OneClickRegistration.swift

@@ -110,11 +110,11 @@ struct OneClickRegistration: View {
                         kDirectTLS: false,
                         //creating an account involves transfering the password in cleartext only secured by TLS
                         //--> logging in directly afterwards using PLAIN doesn't make the situation any worse ==> allow it
-                        //conversations.im already supports sasl2 and scram ## TODO: use SCRAM preload list
+                        //conversations.im and yax.im already support sasl2 and scram ## TODO: use SCRAM preload list
                         //using the preload list in this case won't solve the situation, but increase the attack cost because
                         //stripping off SASL2 won't suffice anymore (the attacker will have to use the password sniffed during account creation
                         //to fake the SCRAM HMAC sent to both client and server)
-                        kPlainActivated: self.actualServer == "conversations.im" ? false : true,
+                        kPlainActivated: !["yax.im", "conversations.im"].contains(self.actualServer),
                     ] as [String : Any]
 
                     let accountID = DataLayer.sharedInstance().addAccount(with: dic);

Monal/Classes/RegisterAccount.swift

@@ -184,11 +184,11 @@ struct RegisterAccount: View {
                         kDirectTLS: false,
                         //creating an account involves transfering the password in cleartext only secured by TLS
                         //--> logging in directly afterwards using PLAIN doesn't make the situation any worse ==> allow it
-                        //conversations.im already supports sasl2 and scram ## TODO: use SCRAM preload list
+                        //conversations.im and yax.im already support sasl2 and scram ## TODO: use SCRAM preload list
                         //using the preload list in this case won't solve the situation, but increase the attack cost because
                         //stripping off SASL2 won't suffice anymore (the attacker will have to use the password sniffed during account creation
                         //to fake the SCRAM HMAC sent to both client and server)
-                        kPlainActivated: self.actualServer == "conversations.im" ? false : true,
+                        kPlainActivated: !["yax.im", "conversations.im"].contains(self.actualServer),
                     ] as [String : Any]
 
                     let accountID = DataLayer.sharedInstance().addAccount(with: dic);

Monal/Classes/WelcomeLogIn.swift

@@ -241,9 +241,9 @@ struct WelcomeLogIn: View {
                                     Text("Allow MITM-prone PLAIN authentication")
                                 }
                                 // TODO: use the SCRAM preload list instead of hardcoding servers
-                                .disabled(["conversations.im"].contains(jidDomainPart.lowercased()))
+                                .disabled(["yax.im", "conversations.im"].contains(jidDomainPart.lowercased()))
                                 .onChange(of: jid) { _ in
-                                    if ["conversations.im"].contains(jidDomainPart.lowercased()) {
+                                    if ["yax.im", "conversations.im"].contains(jidDomainPart.lowercased()) {
                                         allowPlainAuth = false
                                     }
                                 }

Monal/Classes/XMPPEdit.m

@@ -340,8 +340,8 @@ -(IBAction) save:(id) sender
     if(self.statusMessage)
         [dic setObject:[self.statusMessage stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]] forKey:@"statusMessage"];
 
-    //conversations.im already supports sasl2 and scram ## TODO: use SCRAM preload list
-    [dic setObject:([domain.lowercaseString isEqualToString:@"conversations.im"] ? @NO : @(self.plainActivated)) forKey:kPlainActivated];
+    //conversations.im and yax,im already support sasl2 and scram ## TODO: use SCRAM preload list
+    [dic setObject:([domain.lowercaseString isEqualToString:@"yax.im"] || [domain.lowercaseString isEqualToString:@"conversations.im"] ? @NO : @(self.plainActivated)) forKey:kPlainActivated];
 
     if(!self.editMode)
     {