Add option to disable XEP-0474: SASL SCRAM Downgrade Protection support
Looks like clients using strophejs aren't able to authenticate when we add the data required by that spec to SCRAM packets, so at least give a way to disable this until clients are fixed.
This commit is contained in:
parent
6c691a73bd
commit
29ec5bff60
2
mix.exs
2
mix.exs
@ -114,7 +114,7 @@ defmodule Ejabberd.MixProject do
|
||||
{:p1_utils, "~> 1.0"},
|
||||
{:pkix, "~> 1.0"},
|
||||
{:stringprep, ">= 1.0.26"},
|
||||
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "26dd833dcf66ebb790d9afe212b7a26f3a6c2328", override: true},
|
||||
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", override: true},
|
||||
{:yconf, "~> 1.0"}]
|
||||
++ cond_deps()
|
||||
end
|
||||
|
2
mix.lock
2
mix.lock
@ -43,6 +43,6 @@
|
||||
"stringprep": {:hex, :stringprep, "1.0.29", "02f23e8c3a219a3dfe40a22e908bece3a2f68af0ff599ea8a7b714ecb21e62ee", [:rebar3], [{:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "928eba304c3006eb1512110ebd7b87db163b00859a09375a1e4466152c6c462a"},
|
||||
"stun": {:hex, :stun, "1.2.10", "53f8be69e14f9476dcaf1dfb626b9dad2380f3fba8faf2c30bdf74311cfdc008", [:rebar3], [{:fast_tls, "1.1.16", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "19d3eecbfcc6935f0880f8ef7e77ff373900c604092937a1acda166ae3fb40e9"},
|
||||
"unicode_util_compat": {:hex, :unicode_util_compat, "0.4.1", "d869e4c68901dd9531385bb0c8c40444ebf624e60b6962d95952775cac5e90cd", [:rebar3], [], "hexpm", "1d1848c40487cdb0b30e8ed975e34e025860c02e419cb615d255849f3427439d"},
|
||||
"xmpp": {:git, "https://github.com/processone/xmpp.git", "ded8be8c169487688b11130eda566b1377ab3301", [ref: "ded8be8c169487688b11130eda566b1377ab3301"]},
|
||||
"xmpp": {:git, "https://github.com/processone/xmpp.git", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", [ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"]},
|
||||
"yconf": {:hex, :yconf, "1.0.15", "e22998b3d7728270bdd06162a9515bd142b14fae8927cbdbd3ef639c32aa6f7a", [:rebar3], [{:fast_yaml, "1.0.36", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "7ff2ab24d3c9833842716b9aaaa01a8f96641a7695cbb701b03445c4def01117"},
|
||||
}
|
||||
|
@ -77,7 +77,7 @@
|
||||
{stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.29"}}},
|
||||
{if_var_true, stun,
|
||||
{stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.2.10"}}}},
|
||||
{xmpp, ".*", {git, "https://github.com/processone/xmpp", "26dd833dcf66ebb790d9afe212b7a26f3a6c2328"}},
|
||||
{xmpp, ".*", {git, "https://github.com/processone/xmpp", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"}},
|
||||
{yconf, ".*", {git, "https://github.com/processone/yconf", {tag, "1.0.15"}}}
|
||||
]}.
|
||||
|
||||
|
@ -43,7 +43,7 @@
|
||||
handle_recv/3, handle_cdata/2, handle_unbinded_packet/2,
|
||||
inline_stream_features/1, handle_sasl2_inline/2,
|
||||
handle_sasl2_inline_post/3, handle_bind2_inline/2,
|
||||
handle_bind2_inline_post/3]).
|
||||
handle_bind2_inline_post/3, sasl_options/1]).
|
||||
%% Hooks
|
||||
-export([handle_unexpected_cast/2, handle_unexpected_call/3,
|
||||
process_auth_result/3, reject_unauthenticated_packet/2,
|
||||
@ -418,6 +418,12 @@ sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = St
|
||||
(_) -> false
|
||||
end, Mechs -- Mechs1).
|
||||
|
||||
sasl_options(#{lserver := LServer}) ->
|
||||
case ejabberd_option:disable_sasl_scram_downgrade_protection(LServer) of
|
||||
true -> [{scram_downgrade_protection, false}];
|
||||
_ -> []
|
||||
end.
|
||||
|
||||
get_password_fun(_Mech, #{lserver := LServer}) ->
|
||||
fun(U) ->
|
||||
ejabberd_auth:get_password_with_authmodule(U, LServer)
|
||||
|
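Review bot: `sasl_options/1` in the second hunk has no `-spec`, and its fallback clause `_ -> []` is wider than the option allows: `disable_sasl_scram_downgrade_protection` is declared as `econf:bool()` with default `false`, so an explicit `false -> []` keeps Dialyzer informative and lets any unexpected value crash instead of being absorbed by the catch-all. Suggested: `-spec sasl_options(map()) -> [{scram_downgrade_protection, false}].` above the function and `false -> []` in place of `_ -> []`. Since setting the option to `true` weakens man-in-the-middle protection for every client on that host, a one-time warning in the log when it is enabled would make the trade-off visible to operators. The code that consumes the returned option list is not part of this commit, so the meaning of `[]` on the receiving side is inferred from the name rather than visible here.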
@ -40,6 +40,7 @@
|
||||
-export([default_ram_db/0, default_ram_db/1]).
|
||||
-export([define_macro/0, define_macro/1]).
|
||||
-export([disable_sasl_mechanisms/0, disable_sasl_mechanisms/1]).
|
||||
-export([disable_sasl_scram_downgrade_protection/0, disable_sasl_scram_downgrade_protection/1]).
|
||||
-export([domain_balancing/0]).
|
||||
-export([ext_api_headers/0, ext_api_headers/1]).
|
||||
-export([ext_api_http_pool_size/0, ext_api_http_pool_size/1]).
|
||||
@ -384,6 +385,13 @@ disable_sasl_mechanisms() ->
|
||||
disable_sasl_mechanisms(Host) ->
|
||||
ejabberd_config:get_option({disable_sasl_mechanisms, Host}).
|
||||
|
||||
-spec disable_sasl_scram_downgrade_protection() -> boolean().
|
||||
disable_sasl_scram_downgrade_protection() ->
|
||||
disable_sasl_scram_downgrade_protection(global).
|
||||
-spec disable_sasl_scram_downgrade_protection(global | binary()) -> boolean().
|
||||
disable_sasl_scram_downgrade_protection(Host) ->
|
||||
ejabberd_config:get_option({disable_sasl_scram_downgrade_protection, Host}).
|
||||
|
||||
-spec domain_balancing() -> #{binary()=>#{'component_number'=>1..1114111, 'type'=>'bare_destination' | 'bare_source' | 'destination' | 'random' | 'source'}}.
|
||||
domain_balancing() ->
|
||||
ejabberd_config:get_option({domain_balancing, global}).
|
||||
|
@ -140,6 +140,8 @@ opt_type(default_ram_db) ->
|
||||
econf:enum([mnesia, sql, redis]);
|
||||
opt_type(define_macro) ->
|
||||
econf:any();
|
||||
opt_type(disable_sasl_scram_downgrade_protection) ->
|
||||
econf:bool();
|
||||
opt_type(disable_sasl_mechanisms) ->
|
||||
econf:list_or_single(
|
||||
econf:and_then(
|
||||
@ -563,6 +565,7 @@ options() ->
|
||||
{cluster_backend, mnesia},
|
||||
{cluster_nodes, []},
|
||||
{define_macro, []},
|
||||
{disable_sasl_scram_downgrade_protection, false},
|
||||
{disable_sasl_mechanisms, []},
|
||||
{domain_balancing, #{}},
|
||||
{ext_api_headers, <<>>},
|
||||
|
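Review bot: Both hunks insert `disable_sasl_scram_downgrade_protection` before `disable_sasl_mechanisms`, which breaks the alphabetical order the surrounding `opt_type/1` clauses and `options/0` entries keep (`default_ram_db`, `define_macro`, `disable_sasl_mechanisms`, `domain_balancing`); `m` sorts before `s`, so the new clause and the `{disable_sasl_scram_downgrade_protection, false}` default belong after the `disable_sasl_mechanisms` ones. The export added to the option accessor module already uses that order, so the two files currently disagree, and the `doc/0` entry in the last file has the same placement. Neither `opt_type/1` nor `options/0` is fully visible in this commit.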
@ -552,6 +552,16 @@ doc() ->
|
||||
"",
|
||||
"acl:",
|
||||
" admin: USERBOB"]}},
|
||||
{disable_sasl_scram_downgrade_protection,
|
||||
#{value => "true | false",
|
||||
desc =>
|
||||
?T("Allows to disable sending data required by "
|
||||
"'XEP-0474: SASL SCRAM Downgrade Protection'. "
|
||||
"There are known buggy clients (like those that use strophejs 1.6.2) "
|
||||
"which will not be able to authenticatate when servers sends data from "
|
||||
"that specification. This options allows server to disable it to allow "
|
||||
"even buggy clients connects, but in exchange decrease MITM protection. "
|
||||
"The default value of this option is 'false' which enables this extension.")}},
|
||||
{disable_sasl_mechanisms,
|
||||
#{value => "[Mechanism, ...]",
|
||||
desc =>
|
||||
|
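Review bot: The user-facing description for `disable_sasl_scram_downgrade_protection` carries several typos that will ship in the generated documentation: `authenticatate` should read `authenticate`, `when servers sends data` should read `when the server sends data`, `This options allows server to disable it` should read `This option allows the server to disable it`, and `even buggy clients connects` should read `even buggy clients to connect`. The risk statement would also be more useful to an administrator if it said what is lost rather than just `decrease MITM protection`: the data defined by that XEP is what lets a client detect an attacker stripping mechanisms from the offered list, so with the option enabled such a downgrade goes unnoticed; consider `but in exchange the client can no longer detect a mechanism downgrade by a man-in-the-middle`. The `doc/0` function this entry lives in starts and ends outside the hunk.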