25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-12-20 17:27:00 +01:00

Add option to disable XEP-0474: SASL SCRAM Downgrade Protection support

Looks like clients using strophejs aren't able to authenticate when we
add data required by that spec to scram packets, so at least give a way
to disable this until clients will be fixed.
This commit is contained in:
Paweł Chmielowski 2024-01-16 12:03:35 +01:00
parent 6c691a73bd
commit 29ec5bff60
7 changed files with 31 additions and 4 deletions

View File

@ -114,7 +114,7 @@ defmodule Ejabberd.MixProject do
{:p1_utils, "~> 1.0"},
{:pkix, "~> 1.0"},
{:stringprep, ">= 1.0.26"},
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "26dd833dcf66ebb790d9afe212b7a26f3a6c2328", override: true},
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", override: true},
{:yconf, "~> 1.0"}]
++ cond_deps()
end

View File

@ -43,6 +43,6 @@
"stringprep": {:hex, :stringprep, "1.0.29", "02f23e8c3a219a3dfe40a22e908bece3a2f68af0ff599ea8a7b714ecb21e62ee", [:rebar3], [{:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "928eba304c3006eb1512110ebd7b87db163b00859a09375a1e4466152c6c462a"},
"stun": {:hex, :stun, "1.2.10", "53f8be69e14f9476dcaf1dfb626b9dad2380f3fba8faf2c30bdf74311cfdc008", [:rebar3], [{:fast_tls, "1.1.16", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "19d3eecbfcc6935f0880f8ef7e77ff373900c604092937a1acda166ae3fb40e9"},
"unicode_util_compat": {:hex, :unicode_util_compat, "0.4.1", "d869e4c68901dd9531385bb0c8c40444ebf624e60b6962d95952775cac5e90cd", [:rebar3], [], "hexpm", "1d1848c40487cdb0b30e8ed975e34e025860c02e419cb615d255849f3427439d"},
"xmpp": {:git, "https://github.com/processone/xmpp.git", "ded8be8c169487688b11130eda566b1377ab3301", [ref: "ded8be8c169487688b11130eda566b1377ab3301"]},
"xmpp": {:git, "https://github.com/processone/xmpp.git", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", [ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"]},
"yconf": {:hex, :yconf, "1.0.15", "e22998b3d7728270bdd06162a9515bd142b14fae8927cbdbd3ef639c32aa6f7a", [:rebar3], [{:fast_yaml, "1.0.36", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "7ff2ab24d3c9833842716b9aaaa01a8f96641a7695cbb701b03445c4def01117"},
}

View File

@ -77,7 +77,7 @@
{stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.29"}}},
{if_var_true, stun,
{stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.2.10"}}}},
{xmpp, ".*", {git, "https://github.com/processone/xmpp", "26dd833dcf66ebb790d9afe212b7a26f3a6c2328"}},
{xmpp, ".*", {git, "https://github.com/processone/xmpp", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"}},
{yconf, ".*", {git, "https://github.com/processone/yconf", {tag, "1.0.15"}}}
]}.

View File

@ -43,7 +43,7 @@
handle_recv/3, handle_cdata/2, handle_unbinded_packet/2,
inline_stream_features/1, handle_sasl2_inline/2,
handle_sasl2_inline_post/3, handle_bind2_inline/2,
handle_bind2_inline_post/3]).
handle_bind2_inline_post/3, sasl_options/1]).
%% Hooks
-export([handle_unexpected_cast/2, handle_unexpected_call/3,
process_auth_result/3, reject_unauthenticated_packet/2,
@ -418,6 +418,12 @@ sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = St
(_) -> false
end, Mechs -- Mechs1).
sasl_options(#{lserver := LServer}) ->
case ejabberd_option:disable_sasl_scram_downgrade_protection(LServer) of
true -> [{scram_downgrade_protection, false}];
_ -> []
end.
get_password_fun(_Mech, #{lserver := LServer}) ->
fun(U) ->
ejabberd_auth:get_password_with_authmodule(U, LServer)

View File

@ -40,6 +40,7 @@
-export([default_ram_db/0, default_ram_db/1]).
-export([define_macro/0, define_macro/1]).
-export([disable_sasl_mechanisms/0, disable_sasl_mechanisms/1]).
-export([disable_sasl_scram_downgrade_protection/0, disable_sasl_scram_downgrade_protection/1]).
-export([domain_balancing/0]).
-export([ext_api_headers/0, ext_api_headers/1]).
-export([ext_api_http_pool_size/0, ext_api_http_pool_size/1]).
@ -384,6 +385,13 @@ disable_sasl_mechanisms() ->
disable_sasl_mechanisms(Host) ->
ejabberd_config:get_option({disable_sasl_mechanisms, Host}).
-spec disable_sasl_scram_downgrade_protection() -> boolean().
disable_sasl_scram_downgrade_protection() ->
disable_sasl_scram_downgrade_protection(global).
-spec disable_sasl_scram_downgrade_protection(global | binary()) -> boolean().
disable_sasl_scram_downgrade_protection(Host) ->
ejabberd_config:get_option({disable_sasl_scram_downgrade_protection, Host}).
-spec domain_balancing() -> #{binary()=>#{'component_number'=>1..1114111, 'type'=>'bare_destination' | 'bare_source' | 'destination' | 'random' | 'source'}}.
domain_balancing() ->
ejabberd_config:get_option({domain_balancing, global}).

View File

@ -140,6 +140,8 @@ opt_type(default_ram_db) ->
econf:enum([mnesia, sql, redis]);
opt_type(define_macro) ->
econf:any();
opt_type(disable_sasl_scram_downgrade_protection) ->
econf:bool();
opt_type(disable_sasl_mechanisms) ->
econf:list_or_single(
econf:and_then(
@ -563,6 +565,7 @@ options() ->
{cluster_backend, mnesia},
{cluster_nodes, []},
{define_macro, []},
{disable_sasl_scram_downgrade_protection, false},
{disable_sasl_mechanisms, []},
{domain_balancing, #{}},
{ext_api_headers, <<>>},

View File

@ -552,6 +552,16 @@ doc() ->
"",
"acl:",
" admin: USERBOB"]}},
{disable_sasl_scram_downgrade_protection,
#{value => "true | false",
desc =>
?T("Allows to disable sending data required by "
"'XEP-0474: SASL SCRAM Downgrade Protection'. "
"There are known buggy clients (like those that use strophejs 1.6.2) "
"which will not be able to authenticatate when servers sends data from "
"that specification. This options allows server to disable it to allow "
"even buggy clients connects, but in exchange decrease MITM protection. "
"The default value of this option is 'false' which enables this extension.")}},
{disable_sasl_mechanisms,
#{value => "[Mechanism, ...]",
desc =>