Add option to disable XEP-0474: SASL SCRAM Downgrade Protection support

Looks like clients using strophejs aren't able to authenticate when we add data required by that spec to scram packets, so at least give a way to disable this until clients will be fixed.
2024-01-16 12:03:35 +01:00 · 2024-01-16 12:03:35 +01:00 · 29ec5bff60
parent 6c691a73bd
commit 29ec5bff60
7 changed files with 31 additions and 4 deletions
--- a/mix.exs
+++ b/mix.exs
@ -114,7 +114,7 @@ defmodule Ejabberd.MixProject do
     {:p1_utils, "~> 1.0"},
     {:pkix, "~> 1.0"},
     {:stringprep, ">= 1.0.26"},
-     {:xmpp, git: "https://github.com/processone/xmpp.git", ref: "26dd833dcf66ebb790d9afe212b7a26f3a6c2328", override: true},
+     {:xmpp, git: "https://github.com/processone/xmpp.git", ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", override: true},
     {:yconf, "~> 1.0"}]
    ++ cond_deps()
  end
--- a/mix.lock
+++ b/mix.lock
@ -43,6 +43,6 @@
  "stringprep": {:hex, :stringprep, "1.0.29", "02f23e8c3a219a3dfe40a22e908bece3a2f68af0ff599ea8a7b714ecb21e62ee", [:rebar3], [{:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "928eba304c3006eb1512110ebd7b87db163b00859a09375a1e4466152c6c462a"},
  "stun": {:hex, :stun, "1.2.10", "53f8be69e14f9476dcaf1dfb626b9dad2380f3fba8faf2c30bdf74311cfdc008", [:rebar3], [{:fast_tls, "1.1.16", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "19d3eecbfcc6935f0880f8ef7e77ff373900c604092937a1acda166ae3fb40e9"},
  "unicode_util_compat": {:hex, :unicode_util_compat, "0.4.1", "d869e4c68901dd9531385bb0c8c40444ebf624e60b6962d95952775cac5e90cd", [:rebar3], [], "hexpm", "1d1848c40487cdb0b30e8ed975e34e025860c02e419cb615d255849f3427439d"},
-  "xmpp": {:git, "https://github.com/processone/xmpp.git", "ded8be8c169487688b11130eda566b1377ab3301", [ref: "ded8be8c169487688b11130eda566b1377ab3301"]},
+  "xmpp": {:git, "https://github.com/processone/xmpp.git", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", [ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"]},
  "yconf": {:hex, :yconf, "1.0.15", "e22998b3d7728270bdd06162a9515bd142b14fae8927cbdbd3ef639c32aa6f7a", [:rebar3], [{:fast_yaml, "1.0.36", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "7ff2ab24d3c9833842716b9aaaa01a8f96641a7695cbb701b03445c4def01117"},
 }
--- a/rebar.config
+++ b/rebar.config
@ -77,7 +77,7 @@
        {stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.29"}}},
        {if_var_true, stun,
         {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.2.10"}}}},
-        {xmpp, ".*", {git, "https://github.com/processone/xmpp", "26dd833dcf66ebb790d9afe212b7a26f3a6c2328"}},
+        {xmpp, ".*", {git, "https://github.com/processone/xmpp", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"}},
        {yconf, ".*", {git, "https://github.com/processone/yconf", {tag, "1.0.15"}}}
       ]}.

--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@ -43,7 +43,7 @@
 	 handle_recv/3, handle_cdata/2, handle_unbinded_packet/2,
 	 inline_stream_features/1, handle_sasl2_inline/2,
 	 handle_sasl2_inline_post/3, handle_bind2_inline/2,
-	 handle_bind2_inline_post/3]).
+	 handle_bind2_inline_post/3, sasl_options/1]).
 %% Hooks
 -export([handle_unexpected_cast/2, handle_unexpected_call/3,
 	 process_auth_result/3, reject_unauthenticated_packet/2,
@ -418,6 +418,12 @@ sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = St
 	 (_) -> false
      end, Mechs -- Mechs1).

+sasl_options(#{lserver := LServer}) ->
+    case ejabberd_option:disable_sasl_scram_downgrade_protection(LServer) of
+	true -> [{scram_downgrade_protection, false}];
+	_ -> []
+    end.
+
 get_password_fun(_Mech, #{lserver := LServer}) ->
    fun(U) ->
 	    ejabberd_auth:get_password_with_authmodule(U, LServer)
--- a/src/ejabberd_option.erl
+++ b/src/ejabberd_option.erl
@ -40,6 +40,7 @@
 -export([default_ram_db/0, default_ram_db/1]).
 -export([define_macro/0, define_macro/1]).
 -export([disable_sasl_mechanisms/0, disable_sasl_mechanisms/1]).
+-export([disable_sasl_scram_downgrade_protection/0, disable_sasl_scram_downgrade_protection/1]).
 -export([domain_balancing/0]).
 -export([ext_api_headers/0, ext_api_headers/1]).
 -export([ext_api_http_pool_size/0, ext_api_http_pool_size/1]).
@ -384,6 +385,13 @@ disable_sasl_mechanisms() ->
 disable_sasl_mechanisms(Host) ->
    ejabberd_config:get_option({disable_sasl_mechanisms, Host}).

+-spec disable_sasl_scram_downgrade_protection() -> boolean().
+disable_sasl_scram_downgrade_protection() ->
+    disable_sasl_scram_downgrade_protection(global).
+-spec disable_sasl_scram_downgrade_protection(global | binary()) -> boolean().
+disable_sasl_scram_downgrade_protection(Host) ->
+    ejabberd_config:get_option({disable_sasl_scram_downgrade_protection, Host}).
+
 -spec domain_balancing() -> #{binary()=>#{'component_number'=>1..1114111, 'type'=>'bare_destination' | 'bare_source' | 'destination' | 'random' | 'source'}}.
 domain_balancing() ->
    ejabberd_config:get_option({domain_balancing, global}).
--- a/src/ejabberd_options.erl
+++ b/src/ejabberd_options.erl
@ -140,6 +140,8 @@ opt_type(default_ram_db) ->
    econf:enum([mnesia, sql, redis]);
 opt_type(define_macro) ->
    econf:any();
+opt_type(disable_sasl_scram_downgrade_protection) ->
+    econf:bool();
 opt_type(disable_sasl_mechanisms) ->
    econf:list_or_single(
      econf:and_then(
@ -563,6 +565,7 @@ options() ->
     {cluster_backend, mnesia},
     {cluster_nodes, []},
     {define_macro, []},
+     {disable_sasl_scram_downgrade_protection, false},
     {disable_sasl_mechanisms, []},
     {domain_balancing, #{}},
     {ext_api_headers, <<>>},
--- a/src/ejabberd_options_doc.erl
+++ b/src/ejabberd_options_doc.erl
@ -552,6 +552,16 @@ doc() ->
             "",
             "acl:",
             "  admin: USERBOB"]}},
+      {disable_sasl_scram_downgrade_protection,
+          #{value => "true | false",
+              desc =>
+                ?T("Allows to disable sending data required by "
+                "'XEP-0474: SASL SCRAM Downgrade Protection'. "
+                "There are known buggy clients (like those that use strophejs 1.6.2) "
+                "which will not be able to authenticatate when servers sends data from "
+                "that specification. This options allows server to disable it to allow "
+                "even buggy clients connects, but in exchange decrease MITM protection. "
+                "The default value of this option is 'false' which enables this extension.")}},
     {disable_sasl_mechanisms,
      #{value => "[Mechanism, ...]",
        desc =>