Chapril/xmpp.chapril.org-ejabberd
25
1
Fork 0
mirror of https://github.com/processone/ejabberd.git synced 2024-11-20 16:15:59 +01:00
Code Releases Activity

Add option to disable XEP-0474: SASL SCRAM Downgrade Protection support

Browse Source 
Looks like clients using strophejs aren't able to authenticate when we
add data required by that spec to scram packets, so at least give a way
to disable this until clients will be fixed.
This commit is contained in:
Paweł Chmielowski 2024-01-16 12:03:35 +01:00
parent 6c691a73bd
commit 29ec5bff60
7 changed files with 31 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mix.exs
View File

@ -114,7 +114,7 @@ defmodule Ejabberd.MixProject do
{:p1_utils, "~> 1.0"}, {:p1_utils, "~> 1.0"},
{:pkix, "~> 1.0"}, {:pkix, "~> 1.0"},
{:stringprep, ">= 1.0.26"}, {:stringprep, ">= 1.0.26"},
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "26dd833dcf66ebb790d9afe212b7a26f3a6c2328", override: true}, {:xmpp, git: "https://github.com/processone/xmpp.git", ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", override: true},
{:yconf, "~> 1.0"}] {:yconf, "~> 1.0"}]
++ cond_deps() ++ cond_deps()
end end

2
mix.lock
View File

@ -43,6 +43,6 @@
"stringprep": {:hex, :stringprep, "1.0.29", "02f23e8c3a219a3dfe40a22e908bece3a2f68af0ff599ea8a7b714ecb21e62ee", [:rebar3], [{:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "928eba304c3006eb1512110ebd7b87db163b00859a09375a1e4466152c6c462a"}, "stringprep": {:hex, :stringprep, "1.0.29", "02f23e8c3a219a3dfe40a22e908bece3a2f68af0ff599ea8a7b714ecb21e62ee", [:rebar3], [{:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "928eba304c3006eb1512110ebd7b87db163b00859a09375a1e4466152c6c462a"},
"stun": {:hex, :stun, "1.2.10", "53f8be69e14f9476dcaf1dfb626b9dad2380f3fba8faf2c30bdf74311cfdc008", [:rebar3], [{:fast_tls, "1.1.16", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "19d3eecbfcc6935f0880f8ef7e77ff373900c604092937a1acda166ae3fb40e9"}, "stun": {:hex, :stun, "1.2.10", "53f8be69e14f9476dcaf1dfb626b9dad2380f3fba8faf2c30bdf74311cfdc008", [:rebar3], [{:fast_tls, "1.1.16", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.25", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "19d3eecbfcc6935f0880f8ef7e77ff373900c604092937a1acda166ae3fb40e9"},
"unicode_util_compat": {:hex, :unicode_util_compat, "0.4.1", "d869e4c68901dd9531385bb0c8c40444ebf624e60b6962d95952775cac5e90cd", [:rebar3], [], "hexpm", "1d1848c40487cdb0b30e8ed975e34e025860c02e419cb615d255849f3427439d"}, "unicode_util_compat": {:hex, :unicode_util_compat, "0.4.1", "d869e4c68901dd9531385bb0c8c40444ebf624e60b6962d95952775cac5e90cd", [:rebar3], [], "hexpm", "1d1848c40487cdb0b30e8ed975e34e025860c02e419cb615d255849f3427439d"},
"xmpp": {:git, "https://github.com/processone/xmpp.git", "ded8be8c169487688b11130eda566b1377ab3301", [ref: "ded8be8c169487688b11130eda566b1377ab3301"]}, "xmpp": {:git, "https://github.com/processone/xmpp.git", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3", [ref: "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"]},
"yconf": {:hex, :yconf, "1.0.15", "e22998b3d7728270bdd06162a9515bd142b14fae8927cbdbd3ef639c32aa6f7a", [:rebar3], [{:fast_yaml, "1.0.36", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "7ff2ab24d3c9833842716b9aaaa01a8f96641a7695cbb701b03445c4def01117"}, "yconf": {:hex, :yconf, "1.0.15", "e22998b3d7728270bdd06162a9515bd142b14fae8927cbdbd3ef639c32aa6f7a", [:rebar3], [{:fast_yaml, "1.0.36", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "7ff2ab24d3c9833842716b9aaaa01a8f96641a7695cbb701b03445c4def01117"},
} }

2
rebar.config
View File

@ -77,7 +77,7 @@
{stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.29"}}}, {stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.29"}}},
{if_var_true, stun, {if_var_true, stun,
{stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.2.10"}}}}, {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.2.10"}}}},
{xmpp, ".*", {git, "https://github.com/processone/xmpp", "26dd833dcf66ebb790d9afe212b7a26f3a6c2328"}}, {xmpp, ".*", {git, "https://github.com/processone/xmpp", "db6d730f0e1cd36645c32d7c7e89e19bb27642e3"}},
{yconf, ".*", {git, "https://github.com/processone/yconf", {tag, "1.0.15"}}} {yconf, ".*", {git, "https://github.com/processone/yconf", {tag, "1.0.15"}}}
]}. ]}.

8
src/ejabberd_c2s.erl
View File

@ -43,7 +43,7 @@
handle_recv/3, handle_cdata/2, handle_unbinded_packet/2, handle_recv/3, handle_cdata/2, handle_unbinded_packet/2,
inline_stream_features/1, handle_sasl2_inline/2, inline_stream_features/1, handle_sasl2_inline/2,
handle_sasl2_inline_post/3, handle_bind2_inline/2, handle_sasl2_inline_post/3, handle_bind2_inline/2,
handle_bind2_inline_post/3]). handle_bind2_inline_post/3, sasl_options/1]).
%% Hooks %% Hooks
-export([handle_unexpected_cast/2, handle_unexpected_call/3, -export([handle_unexpected_cast/2, handle_unexpected_call/3,
process_auth_result/3, reject_unauthenticated_packet/2, process_auth_result/3, reject_unauthenticated_packet/2,
@ -418,6 +418,12 @@ sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = St
(_) -> false (_) -> false
end, Mechs -- Mechs1). end, Mechs -- Mechs1).
sasl_options(#{lserver := LServer}) ->
case ejabberd_option:disable_sasl_scram_downgrade_protection(LServer) of
true -> [{scram_downgrade_protection, false}];
_ -> []
end.
get_password_fun(_Mech, #{lserver := LServer}) -> get_password_fun(_Mech, #{lserver := LServer}) ->
fun(U) -> fun(U) ->
ejabberd_auth:get_password_with_authmodule(U, LServer) ejabberd_auth:get_password_with_authmodule(U, LServer)

8
src/ejabberd_option.erl
View File

@ -40,6 +40,7 @@
-export([default_ram_db/0, default_ram_db/1]). -export([default_ram_db/0, default_ram_db/1]).
-export([define_macro/0, define_macro/1]). -export([define_macro/0, define_macro/1]).
-export([disable_sasl_mechanisms/0, disable_sasl_mechanisms/1]). -export([disable_sasl_mechanisms/0, disable_sasl_mechanisms/1]).
-export([disable_sasl_scram_downgrade_protection/0, disable_sasl_scram_downgrade_protection/1]).
-export([domain_balancing/0]). -export([domain_balancing/0]).
-export([ext_api_headers/0, ext_api_headers/1]). -export([ext_api_headers/0, ext_api_headers/1]).
-export([ext_api_http_pool_size/0, ext_api_http_pool_size/1]). -export([ext_api_http_pool_size/0, ext_api_http_pool_size/1]).
@ -384,6 +385,13 @@ disable_sasl_mechanisms() ->
disable_sasl_mechanisms(Host) -> disable_sasl_mechanisms(Host) ->
ejabberd_config:get_option({disable_sasl_mechanisms, Host}). ejabberd_config:get_option({disable_sasl_mechanisms, Host}).
-spec disable_sasl_scram_downgrade_protection() -> boolean().
disable_sasl_scram_downgrade_protection() ->
disable_sasl_scram_downgrade_protection(global).
-spec disable_sasl_scram_downgrade_protection(global | binary()) -> boolean().
disable_sasl_scram_downgrade_protection(Host) ->
ejabberd_config:get_option({disable_sasl_scram_downgrade_protection, Host}).
-spec domain_balancing() -> #{binary()=>#{'component_number'=>1..1114111, 'type'=>'bare_destination' | 'bare_source' | 'destination' | 'random' | 'source'}}. -spec domain_balancing() -> #{binary()=>#{'component_number'=>1..1114111, 'type'=>'bare_destination' | 'bare_source' | 'destination' | 'random' | 'source'}}.
domain_balancing() -> domain_balancing() ->
ejabberd_config:get_option({domain_balancing, global}). ejabberd_config:get_option({domain_balancing, global}).

3
src/ejabberd_options.erl
View File

@ -140,6 +140,8 @@ opt_type(default_ram_db) ->
econf:enum([mnesia, sql, redis]); econf:enum([mnesia, sql, redis]);
opt_type(define_macro) -> opt_type(define_macro) ->
econf:any(); econf:any();
opt_type(disable_sasl_scram_downgrade_protection) ->
econf:bool();
opt_type(disable_sasl_mechanisms) -> opt_type(disable_sasl_mechanisms) ->
econf:list_or_single( econf:list_or_single(
econf:and_then( econf:and_then(
@ -563,6 +565,7 @@ options() ->
{cluster_backend, mnesia}, {cluster_backend, mnesia},
{cluster_nodes, []}, {cluster_nodes, []},
{define_macro, []}, {define_macro, []},
{disable_sasl_scram_downgrade_protection, false},
{disable_sasl_mechanisms, []}, {disable_sasl_mechanisms, []},
{domain_balancing, #{}}, {domain_balancing, #{}},
{ext_api_headers, <<>>}, {ext_api_headers, <<>>},

10
src/ejabberd_options_doc.erl
View File

@ -552,6 +552,16 @@ doc() ->
"", "",
"acl:", "acl:",
" admin: USERBOB"]}}, " admin: USERBOB"]}},
{disable_sasl_scram_downgrade_protection,
#{value => "true | false",
desc =>
?T("Allows to disable sending data required by "
"'XEP-0474: SASL SCRAM Downgrade Protection'. "
"There are known buggy clients (like those that use strophejs 1.6.2) "
"which will not be able to authenticatate when servers sends data from "
"that specification. This options allows server to disable it to allow "
"even buggy clients connects, but in exchange decrease MITM protection. "
"The default value of this option is 'false' which enables this extension.")}},
{disable_sasl_mechanisms, {disable_sasl_mechanisms,
#{value => "[Mechanism, ...]", #{value => "[Mechanism, ...]",
desc => desc =>