
ejabberd_c2s: Optionally allow unencrypted SASL2

XEP-0388 says: "SASL2 MUST only be used by Clients or offered by Servers
after TLS negotiation".  Therefore, we reject SASL2 negotiations over
unencrypted transports by default.  However, TLS might be terminated
outside of ejabberd.  Add the 'allow_unencrypted_sasl2' option to
support this use case.
Holger Weiss 2024-09-29 20:40:01 +02:00
parent 36187e07d0
commit 4723283896
5 changed files with 22 additions and 14 deletions


@ -144,7 +144,7 @@ defmodule Ejabberd.MixProject do
{:p1_utils, "~> 1.0"}, {:p1_utils, "~> 1.0"},
{:pkix, "~> 1.0"}, {:pkix, "~> 1.0"},
{:stringprep, ">= 1.0.26"}, {:stringprep, ">= 1.0.26"},
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "2a54443436dc8a942969f2ef7c5654d5acab7533", override: true}, {:xmpp, git: "https://github.com/processone/xmpp.git", ref: "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127", override: true},
{:yconf, "~> 1.0"}] {:yconf, "~> 1.0"}]
++ cond_deps() ++ cond_deps()
end end


@ -32,6 +32,6 @@
"stringprep": {:hex, :stringprep, "1.0.30", "46cf0ff631b3e7328f61f20b454d59428d87738f25d709798b5dcbb9b83c23f1", [:rebar3], [{:p1_utils, "1.0.26", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "f6fc9b3384a03877830f89b2f38580caf3f4a27448a4a333d6a8c3975c220b9a"}, "stringprep": {:hex, :stringprep, "1.0.30", "46cf0ff631b3e7328f61f20b454d59428d87738f25d709798b5dcbb9b83c23f1", [:rebar3], [{:p1_utils, "1.0.26", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "f6fc9b3384a03877830f89b2f38580caf3f4a27448a4a333d6a8c3975c220b9a"},
"stun": {:hex, :stun, "1.2.14", "6f538ac80c842131dbd149055570d116bfabc9b5ebff4bd6af2e7888958c660c", [:rebar3], [{:fast_tls, "1.1.21", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.26", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "e134807b1b7a8dffd94e64eefee00e65c7b4042f3d14e16f8f43566d20371583"}, "stun": {:hex, :stun, "1.2.14", "6f538ac80c842131dbd149055570d116bfabc9b5ebff4bd6af2e7888958c660c", [:rebar3], [{:fast_tls, "1.1.21", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.26", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "e134807b1b7a8dffd94e64eefee00e65c7b4042f3d14e16f8f43566d20371583"},
"unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"}, "unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"},
"xmpp": {:git, "https://github.com/processone/xmpp.git", "2a54443436dc8a942969f2ef7c5654d5acab7533", [ref: "2a54443436dc8a942969f2ef7c5654d5acab7533"]}, "xmpp": {:git, "https://github.com/processone/xmpp.git", "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127", [ref: "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127"]},
"yconf": {:hex, :yconf, "1.0.16", "d59521d66ff89f219411b6e9277cd6feec7cc6fce11554e67de02a8d0a470479", [:rebar3], [{:fast_yaml, "1.0.37", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "e947813273f38711c7b2e5a8e4acc9a51c7bbe854f744a345f60300b38586c89"}, "yconf": {:hex, :yconf, "1.0.16", "d59521d66ff89f219411b6e9277cd6feec7cc6fce11554e67de02a8d0a470479", [:rebar3], [{:fast_yaml, "1.0.37", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "e947813273f38711c7b2e5a8e4acc9a51c7bbe854f744a345f60300b38586c89"},
} }


@ -69,7 +69,7 @@
{stringprep, "~> 1.0.29", {git, "https://github.com/processone/stringprep", {tag, "1.0.30"}}}, {stringprep, "~> 1.0.29", {git, "https://github.com/processone/stringprep", {tag, "1.0.30"}}},
{if_var_true, stun, {if_var_true, stun,
{stun, "~> 1.2.12", {git, "https://github.com/processone/stun", {tag, "1.2.14"}}}}, {stun, "~> 1.2.12", {git, "https://github.com/processone/stun", {tag, "1.2.14"}}}},
{xmpp, "~> 1.8.3", {git, "https://github.com/processone/xmpp", "2a54443436dc8a942969f2ef7c5654d5acab7533"}}, {xmpp, "~> 1.8.3", {git, "https://github.com/processone/xmpp", "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127"}},
{yconf, "~> 1.0.15", {git, "https://github.com/processone/yconf", {tag, "1.0.16"}}} {yconf, "~> 1.0.15", {git, "https://github.com/processone/yconf", {tag, "1.0.16"}}}
]}. ]}.


@ -32,7 +32,7 @@
{<<"unicode_util_compat">>,{pkg,<<"unicode_util_compat">>,<<"0.7.0">>},1}, {<<"unicode_util_compat">>,{pkg,<<"unicode_util_compat">>,<<"0.7.0">>},1},
{<<"xmpp">>, {<<"xmpp">>,
{git,"https://github.com/processone/xmpp", {git,"https://github.com/processone/xmpp",
{ref,"2a54443436dc8a942969f2ef7c5654d5acab7533"}}, {ref,"ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127"}},
0}, 0},
{<<"yconf">>,{pkg,<<"yconf">>,<<"1.0.16">>},0}]}. {<<"yconf">>,{pkg,<<"yconf">>,<<"1.0.16">>},0}]}.
[ [


@ -35,16 +35,16 @@
-export([init/1, handle_call/3, handle_cast/2, -export([init/1, handle_call/3, handle_cast/2,
handle_info/2, terminate/2, code_change/3]). handle_info/2, terminate/2, code_change/3]).
-export([tls_options/1, tls_required/1, tls_enabled/1, -export([tls_options/1, tls_required/1, tls_enabled/1,
compress_methods/1, bind/2, sasl_mechanisms/2, allow_unencrypted_sasl2/1, compress_methods/1, bind/2,
get_password_fun/2, check_password_fun/2, check_password_digest_fun/2, sasl_mechanisms/2, get_password_fun/2, check_password_fun/2,
unauthenticated_stream_features/1, authenticated_stream_features/1, check_password_digest_fun/2, unauthenticated_stream_features/1,
handle_stream_start/2, handle_stream_end/2, authenticated_stream_features/1, handle_stream_start/2,
handle_unauthenticated_packet/2, handle_authenticated_packet/2, handle_stream_end/2, handle_unauthenticated_packet/2,
handle_auth_success/4, handle_auth_failure/4, handle_send/3, handle_authenticated_packet/2, handle_auth_success/4,
handle_recv/3, handle_cdata/2, handle_unbinded_packet/2, handle_auth_failure/4, handle_send/3, handle_recv/3, handle_cdata/2,
inline_stream_features/1, handle_sasl2_inline/2, handle_unbinded_packet/2, inline_stream_features/1,
handle_sasl2_inline_post/3, handle_bind2_inline/2, handle_sasl2_inline/2, handle_sasl2_inline_post/3,
handle_bind2_inline_post/3, sasl_options/1]). handle_bind2_inline/2, handle_bind2_inline_post/3, sasl_options/1]).
%% Hooks %% Hooks
-export([handle_unexpected_cast/2, handle_unexpected_call/3, -export([handle_unexpected_cast/2, handle_unexpected_call/3,
process_auth_result/3, reject_unauthenticated_packet/2, process_auth_result/3, reject_unauthenticated_packet/2,
@ -392,6 +392,9 @@ tls_enabled(#{tls_enabled := TLSEnabled,
tls_verify := TLSVerify}) -> tls_verify := TLSVerify}) ->
TLSEnabled or TLSRequired or TLSVerify. TLSEnabled or TLSRequired or TLSVerify.
allow_unencrypted_sasl2(#{allow_unencrypted_sasl2 := AllowUnencryptedSasl2}) ->
AllowUnencryptedSasl2.
compress_methods(#{zlib := true}) -> compress_methods(#{zlib := true}) ->
[<<"zlib">>]; [<<"zlib">>];
compress_methods(_) -> compress_methods(_) ->
@ -604,12 +607,14 @@ init([State, Opts]) ->
TLSEnabled = proplists:get_bool(starttls, Opts), TLSEnabled = proplists:get_bool(starttls, Opts),
TLSRequired = proplists:get_bool(starttls_required, Opts), TLSRequired = proplists:get_bool(starttls_required, Opts),
TLSVerify = proplists:get_bool(tls_verify, Opts), TLSVerify = proplists:get_bool(tls_verify, Opts),
AllowUnencryptedSasl2 = proplists:get_bool(allow_unencrypted_sasl2, Opts),
Zlib = proplists:get_bool(zlib, Opts), Zlib = proplists:get_bool(zlib, Opts),
Timeout = ejabberd_option:negotiation_timeout(), Timeout = ejabberd_option:negotiation_timeout(),
State1 = State#{tls_options => TLSOpts2, State1 = State#{tls_options => TLSOpts2,
tls_required => TLSRequired, tls_required => TLSRequired,
tls_enabled => TLSEnabled, tls_enabled => TLSEnabled,
tls_verify => TLSVerify, tls_verify => TLSVerify,
allow_unencrypted_sasl2 => AllowUnencryptedSasl2,
pres_a => ?SETS:new(), pres_a => ?SETS:new(),
zlib => Zlib, zlib => Zlib,
lang => ejabberd_option:language(), lang => ejabberd_option:language(),
@ -1047,6 +1052,8 @@ listen_opt_type(starttls) ->
econf:bool(); econf:bool();
listen_opt_type(starttls_required) -> listen_opt_type(starttls_required) ->
econf:bool(); econf:bool();
listen_opt_type(allow_unencrypted_sasl2) ->
econf:bool();
listen_opt_type(tls_verify) -> listen_opt_type(tls_verify) ->
econf:bool(); econf:bool();
listen_opt_type(zlib) -> listen_opt_type(zlib) ->
@ -1069,6 +1076,7 @@ listen_options() ->
{tls_compression, false}, {tls_compression, false},
{starttls, false}, {starttls, false},
{starttls_required, false}, {starttls_required, false},
{allow_unencrypted_sasl2, false},
{tls_verify, false}, {tls_verify, false},
{zlib, false}, {zlib, false},
{max_stanza_size, infinity}, {max_stanza_size, infinity},
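Review bot: The new exported accessor `allow_unencrypted_sasl2/1` (added right after the `tls_enabled/1` clause in the second hunk) carries neither a `-spec` nor a comment, even though it is the switch that relaxes XEP-0388's TLS requirement for every client of the listener. I would add `-spec allow_unencrypted_sasl2(state()) -> boolean().` above it (assuming the module's `state()` type, as the sibling accessors use — confirm the type name) and a comment along the lines of `%% Listener-wide flag, read from the listener options only: true means TLS is terminated in front of ejabberd. Nothing checks per connection that the peer really is the TLS-terminating proxy, so enabling it on a listener reachable directly from the network offers SASL2 to plaintext clients.` The option should also appear wherever the listener options are documented for operators; no such documentation change is visible in these hunks. The `@ -392,6 +392,9` header accounts for three added lines while only two are rendered here, so a separator line may have been dropped by the page rendering.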