Improve handling of c=y flag during sasl scram authentication

With this change we will no longer abort connection if all -PLUS
methods are disabled by administrator using `disable_sasl_mechanisms`.

Additionally when using SASL2 authentication we will also allow
connections to continue, if filtering methods based on stored
user passwords, removed all offered -PLUS mechanisms.
This commit is contained in:
Pawel Chmielowski
2026-03-17 12:21:26 +01:00
parent c43b15b3cd
commit bb8d65b68a
3 changed files with 11 additions and 8 deletions
+1 -1
View File
@@ -67,7 +67,7 @@
{stringprep, "~> 1.0.33", {git, "https://github.com/processone/stringprep", {tag, "1.0.33"}}},
{if_var_true, stun,
{stun, "~> 1.2.21", {git, "https://github.com/processone/stun", {tag, "1.2.21"}}}},
{xmpp, "~> 1.12.0", {git, "https://github.com/processone/xmpp", {tag, "1.12.0"}}},
{xmpp, "~> 1.12.0", {git, "https://github.com/processone/xmpp", "8c1920d450f0a96cc89ed4f52ec429dfa404ae5a"}},
{yconf, "~> 1.0.22", {git, "https://github.com/processone/yconf", {tag, "1.0.22"}}}
]}.
+4 -3
View File
@@ -25,7 +25,10 @@
{<<"stringprep">>,{pkg,<<"stringprep">>,<<"1.0.33">>},0},
{<<"stun">>,{pkg,<<"stun">>,<<"1.2.21">>},0},
{<<"unicode_util_compat">>,{pkg,<<"unicode_util_compat">>,<<"0.7.1">>},1},
{<<"xmpp">>,{pkg,<<"xmpp">>,<<"1.12.0">>},0},
{<<"xmpp">>,
{git,"https://github.com/processone/xmpp",
{ref,"8c1920d450f0a96cc89ed4f52ec429dfa404ae5a"}},
0},
{<<"yconf">>,{pkg,<<"yconf">>,<<"1.0.22">>},0}]}.
[
{pkg_hash,[
@@ -55,7 +58,6 @@
{<<"stringprep">>, <<"22F42866B4F6F3C238EA2B9CB6241791184DDEDBAB55E94A025511F46325F3CA">>},
{<<"stun">>, <<"735855314AD22CB7816B88597D2F5CA22E24AA5E4D6010A0EF3AFFB33CEED6A5">>},
{<<"unicode_util_compat">>, <<"A48703A25C170EEDADCA83B11E88985AF08D35F37C6F664D6DCFB106A97782FC">>},
{<<"xmpp">>, <<"5A583FE1122F013310147CB7F36BD75DE8A4EF0A836487826BF1A9F53403792E">>},
{<<"yconf">>, <<"52A435F9B60AB1E13950DFE3F7131ECDD8B3D1CA72C44BF66FC74B4571027124">>}]},
{pkg_hash_ext,[
{<<"base64url">>, <<"F9B3ADD4731A02A9B0410398B475B33E7566A695365237A6BDEE1BB447719F5C">>},
@@ -84,6 +86,5 @@
{<<"stringprep">>, <<"96F8B30BC50887F605B33B46BCA1D248C19A879319B8C482790E3B4DA5DA98C0">>},
{<<"stun">>, <<"3D7FE8EFB9D05B240A6AA9A6BF8B8B7BFF2D802895D170443C588987DC1E12D9">>},
{<<"unicode_util_compat">>, <<"B3A917854CE3AE233619744AD1E0102E05673136776FB2FA76234F3E03B23642">>},
{<<"xmpp">>, <<"014BAE73659FBA256771EB007BC5348618AC727DD1D10B9AB15A9FEF871622C8">>},
{<<"yconf">>, <<"ACA83457CEABE70756484B5C87BA7B1955F511D499168687EAEAA7C300E857F1">>}]}
].
+6 -4
View File
@@ -421,7 +421,9 @@ inline_stream_features(#{lserver := LServer} = State) ->
sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = State) ->
Type = ejabberd_auth:store_type(LServer),
Mechs1 = ejabberd_option:disable_sasl_mechanisms(LServer),
DisabledMechs = ejabberd_option:disable_sasl_mechanisms(LServer),
PlusMechs = [<<"SCRAM-SHA-1-PLUS">>,<<"SCRAM-SHA-256-PLUS">>,<<"SCRAM-SHA-512-PLUS">>],
PlusDisabled = (PlusMechs -- DisabledMechs) == [],
{Digest, ShaAv, Sha256Av, Sha512Av} =
case ejabberd_option:auth_stored_password_types(LServer) of
@@ -454,9 +456,9 @@ sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = St
(<<"X-OAUTH2">>) -> [ejabberd_auth_anonymous] /= ejabberd_auth:auth_modules(LServer);
(<<"EXTERNAL">>) -> maps:get(tls_verify, State, false);
(_) -> false
end, Mechs -- Mechs1),
end, Mechs -- DisabledMechs),
case ejabberd_option:auth_password_types_hidden_in_sasl1() of
[] -> Mechs2;
[] -> {Mechs2, Mechs2, PlusDisabled};
List ->
Mechs3 = lists:foldl(
fun(plain, Acc) -> Acc -- [<<"PLAIN">>];
@@ -464,7 +466,7 @@ sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = St
(scram_sha256, Acc) -> Acc -- [<<"SCRAM-SHA-256">>, <<"SCRAM-SHA-256-PLUS">>];
(scram_sha512, Acc) -> Acc -- [<<"SCRAM-SHA-512">>, <<"SCRAM-SHA-512-PLUS">>]
end, Mechs2, List),
{Mechs3, Mechs2}
{Mechs3, Mechs2, PlusDisabled}
end.
sasl_options(#{lserver := LServer}) ->