Skip to content

Commit

Permalink
ejabberd_c2s: Optionally allow unencrypted SASL2
Browse files Browse the repository at this point in the history 
XEP-0388 says: "SASL2 MUST only be used by Clients or offered by Servers
after TLS negotiation".  Therefore, we reject SASL2 negotiations over
unencrypted transports by default.  However, TLS might be terminated
outside of ejabberd.  Add the 'allow_unencrypted_sasl2' option to
support this use case.
  • Loading branch information
@weiss
weiss committed Sep 29, 2024
1 parent 36187e0 commit 4723283
Show file tree
Hide file tree
Showing 5 changed files with 22 additions and 14 deletions.
2 changes: 1 addition & 1 deletion mix.exs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,7 @@ defmodule Ejabberd.MixProject do
{:p1_utils, "~> 1.0"},
{:pkix, "~> 1.0"},
{:stringprep, ">= 1.0.26"},
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "2a54443436dc8a942969f2ef7c5654d5acab7533", override: true},
{:xmpp, git: "https://github.com/processone/xmpp.git", ref: "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127", override: true},
{:yconf, "~> 1.0"}]
++ cond_deps()
end
Expand Down
2 changes: 1 addition & 1 deletion mix.lock
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,6 @@
"stringprep": {:hex, :stringprep, "1.0.30", "46cf0ff631b3e7328f61f20b454d59428d87738f25d709798b5dcbb9b83c23f1", [:rebar3], [{:p1_utils, "1.0.26", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "f6fc9b3384a03877830f89b2f38580caf3f4a27448a4a333d6a8c3975c220b9a"},
"stun": {:hex, :stun, "1.2.14", "6f538ac80c842131dbd149055570d116bfabc9b5ebff4bd6af2e7888958c660c", [:rebar3], [{:fast_tls, "1.1.21", [hex: :fast_tls, repo: "hexpm", optional: false]}, {:p1_utils, "1.0.26", [hex: :p1_utils, repo: "hexpm", optional: false]}], "hexpm", "e134807b1b7a8dffd94e64eefee00e65c7b4042f3d14e16f8f43566d20371583"},
"unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"},
"xmpp": {:git, "https://github.com/processone/xmpp.git", "2a54443436dc8a942969f2ef7c5654d5acab7533", [ref: "2a54443436dc8a942969f2ef7c5654d5acab7533"]},
"xmpp": {:git, "https://github.com/processone/xmpp.git", "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127", [ref: "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127"]},
"yconf": {:hex, :yconf, "1.0.16", "d59521d66ff89f219411b6e9277cd6feec7cc6fce11554e67de02a8d0a470479", [:rebar3], [{:fast_yaml, "1.0.37", [hex: :fast_yaml, repo: "hexpm", optional: false]}], "hexpm", "e947813273f38711c7b2e5a8e4acc9a51c7bbe854f744a345f60300b38586c89"},
}
2 changes: 1 addition & 1 deletion rebar.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@
{stringprep, "~> 1.0.29", {git, "https://github.com/processone/stringprep", {tag, "1.0.30"}}},
{if_var_true, stun,
{stun, "~> 1.2.12", {git, "https://github.com/processone/stun", {tag, "1.2.14"}}}},
{xmpp, "~> 1.8.3", {git, "https://github.com/processone/xmpp", "2a54443436dc8a942969f2ef7c5654d5acab7533"}},
{xmpp, "~> 1.8.3", {git, "https://github.com/processone/xmpp", "ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127"}},
{yconf, "~> 1.0.15", {git, "https://github.com/processone/yconf", {tag, "1.0.16"}}}
]}.

Expand Down
2 changes: 1 addition & 1 deletion rebar.lock
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
{<<"unicode_util_compat">>,{pkg,<<"unicode_util_compat">>,<<"0.7.0">>},1},
{<<"xmpp">>,
{git,"https://github.com/processone/xmpp",
{ref,"2a54443436dc8a942969f2ef7c5654d5acab7533"}},
{ref,"ff0dd5390acc3c1ee8cd1c7e6dc60a0c3cb1d127"}},
0},
{<<"yconf">>,{pkg,<<"yconf">>,<<"1.0.16">>},0}]}.
[
Expand Down
28 changes: 18 additions & 10 deletions src/ejabberd_c2s.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,16 +35,16 @@
-export([init/1, handle_call/3, handle_cast/2,
handle_info/2, terminate/2, code_change/3]).
-export([tls_options/1, tls_required/1, tls_enabled/1,
compress_methods/1, bind/2, sasl_mechanisms/2,
get_password_fun/2, check_password_fun/2, check_password_digest_fun/2,
unauthenticated_stream_features/1, authenticated_stream_features/1,
handle_stream_start/2, handle_stream_end/2,
handle_unauthenticated_packet/2, handle_authenticated_packet/2,
handle_auth_success/4, handle_auth_failure/4, handle_send/3,
handle_recv/3, handle_cdata/2, handle_unbinded_packet/2,
inline_stream_features/1, handle_sasl2_inline/2,
handle_sasl2_inline_post/3, handle_bind2_inline/2,
handle_bind2_inline_post/3, sasl_options/1]).
allow_unencrypted_sasl2/1, compress_methods/1, bind/2,
sasl_mechanisms/2, get_password_fun/2, check_password_fun/2,
check_password_digest_fun/2, unauthenticated_stream_features/1,
authenticated_stream_features/1, handle_stream_start/2,
handle_stream_end/2, handle_unauthenticated_packet/2,
handle_authenticated_packet/2, handle_auth_success/4,
handle_auth_failure/4, handle_send/3, handle_recv/3, handle_cdata/2,
handle_unbinded_packet/2, inline_stream_features/1,
handle_sasl2_inline/2, handle_sasl2_inline_post/3,
handle_bind2_inline/2, handle_bind2_inline_post/3, sasl_options/1]).
%% Hooks
-export([handle_unexpected_cast/2, handle_unexpected_call/3,
process_auth_result/3, reject_unauthenticated_packet/2,
Expand Down Expand Up @@ -392,6 +392,9 @@ tls_enabled(#{tls_enabled := TLSEnabled,
tls_verify := TLSVerify}) ->
TLSEnabled or TLSRequired or TLSVerify.

allow_unencrypted_sasl2(#{allow_unencrypted_sasl2 := AllowUnencryptedSasl2}) ->
AllowUnencryptedSasl2.

compress_methods(#{zlib := true}) ->
[<<"zlib">>];
compress_methods(_) ->
Expand Down Expand Up @@ -604,12 +607,14 @@ init([State, Opts]) ->
TLSEnabled = proplists:get_bool(starttls, Opts),
TLSRequired = proplists:get_bool(starttls_required, Opts),
TLSVerify = proplists:get_bool(tls_verify, Opts),
AllowUnencryptedSasl2 = proplists:get_bool(allow_unencrypted_sasl2, Opts),
Zlib = proplists:get_bool(zlib, Opts),
Timeout = ejabberd_option:negotiation_timeout(),
State1 = State#{tls_options => TLSOpts2,
tls_required => TLSRequired,
tls_enabled => TLSEnabled,
tls_verify => TLSVerify,
allow_unencrypted_sasl2 => AllowUnencryptedSasl2,
pres_a => ?SETS:new(),
zlib => Zlib,
lang => ejabberd_option:language(),
Expand Down Expand Up @@ -1047,6 +1052,8 @@ listen_opt_type(starttls) ->
econf:bool();
listen_opt_type(starttls_required) ->
econf:bool();
listen_opt_type(allow_unencrypted_sasl2) ->
econf:bool();
listen_opt_type(tls_verify) ->
econf:bool();
listen_opt_type(zlib) ->
Expand All @@ -1069,6 +1076,7 @@ listen_options() ->
{tls_compression, false},
{starttls, false},
{starttls_required, false},
{allow_unencrypted_sasl2, false},
{tls_verify, false},
{zlib, false},
{max_stanza_size, infinity},
Expand Down

0 comments on commit 4723283

Please sign in to comment.