Merge pull request #4020 from esl/scram_errors

Scram errors
esl · May 9, 2023 · b12d6d6 · b12d6d6
2 parents 7ffe85a + 897d72b
commit b12d6d6
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 6 deletions.
diff --git a/big_tests/tests/login_SUITE.erl b/big_tests/tests/login_SUITE.erl
@@ -18,6 +18,7 @@
 -compile([export_all, nowarn_export_all]).
 
 -include_lib("exml/include/exml.hrl").
+-include_lib("stdlib/include/assert.hrl").
 
 -import(distributed_helper, [mim/0,
                              require_rpc_nodes/1,
@@ -52,7 +53,8 @@ groups() ->
      {access, [], access_tests()}].
 
 scram_tests() ->
-    [log_one,
+    [scram_failed_with_non_authorized,
+     log_one,
      log_one_scram_sha1,
      log_one_scram_sha224,
      log_one_scram_sha256,
@@ -230,6 +232,22 @@ set_access_none(C2SPort, Config) ->
 %% Message tests
 %%--------------------------------------------------------------------
 
+scram_failed_with_non_authorized(Config) ->
+    ConnectionSteps = [start_stream, stream_features],
+    UserSpec = escalus_fresh:create_fresh_user(Config, alice),
+    {ok, Alice, _Features} = escalus_connection:start(UserSpec, ConnectionSteps),
+    Username = escalus_utils:get_username(Alice),
+    BadPayload = <<"n,,n=", Username/binary, ",r=9ZdW+o71OwOrDUx4J5+M+A==">>,
+    AuthStanza = auth_stanza(<<"SCRAM-SHA-1">>, BadPayload),
+    escalus_client:send(Alice, AuthStanza),
+    _Challenge = escalus_client:wait_for_stanza(Alice),
+    WrongProof = <<"c=biws,r=invalid_nonce,p=wrong_proof">>,
+    Response = auth_response(WrongProof),
+    escalus_client:send(Alice, Response),
+    Failure = escalus_client:wait_for_stanza(Alice),
+    ?assertMatch(#xmlel{name = <<"failure">>}, Failure),
+    ?assertMatch(#xmlel{}, exml_query:subelement(Failure, <<"not-authorized">>)).
+
 log_one(Config) ->
     escalus:fresh_story(Config, [{alice, 1}], fun(Alice) ->
 
@@ -498,3 +516,15 @@ are_sasl_scram_modules_supported() ->
 restore_c2s(Config) ->
    C2SListener = proplists:get_value(c2s_listener, Config),
    mongoose_helper:restart_listener(mim(), C2SListener).
+
+-define(NS_SASL, <<"urn:ietf:params:xml:ns:xmpp-sasl">>).
+auth_stanza(Mech, Payload) ->
+    #xmlel{name = <<"auth">>,
+           attrs = [{<<"xmlns">>, ?NS_SASL},
+                    {<<"mechanism">>, Mech}],
+           children = [#xmlcdata{content = base64:encode(Payload)}]}.
+
+auth_response(Payload) ->
+    #xmlel{name = <<"response">>,
+           attrs = [{<<"xmlns">>, ?NS_SASL}],
+           children = [#xmlcdata{content = base64:encode(Payload)}]}.
diff --git a/rebar.config b/rebar.config
@@ -71,7 +71,7 @@
 
   %%% Stateless libraries
   {fast_tls, "1.1.16"},
-  {fast_scram, "0.4.4"},
+  {fast_scram, "0.5.0"},
   {idna, "6.1.1"},
   {uuid, "2.0.5", {pkg, uuid_erl}},
   {gen_fsm_compat, "0.3.0"},

diff --git a/rebar.lock b/rebar.lock
@@ -41,7 +41,7 @@
        {ref,"f1c369becb6e57871f1c7b0e491f6c3a302a65ee"}},
   0},
  {<<"fast_pbkdf2">>,{pkg,<<"fast_pbkdf2">>,<<"1.0.3">>},1},
- {<<"fast_scram">>,{pkg,<<"fast_scram">>,<<"0.4.4">>},0},
+ {<<"fast_scram">>,{pkg,<<"fast_scram">>,<<"0.5.0">>},0},
  {<<"fast_tls">>,{pkg,<<"fast_tls">>,<<"1.1.16">>},0},
  {<<"flatlog">>,{pkg,<<"flatlog">>,<<"0.1.2">>},0},
  {<<"fusco">>,{pkg,<<"fusco">>,<<"0.1.1">>},0},
@@ -148,7 +148,7 @@
  {<<"erlcloud">>, <<"75B93168BF6F9CD4573B261D8F83FD2C89F7809AFEAAADABFA39ECE3F75F3055">>},
  {<<"exml">>, <<"C64FE46373886FD62F3F753D8031034E231DC0C138F9CD3539F738EF220F0960">>},
  {<<"fast_pbkdf2">>, <<"4F09D6C6C20DBEE1970E0A6AE91432E1B7731F88426C671D083BAC31FFA1FDAD">>},
- {<<"fast_scram">>, <<"299A2D430955A62A94CB43B1A727C5D21A5C4BD11AEBA476AE2F3A24CFBE89C3">>},
+ {<<"fast_scram">>, <<"BD0B946911B07D36EC22AD950FF22F77F27B94E4E24452AF966597C6D8CB5E7F">>},
  {<<"fast_tls">>, <<"85FA7F3112EA4FF5CCB4F3ABADC130A8C855AD74EB00869487399CB0C322D208">>},
  {<<"flatlog">>, <<"8C4B81A4931A1396254DBD975B841F4A6350D6F128FF94FFE86799A4451E32B1">>},
  {<<"fusco">>, <<"3DD6A90151DFEF30EA1937CC44E9A59177C0094918388D9BCAA2F2DC5E2AE4AA">>},
@@ -214,7 +214,7 @@
  {<<"erlcloud">>, <<"9E482E6B1C956A649AE878CBE46494BC36E6CAFA1C677B30158C0ED4BAD789E9">>},
  {<<"exml">>, <<"CB54BF62E2902B52FE9CAF7E65176E764E8A10CCC51DE2DEDC0FC5C8D9F91AC6">>},
  {<<"fast_pbkdf2">>, <<"2900431E2E6402F23A92754448BBD949DA366BC9C984FDC791DDCFCC41042434">>},
- {<<"fast_scram">>, <<"4B30084E3BDB39158076381FC871035BEFD157D5EE614BDA5E19EA482855E5D5">>},
+ {<<"fast_scram">>, <<"D45B746B8D17C0F73A94CBDB526E115A4AEDFECB4D42CA935BCB1195D783B4E1">>},
  {<<"fast_tls">>, <<"AA08CCA89B4044E74F1F12E399817D8BEAEAE3EE006C98A893C0BFB1D81FBA51">>},
  {<<"flatlog">>, <<"FDD2A311A67F63F9D0BC194FAD6BEAF9CCCDE8FFFEE2919DF1C4D86098E49984">>},
  {<<"fusco">>, <<"6343551BD1E824F2A6CA85E1158C5B37C320FD449FBFEC7450A73F192AAF9022">>},

diff --git a/src/sasl/cyrsasl_scram.erl b/src/sasl/cyrsasl_scram.erl
@@ -60,7 +60,8 @@ mech_step(State, ClientIn) ->
             Creds1 = mongoose_credentials:extend(Creds0, R),
             {ok, Creds1};
         {error, Reason, _} ->
-            {error, Reason}
+            ?LOG_INFO(#{what => scram_authentication_failed, reason => Reason}),
+            {error, <<"not-authorized">>}
     end.
 
 -spec get_scram_attributes(mongooseim:host_type(), jid:jid(), sha()) -> scram_att() | error().