Converting to scram throws error due to a newline character in password #996
The "error" comes from jid:resourceprep here:
The password should be normalized with saslprep and not resourceprep. Saslprep seems to support newline characters, if I read the RFC correctly. The stringprep module does not support saslprep.
Nevermind. Saslprep does not allow newline characters.
In summary, what's the result of your findings?
Both. It depends on the SASL mechanism. From the PLAIN RFC:
From the SCRAM RFC:
SASLprep does not allow control characters such as newline characters. Ejabberd does not use a preparation algorithm when using PLAIN (or when registering an account), but uses it for SCRAM. This causes a problem when converting the database and I found another problem, that I tested:
There probably should always be a jid:resourceprep check when a password is used, but this is a problem for existing password databases, because they already contain a newline character. But it should not be a problem adding this check to the registration of new users. Note: I don't have much experience reading RFCs.
This issue still requires some fixes, see #1295
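As an added illustration (not ejabberd's code and not a complete SASLprep implementation): a Python check that applies the mapping, NFKC normalization and control-character prohibitions of RFC 4013 to plaintext password rows before a SCRAM conversion, and reports which users would fail, such as the newline case discussed in this issue. The row layout and sample rows are constructed for the example.

```python
import unicodedata

# RFC 3454 table B.1: characters "commonly mapped to nothing" (dropped).
MAP_TO_NOTHING = {0x00AD, 0x034F, 0x1806, 0x180B, 0x180C, 0x180D, 0x200B,
                  0x200C, 0x200D, 0x2060, 0xFEFF} | set(range(0xFE00, 0xFE10))
# RFC 3454 table C.1.2: non-ASCII space characters, mapped to U+0020.
NON_ASCII_SPACE = {0x00A0, 0x1680, 0x202F, 0x205F, 0x3000} | set(range(0x2000, 0x200C))
# RFC 3454 tables C.2.1 and C.2.2: ASCII and non-ASCII control characters (prohibited).
CONTROL = (set(range(0x0000, 0x0020)) | {0x007F} | set(range(0x0080, 0x00A0))
           | {0x06DD, 0x070F, 0x180E, 0x200C, 0x200D, 0x2028, 0x2029, 0xFEFF}
           | set(range(0x2060, 0x2064)) | set(range(0x206A, 0x2070))
           | set(range(0xFFF9, 0xFFFD)) | set(range(0x1D173, 0x1D17B)))

class SaslprepError(ValueError):
    """Raised when the input contains a code point SASLprep prohibits."""

def saslprep(password: str) -> str:
    """Subset of RFC 4013: mapping, NFKC, and the control-character prohibitions."""
    mapped = []
    for ch in password:                      # step 1: mapping (RFC 4013 section 2.1)
        cp = ord(ch)
        if cp in MAP_TO_NOTHING:
            continue
        mapped.append(" " if cp in NON_ASCII_SPACE else ch)
    prepared = unicodedata.normalize("NFKC", "".join(mapped))  # step 2: NFKC (2.2)
    for ch in prepared:                      # step 3: prohibited output (2.3)
        if ord(ch) in CONTROL:
            raise SaslprepError(f"prohibited control character U+{ord(ch):04X}")
    return prepared

def find_unpreppable(rows):
    """Return (user, reason) for each (user, password) row SASLprep would reject.

    Run this over the plaintext table before converting to SCRAM so the failing
    accounts are known up front instead of aborting the conversion part-way.
    """
    bad = []
    for user, password in rows:
        try:
            saslprep(password)
        except SaslprepError as e:
            bad.append((user, str(e)))
    return bad

# Constructed sample rows; "bob" mirrors the newline case from this issue.
SAMPLE_ROWS = [("alice", "correct horse"), ("bob", "secret\n"),
               ("carol", "pass\u00a0word"), ("dave", "tab\tsep")]

if __name__ == "__main__":
    for user, reason in find_unpreppable(SAMPLE_ROWS):
        print(f"{user}: {reason}")
```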
I am trying to convert a user database in mysql to the scram format. For this I have a database that has the correct table columns for scram. I start the conversion via ejabberdctl debug:
This error happens after it converted the first hundreds of users. It has a problem with passwords that contain a newline character ("\n"). There are a few dozen users with such a password.
Here is a test case with an empty database:
I tested this with ejabberd 16.02 and 16.01.