Update of the SASL SCRAM Downgrade protection XEP

[edhelas]

The value delimiters were changed to prevent some possible attack.

in a nutshell the "," delimiter with 0x1e and the "|" delimiter with 0x1f...the scram attribute key changed from "d" to "h" to get a better upgrade path...

The related PR is there: xsf/xeps#1422
And the rendered version is there: https://dyn.eightysoft.de/xeps/xep-0474.html

Thanks again for the awesome work you're doing on the library !

[fabiang]

Interesting attack vector! There are two key steps we need to address first:

1. Ensure we have server software that supports the new parameter so we can validate it with our integration tests.
2. Decide how to phase out the old parameter: should we trigger a warning when it's used and/or implement a strict mode to reject connections?

@edhelas: Could you provide an update here once XMPP servers has added the parameter?

[tmolitor-stud-tu]

I've already updated Prosody's ssdp module 2 days ago: https://hg.prosody.im/prosody-modules/rev/eedeed1bccf7

The fix for ejabberd was committed yesterday, too: processone/xmpp#99

[fabiang]

Thank you for the information! When I begin working on this issue, I'll attempt to build an ejabberd/ecs Docker image using the latest master branch, if no official version is available by that time.

[tmolitor-stud-tu]

you can use Holger Weiß' test server at messaging.one, too. He deployed my PR there before merging it :)

[tmolitor-stud-tu]

btw: go-sendxmpp and Monal are now patched to implement the fixed version of ssdp, too.

[edhelas]

It seems that some XMPP servers are already patched and Movim cannot login on them anymore :(
Do not hesitate to ping me if you make some advance, I'll do a .z release with the library bump once its fixed :)

[fabiang]

I'm currently waiting for processone/docker-ejabberd#121 to get merged. Without it I can't run the test automatically against a patched version of ejabberd.