From: Badlop
Date: Wed, 1 Jun 2016 18:48:52 +0000 (+0200)
Subject: Report in SQL when scram is enabled but the stored password isn't (#1096)
X-Git-Tag: 16.06~59
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=53520376809093244365f18bb076aa1dda487bb3;p=ejabberd

Report in SQL when scram is enabled but the stored password isn't (#1096)
---
diff --git a/src/ejabberd_auth_sql.erl b/src/ejabberd_auth_sql.erl
index 17e3e517b..d6d945e02 100644
--- a/src/ejabberd_auth_sql.erl
+++ b/src/ejabberd_auth_sql.erl
@@ -88,7 +88,7 @@ check_password(User, AuthzId, Server, Password) ->
 serverkey = ServerKey,
 salt = Salt,
 iterationcount = IterationCount},
- is_password_scram_valid(Password, Scram);
+ is_password_scram_valid_stored(Password, Scram, LUser, LServer);
 {selected, []} ->
 false; %% Account does not exist
 {error, _Error} ->
@@ -417,6 +417,15 @@ password_to_scram(Password, IterationCount) ->
 salt = jlib:encode_base64(Salt),
 iterationcount = IterationCount}.
 
+is_password_scram_valid_stored(Pass, {scram,Pass,<<>>,<<>>,0}, LUser, LServer) ->
+ ?INFO_MSG("Apparently, SQL auth method and scram password formatting are "
+ "enabled, but the password of user '~s' in the 'users' table is not "
+ "scrammed. You may want to execute this command: "
+ "ejabberdctl convert_to_scram ~s", [LUser, LServer]),
+ false;
+is_password_scram_valid_stored(Password, Scram, _, _) ->
+ is_password_scram_valid(Password, Scram).
+
 is_password_scram_valid(Password, Scram) ->
 IterationCount = Scram#scram.iterationcount,
 Salt = jlib:decode_base64(Scram#scram.salt),
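Review bot: The first clause of is_password_scram_valid_stored/4 detects a non-scrammed row only when the client's password equals the stored value (`{scram,Pass,<<>>,<<>>,0}` binds `Pass` twice), so the INFO line doubles as a log record that a correct cleartext password was presented, while any other attempt against such a row still reaches is_password_scram_valid/2 with an empty salt and an iteration count of 0; that function's body continues past the hunk, so how it handles those values is not visible here. Matching on the row shape alone, with record syntax instead of a positional tuple, keeps the check independent of the supplied password and of the record's field order: `is_password_scram_valid_stored(_, #scram{serverkey = <<>>, salt = <<>>, iterationcount = 0}, LUser, LServer) ->`. Since the message would then be written on every login attempt for such an account, a lower log level or a once-per-user guard is worth considering. The pattern also assumes iterationcount arrives as the integer 0, which is presumably what the SQL query returns but should be confirmed against it.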