From fe8710fe00a2b87e56f3b0d237c41f1159c78ea3 Mon Sep 17 00:00:00 2001
From: Pawel Chmielowski
Date: Fri, 25 Jul 2025 09:35:10 +0200
Subject: [PATCH 1/3] Rename auth_password_types_hidden_in_scram1 option to auth_password_types_hidden_in_sasl1
Also add migration code from old name
---
src/ejabberd_c2s.erl | 2 +-
src/ejabberd_config_transformer.erl | 2 ++
src/ejabberd_option.erl | 14 +++++++-------
src/ejabberd_options.erl | 4 ++--
src/ejabberd_options_doc.erl | 6 +++---
5 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 1a03adc9f..f0f225bee 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -455,7 +455,7 @@ sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = St
(<<"EXTERNAL">>) -> maps:get(tls_verify, State, false);
(_) -> false
end, Mechs -- Mechs1),
- case ejabberd_option:auth_password_types_hidden_in_scram1() of
+ case ejabberd_option:auth_password_types_hidden_in_sasl1() of
[] -> Mechs2;
List ->
Mechs3 = lists:foldl(
diff --git a/src/ejabberd_config_transformer.erl b/src/ejabberd_config_transformer.erl
index 362bbecea..1aed7c6a8 100644
--- a/src/ejabberd_config_transformer.erl
+++ b/src/ejabberd_config_transformer.erl
@@ -230,6 +230,8 @@ filter(_Host, captcha_host, _, _) ->
filter(_Host, route_subdomains, _, _) ->
warn_removed_option(route_subdomains, s2s_access),
false;
+filter(_Host, auth_password_types_hidden_in_scram1, Val, _) ->
+ {true, {auth_password_types_hidden_in_sasl1, Val}};
filter(Host, modules, ModOpts, State) ->
NoDialbackHosts = maps:get(remove_s2s_dialback, State, []),
ModOpts1 = lists:filter(
diff --git a/src/ejabberd_option.erl b/src/ejabberd_option.erl
index 4361571f8..775ea14c9 100644
--- a/src/ejabberd_option.erl
+++ b/src/ejabberd_option.erl
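Review bot: The new `filter(_Host, auth_password_types_hidden_in_scram1, Val, _)` clause in ejabberd_config_transformer rewrites the old option name silently, whereas the neighbouring `filter(_Host, route_subdomains, _, _)` clause calls `warn_removed_option` so operators learn that their configuration is stale. Consider emitting a rename warning as the first expression of the clause before returning the renamed tuple; if the module has a `warn_replaced_option/2` helper like its removed-option one, `warn_replaced_option(auth_password_types_hidden_in_scram1, auth_password_types_hidden_in_sasl1),` would be the natural form. A comment such as `%% Accept the pre-rename option name and map it to auth_password_types_hidden_in_sasl1` above the clause would record why the alias exists. The rest of filter/4 lies outside the hunk, so the exact return shape it expects for a rewritten option should be confirmed against the other clauses.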
@@ -18,7 +18,7 @@
-export([auth_method/0, auth_method/1]).
-export([auth_opts/0, auth_opts/1]).
-export([auth_password_format/0, auth_password_format/1]).
--export([auth_password_types_hidden_in_scram1/0, auth_password_types_hidden_in_scram1/1]).
+-export([auth_password_types_hidden_in_sasl1/0, auth_password_types_hidden_in_sasl1/1]).
-export([auth_scram_hash/0, auth_scram_hash/1]).
-export([auth_stored_password_types/0, auth_stored_password_types/1]).
-export([auth_use_cache/0, auth_use_cache/1]).
@@ -264,12 +264,12 @@ auth_password_format() ->
auth_password_format(Host) ->
ejabberd_config:get_option({auth_password_format, Host}).
--spec auth_password_types_hidden_in_scram1() -> ['plain' | 'scram_sha1' | 'scram_sha256' | 'scram_sha512'].
-auth_password_types_hidden_in_scram1() ->
- auth_password_types_hidden_in_scram1(global).
--spec auth_password_types_hidden_in_scram1(global | binary()) -> ['plain' | 'scram_sha1' | 'scram_sha256' | 'scram_sha512'].
-auth_password_types_hidden_in_scram1(Host) ->
- ejabberd_config:get_option({auth_password_types_hidden_in_scram1, Host}).
+-spec auth_password_types_hidden_in_sasl1() -> ['plain' | 'scram_sha1' | 'scram_sha256' | 'scram_sha512'].
+auth_password_types_hidden_in_sasl1() ->
+ auth_password_types_hidden_in_sasl1(global).
+-spec auth_password_types_hidden_in_sasl1(global | binary()) -> ['plain' | 'scram_sha1' | 'scram_sha256' | 'scram_sha512'].
+auth_password_types_hidden_in_sasl1(Host) ->
+ ejabberd_config:get_option({auth_password_types_hidden_in_sasl1, Host}).
-spec auth_scram_hash() -> 'sha' | 'sha256' | 'sha512'.
auth_scram_hash() ->
diff --git a/src/ejabberd_options.erl b/src/ejabberd_options.erl
index ee3acfc58..609d75b93 100644
--- a/src/ejabberd_options.erl
+++ b/src/ejabberd_options.erl
@@ -79,7 +79,7 @@ opt_type(auth_opts) ->
end;
opt_type(auth_stored_password_types) ->
econf:list(econf:enum([plain, scram_sha1, scram_sha256, scram_sha512]));
-opt_type(auth_password_types_hidden_in_scram1) ->
+opt_type(auth_password_types_hidden_in_sasl1) ->
econf:list(econf:enum([plain, scram_sha1, scram_sha256, scram_sha512]));
opt_type(auth_password_format) ->
econf:enum([plain, scram]);
@@ -566,7 +566,7 @@ options() ->
{auth_password_format, plain},
{auth_scram_hash, sha},
{auth_stored_password_types, []},
- {auth_password_types_hidden_in_scram1, []},
+ {auth_password_types_hidden_in_sasl1, []},
{auth_external_user_exists_check, true},
{auth_use_cache, fun(Host) -> ejabberd_config:get_option({use_cache, Host}) end},
diff --git a/src/ejabberd_options_doc.erl b/src/ejabberd_options_doc.erl
index a8d5962f5..56e2633c3 100644
--- a/src/ejabberd_options_doc.erl
+++ b/src/ejabberd_options_doc.erl
@@ -399,12 +399,12 @@ doc() ->
"depends on the _`auth_scram_hash`_ option."), "", ?T("The default value is 'plain'."), ""]}},
- {auth_password_types_hidden_in_scram1,
+ {auth_password_types_hidden_in_sasl1,
#{value => "[plain | scram_sha1 | scram_sha256 | scram_sha512]",
note => "added in 25.07",
desc =>
- ?T("List of password types that should not be offered in SCRAM1 authenticatication. "
- "Because SCRAM1, unlike SCRAM2, can't have list of available mechanisms tailored to "
+ ?T("List of password types that should not be offered in SASL1 authenticatication. "
+ "Because SASL1, unlike SASL2, can't have list of available mechanisms tailored to "
"individual user, it's possible that offered mechanisms will not be compatible "
"with stored password, especially if new password type was added recently. "
"This option allows disabling offering some mechanisms in SASL1, to a time until new "
From 7647b77225da5ecbd67c5930f80953dbe25a6d1a Mon Sep 17 00:00:00 2001
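Review bot: The first added `?T(` line in the ejabberd_options_doc hunk carries over the typo "authenticatication" from the line it replaces; since the string is being rewritten anyway, it should read `?T("List of password types that should not be offered in SASL1 authentication. "`. If `?T` marks the string for translation, as its use throughout doc/0 suggests, the typo otherwise ends up in every message catalogue and must be fixed there too once translators pick it up.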
From: Badlop
Date: Thu, 24 Jul 2025 11:55:23 +0200
Subject: [PATCH 2/3] Runtime: Raise the minimum Erlang tested to Erlang/OTP 24
The Erlang containers from versions 20-23 use Debian Buster, and require the debian repositories to install some development libraries. The Debian Buster repositories are no longer available, which means that we can no longer perform any test with Erlang 20-23.
---
.github/workflows/runtime.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/runtime.yml b/.github/workflows/runtime.yml
index 4236a22be..90eee1fc2 100644
--- a/.github/workflows/runtime.yml
+++ b/.github/workflows/runtime.yml
@@ -31,9 +31,11 @@ jobs:
strategy:
fail-fast: false
matrix:
- otp: ['20', '25', '26', '27', '28']
+ otp: ['24', '25', '26', '27', '28']
rebar: ['rebar', 'rebar3']
exclude:
+ - otp: '24'
+ rebar: 'rebar'
- otp: '27'
rebar: 'rebar'
- otp: '28'
From 4cd3c657e22ca3987a5eaff6c1a5c6e2ef773477 Mon Sep 17 00:00:00 2001
From: Badlop
Date: Fri, 25 Jul 2025 10:34:02 +0200
Subject: [PATCH 3/3] ejabberd_listener: Try to create provisional socket in final directory (#4422)
and if that path is too long, then try HOME directory, if that's too long too, throw error explaining the problem.
By the way, cutting the base64 string to 107 is a bad idea, as it encodes the final path, which would get lost and crash.
---
src/ejabberd_listener.erl | 36 ++++++++++++++++++++++++++----------
1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/src/ejabberd_listener.erl b/src/ejabberd_listener.erl
index aad6ecd86..f82b1e05b 100644
--- a/src/ejabberd_listener.erl
+++ b/src/ejabberd_listener.erl
@@ -224,13 +224,26 @@ setup_provisional_udsocket_dir(DefinitivePath) ->
ProvisionalPath = get_provisional_udsocket_path(DefinitivePath),
?INFO_MSG("Creating a Unix Domain Socket provisional file at ~ts for the definitive path ~s", [ProvisionalPath, DefinitivePath]),
- ProvisionalPath.
+ ProvisionalPathAbsolute = relative_socket_to_mnesia(ProvisionalPath),
+ create_base_dir(ProvisionalPathAbsolute),
+ ProvisionalPathAbsolute.
get_provisional_udsocket_path(Path) ->
PathBase64 = misc:term_to_base64(Path),
PathBuild = filename:join(misc:get_home(), PathBase64),
- %% Shorthen the path, a long path produces a crash when opening the socket.
- binary:part(PathBuild, {0, erlang:min(107, byte_size(PathBuild))}).
+ DestPath = filename:join(filename:dirname(Path), PathBase64),
+ case {byte_size(DestPath) > 107, byte_size(PathBuild) > 107} of
+ {false, _} ->
+ DestPath;
+ {true, false} ->
+ ?INFO_MSG("The provisional Unix Domain Socket path ~ts is longer than 107, let's use home directory instead which is ~p", [DestPath, byte_size(PathBuild)]),
+ PathBuild;
+ {true, true} ->
+ ?ERROR_MSG("The Unix Domain Socket path ~ts is too long, "
+ "and I cannot create the provisional file safely. "
+ "Please configure a shorter path and try again.", [Path]),
+ throw({error_socket_path_too_long, Path})
+ end.
get_definitive_udsocket_path(<<"unix", _>> = Unix) -> Unix;
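Review bot: The 107-byte check in get_provisional_udsocket_path measures `DestPath` before setup_provisional_udsocket_dir passes the result through `relative_socket_to_mnesia/1`, so a relative `Path` can pass the check and still exceed the limit once the mnesia directory is prefixed; measuring the absolutised candidate, e.g. `DestPath = relative_socket_to_mnesia(filename:join(filename:dirname(Path), PathBase64)),`, closes that gap (relative_socket_to_mnesia's behaviour on an already absolute path is outside this hunk and should be confirmed to be a no-op). Two smaller points in the same function: if misc:term_to_base64 uses the standard base64 alphabet, `PathBase64` can contain `/`, which filename:join turns into extra path components that create_base_dir does not create, so a filesystem-safe encoding would be more robust; and the `{true, false}` log passes `byte_size(PathBuild)` where the text says "home directory instead which is ~p", so it prints a length rather than the directory. The literal 107 now appears three times and would read better as a named macro with a comment explaining where the value comes from.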
@@ -271,17 +284,20 @@ set_definitive_udsocket(<<"unix:", Path/binary>>, Opts) ->
end
end,
FinalPath = relative_socket_to_mnesia(Path),
- FinalPathDir = filename:dirname(FinalPath),
- case file:make_dir(FinalPathDir) of
- ok ->
- file:change_mode(FinalPathDir, 8#00700);
- _ ->
- ok
- end,
+ create_base_dir(FinalPath),
file:rename(Prov, FinalPath);
set_definitive_udsocket(Port, _Opts) when is_integer(Port) ->
ok.
+create_base_dir(Path) ->
+ Dirname = filename:dirname(Path),
+ case file:make_dir(Dirname) of
+ ok ->
+ file:change_mode(Dirname, 8#00700);
+ _ ->
+ ok
+ end.
+
relative_socket_to_mnesia(Path1) ->
case filename:pathtype(Path1) of
absolute ->
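Review bot: `create_base_dir/1` folds every `file:make_dir/1` failure into the `_ -> ok` branch, so a directory that already exists keeps whatever mode it was created with (the `8#00700` tightening only applies when this code creates it), and a real failure such as a missing parent or `eacces` is dropped silently until `file:rename/2` in the caller fails with a less useful error. Matching `{error, eexist}` separately and logging the other reasons keeps the best-effort behaviour while making the failure visible; the result of `file:change_mode/2` is likewise ignored and could be logged the same way. A short comment stating that the directory is only chmod'ed when newly created would document the intent. The rewrite below is the whole helper; it now also covers the provisional-socket directory created in the earlier hunk.
```erlang
create_base_dir(Path) ->
    Dirname = filename:dirname(Path),
    case file:make_dir(Dirname) of
        ok ->
            %% Restrict the socket directory to its owner only when we
            %% created it; a pre-existing directory keeps its mode.
            file:change_mode(Dirname, 8#00700);
        {error, eexist} ->
            ok;
        {error, Reason} ->
            ?ERROR_MSG("Cannot create directory ~ts for Unix Domain Socket: ~p",
                       [Dirname, Reason]),
            ok
    end.
```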