Build: #3263 was successful
Job: Workflow was successful
Code commits
Openfire (master)
-
Guus der Kinderen 55f400f4b1e48da9a26bf0b033be8a5932653817
OF-3257: Use constant-time comparison for channel binding data in SCRAM-SHA-1(-PLUS) SASL server
Previously, the comparison of the expected and received channel binding payloads in ScramSha1SaslServer used Arrays.equals, which is not guaranteed to operate in constant time. This could potentially leak information about the channel binding data through timing side-channels.
This change replaces Arrays.equals with MessageDigest.isEqual, ensuring that the comparison is performed in constant time. This strengthens the implementation against timing attacks, aligns with secure coding best practices, and provides defense-in-depth for sensitive authentication operations.- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version 55f400f4b1e48da9a26bf0b033be8a5932653817)
-
Guus der Kinderen 7325e1f3f14d5e2ee8ddc23b02265c23c306dbe4
OF-3257/OF-3258 (code review): Prevent order-dependent failures by resetting the property after each test.
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerFakeKeyTest.java (version 7325e1f3f14d5e2ee8ddc23b02265c23c306dbe4)
-
Guus der Kinderen d7e92d5a4b0ab130310cf7a9eb50b7be139e7414
OF-3257/OF-3258: Improve one-time initialization of SERVER_SECRET_NONEXISTENT_USERS
The previous method for one-time initialization of the SERVER_SECRET_NONEXISTENT_USERS property (which depended on a static initializer block) proved to be fragile.
In this commit, initialization happens in a getter that should be used instead of directly accessing the property.- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version d7e92d5a4b0ab130310cf7a9eb50b7be139e7414)
-
Guus der Kinderen 38b2549c1a8753fffcc25dc54300ec0417d94c9b
OF-3257 (code review): Remove unused imports
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version 38b2549c1a8753fffcc25dc54300ec0417d94c9b)
-
Guus der Kinderen fe4f4ad6bc7e97947e02ee1e4df7a8655f85392c
OF-3257: Avoid short-circuiting in SCRAM by introducing deterministic fake keys
When storedKey or serverKey are missing, generate deterministic fake values derived from a server-side secret and the username. This ensures that authentication follows the same execution path regardless of user existence, reducing susceptibility to timing attacks.
Includes unit tests to verify determinism and key separation.- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version fe4f4ad6bc7e97947e02ee1e4df7a8655f85392c)
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerFakeKeyTest.java (version fe4f4ad6bc7e97947e02ee1e4df7a8655f85392c)
-
Guus der Kinderen d8481eb175564f69727192ee303e49fb58a34bbd
OF-3257/OF-3258 (code review): Spelling: 'nonexisting' -> 'nonexistent'
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version d8481eb175564f69727192ee303e49fb58a34bbd)
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerFakeKeyTest.java (version d8481eb175564f69727192ee303e49fb58a34bbd)
-
Guus der Kinderen d9f966f1ade13034d2328eb10dfe0b76a9fe304e
OF-3257 (code review): Updated reference to JIRA issue in comment.
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version d9f966f1ade13034d2328eb10dfe0b76a9fe304e)
-
Dan Caseley 5be60e84bfb4650fdb3ac88d00db11150fb44382
Apply review feedback
- Ensure JS var is initialised
- Ensure bash exit trap is ready
- Ensure sidecar tidies up if it fails to launch
- Ensure adb failures don't pollute maestro exit codes- .github/actions/conversationstest-action/run-tests.sh (version 5be60e84bfb4650fdb3ac88d00db11150fb44382)
- .github/actions/conversationstest-action/start-sidecar-api.sh (version 5be60e84bfb4650fdb3ac88d00db11150fb44382)
- build/ci/conversations/flows/scripts/checkForLogs.js (version 5be60e84bfb4650fdb3ac88d00db11150fb44382)
-
Dan Caseley 69f593d3f7f0d90fffbbf93c7d4bbf5cadeae9b9
Apply review feedback
- Remove custom port config
- Make action tag input required
- Add empty config file entry for the demoboot tag
- Fix demoboot config path in docs
- Fix tmp directory docs- .github/actions/conversationstest-action/action.yml (version 69f593d3f7f0d90fffbbf93c7d4bbf5cadeae9b9)
- .github/actions/conversationstest-action/start-sidecar-api.sh (version 69f593d3f7f0d90fffbbf93c7d4bbf5cadeae9b9)
- .github/workflows/continuous-integration-workflow.yml (version 69f593d3f7f0d90fffbbf93c7d4bbf5cadeae9b9)
- build/ci/conversations/flows/README.md (version 69f593d3f7f0d90fffbbf93c7d4bbf5cadeae9b9)
-
Dan Caseley 54402247f5257658ecee6bd45019b364a07e547c
CI: Add action to run Maestro tests, along with simple tests
- .github/actions/conversationstest-action/action.yml (version 54402247f5257658ecee6bd45019b364a07e547c)
- .github/actions/conversationstest-action/run-tests.sh (version 54402247f5257658ecee6bd45019b364a07e547c)
- .github/actions/conversationstest-action/start-sidecar-api.sh (version 54402247f5257658ecee6bd45019b364a07e547c)
- .github/actions/conversationstest-action/stop-sidecar-api.sh (version 54402247f5257658ecee6bd45019b364a07e547c)
- .github/workflows/continuous-integration-workflow.yml (version 54402247f5257658ecee6bd45019b364a07e547c)
- .gitignore (version 54402247f5257658ecee6bd45019b364a07e547c)
- build/ci/conversations/configs/sasl2.xml (version 54402247f5257658ecee6bd45019b364a07e547c)
- build/ci/conversations/flows/README.md (version 54402247f5257658ecee6bd45019b364a07e547c)
- build/ci/conversations/flows/sasl2.yaml (version 54402247f5257658ecee6bd45019b364a07e547c)
- build/ci/conversations/flows/scripts/checkForLogs.js (version 54402247f5257658ecee6bd45019b364a07e547c)
- build/ci/conversations/flows/scripts/checkHealth.js (version 54402247f5257658ecee6bd45019b364a07e547c)
- build/ci/conversations/flows/scripts/startSession.js (version 54402247f5257658ecee6bd45019b364a07e547c)
- build/ci/conversations/flows/simple.yaml (version 54402247f5257658ecee6bd45019b364a07e547c)
-
Dan Caseley 70aa21b7d216e80ebcd20d7458a7715588e6e304
CI: Fix LocalIncomingServerSessionTest flake - don't hang on undiscovered streams
- xmppserver/src/test/java/org/jivesoftware/openfire/session/RemoteInitiatingServerDummy.java (version 70aa21b7d216e80ebcd20d7458a7715588e6e304)
-
Dan Caseley d33ef5468b96b45a142d4bf197e8fc045b6dff28
CI: Fix LocalOutgoingServerSessionTest flake - delaying assignment
Mockito was causing UnfinishedStubbingException on XMPPServer.setInstance(newMock)- xmppserver/src/test/java/org/jivesoftware/openfire/session/LocalOutgoingServerSessionTest.java (version d33ef5468b96b45a142d4bf197e8fc045b6dff28)
-
Dan Caseley 122043708956efe8d2eee66c62b7f805d16229ff
CI: Fix BOSH test flake
Commit ea7577566 explicitly added tolerance to the TCP test, but references BOSH. I've extended it to BOSH - no idea if TCP is in error.- .github/actions/connectivitytests-action/conntest/src/test/java/ConnectivityTest.java (version 122043708956efe8d2eee66c62b7f805d16229ff)
-
Dan Caseley 3f92aa72f42218169c53529fcfe16afbe47721d4
CI: Fix LocalOutgoingServerSessionTest by allowing a single retry in case of a Netty race condition
- xmppserver/src/test/java/org/jivesoftware/openfire/session/LocalOutgoingServerSessionTest.java (version 3f92aa72f42218169c53529fcfe16afbe47721d4)
-
Dan Caseley f0ad4afb17c2b145089ab54c30ef698951b05b76
CI: Fix LocalIncomingServerSessionTest flake - allow ssl retries
- xmppserver/src/test/java/org/jivesoftware/openfire/session/RemoteInitiatingServerDummy.java (version f0ad4afb17c2b145089ab54c30ef698951b05b76)
-
Dan Caseley f56e3fba24f8e15f2a504033e3e67090ef8a6a15
CI: Revert the lenience given to testTCPConnections
ea7577566 added a lenience, but gasve it to TCP rather than BOSH connection- .github/actions/connectivitytests-action/conntest/src/test/java/ConnectivityTest.java (version f56e3fba24f8e15f2a504033e3e67090ef8a6a15)