Build #2997 was successful. Changes by Guus der Kinderen
Code commits
Openfire (master)
-
Guus der Kinderen 45b0221b64f9b2ba21e2953bb503118656b95fb3
OF-2694 (code review feedback): (more) correctly encode SCRAM-SHA-1 test vector
Instead of concatenating two base64 strings, concat the byte-parts of the channel-binding data, and base64 encode the result. This better conforms to https://datatracker.ietf.org/doc/html/rfc5802#section-7
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerTest.java (version 45b0221b64f9b2ba21e2953bb503118656b95fb3)
-
Guus der Kinderen f39641d3f8b22024dd3320e6a56a80f0ab04a654
OF-2694: Make available `tls-server-end-point` channel binding by default
This registers the corresponding provider without any ceremony. Future modifications could introduce configurability, but as support for this channel binding is mandatory per XEP, hard-coding seems acceptable.
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version f39641d3f8b22024dd3320e6a56a80f0ab04a654)
-
Guus der Kinderen e9759983513777462a9b082b13d660a645e0cee1
OF-2694: Add SCRAM-SHA-1-PLUS mechanism with channel binding support
Introduces SCRAM-SHA-1-PLUS SASL mechanism, implementing RFC 5802 channel binding for TLS.
Advertise SCRAM-SHA-1-PLUS by default, but only when channel binding is available and session is encrypted.
- i18n/src/main/resources/openfire_i18n.properties (version e9759983513777462a9b082b13d660a645e0cee1)
- i18n/src/main/resources/openfire_i18n_nl.properties (version e9759983513777462a9b082b13d660a645e0cee1)
- xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version e9759983513777462a9b082b13d660a645e0cee1)
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/SaslProvider.java (version e9759983513777462a9b082b13d660a645e0cee1)
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/SaslServerFactoryImpl.java (version e9759983513777462a9b082b13d660a645e0cee1)
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version e9759983513777462a9b082b13d660a645e0cee1)
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerTest.java (version e9759983513777462a9b082b13d660a645e0cee1)
-
Guus der Kinderen ea80cd3df604f98a0efa5828a390f9a2e0dd96f3
OF-2879: Implement XEP-0440: SASL Channel-Binding Type Capability
With Channel Binding now available (as this commit follows commits that implement these under OF-2694), Openfire should announce what type of channel binding types it supports. The mechanism for this is defined in XEP-0440. This commit implements this mechanism.
Additionally, the channel binding type that is used for a session (if any) is now shown on its 'session details' page on the admin console.
- documentation/openfire.doap (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- documentation/protocol-support.html (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- i18n/src/main/resources/openfire_i18n.properties (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/java/org/jivesoftware/openfire/net/SocketReadingMode.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/java/org/jivesoftware/openfire/net/StanzaHandler.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalClientSession.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/java/org/jivesoftware/openfire/websocket/WebSocketClientStanzaHandler.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/main/webapp/session-details.jsp (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
- xmppserver/src/test/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManagerTest.java (version ea80cd3df604f98a0efa5828a390f9a2e0dd96f3)
-
Guus der Kinderen ddec6a6f7fb4756dd60e9890e4456d7c1afff230
OF-2694 (code review feedback): Additional hardening + unit test coverage
This adds more validation of the exchanged data in the SASL handshake, and adds more unit test coverage.
Small refactorings have been applied to make ScramSha1SaslServer easier to unit-test. It now no longer unconditionally uses static calls to other classes. Such classes can be provided via a `@VisibleForTesting` constructor.
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerFakeKeyTest.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerSaltTest.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
- xmppserver/src/test/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServerTest.java (version ddec6a6f7fb4756dd60e9890e4456d7c1afff230)
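As an added example (not Openfire's ScramSha1SaslServer), the server-side validation of a SCRAM-SHA-1-PLUS client-final-message that the mechanism commit (e9759983) and this hardening commit concern: nonce check, comparison of the c= attribute against the channel binding the server itself observes, and proof verification. Password, salt and nonces follow the RFC 5802 section 5 test vector; the channel-binding bytes are constructed.

```python
import base64
import hashlib
import hmac

# Password, salt and nonces follow the RFC 5802 section 5 test vector; the
# channel-binding bytes passed to run_exchange are constructed for this example.
PASSWORD = b"pencil"
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
GS2_HEADER = b"p=tls-server-end-point,,"
CLIENT_FIRST_BARE = b"n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_NONCE = b"fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
SERVER_FIRST = b"r=" + SERVER_NONCE + b",s=" + base64.b64encode(SALT) + b",i=4096"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_key(password, salt, iterations=4096):
    # RFC 5802 section 3: ClientKey = HMAC(Hi(password, salt, i), "Client Key")
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    return hmac.new(salted, b"Client Key", hashlib.sha1).digest()

def client_final(cbind_seen_by_client):
    """Client side: c= is base64(gs2-header || cbind-data) and is part of AuthMessage."""
    c_attr = base64.b64encode(GS2_HEADER + cbind_seen_by_client)
    without_proof = b"c=" + c_attr + b",r=" + SERVER_NONCE
    auth_message = CLIENT_FIRST_BARE + b"," + SERVER_FIRST + b"," + without_proof
    ckey = client_key(PASSWORD, SALT)
    proof = xor(ckey, hmac.new(hashlib.sha1(ckey).digest(), auth_message, hashlib.sha1).digest())
    return without_proof + b",p=" + base64.b64encode(proof)

def server_verifies(stored_key, client_final_msg, cbind_seen_by_server):
    """Server side: validate nonce, channel binding and proof of client-final-message."""
    without_proof, _, proof_b64 = client_final_msg.rpartition(b",p=")
    attrs = dict(part.split(b"=", 1) for part in without_proof.split(b","))
    if attrs.get(b"r") != SERVER_NONCE:
        return False
    # The proof covers whatever c= the client sent, so it cannot detect a
    # binding mismatch by itself: compare c= against the server's own view.
    expected_c = base64.b64encode(GS2_HEADER + cbind_seen_by_server)
    if not hmac.compare_digest(attrs.get(b"c", b""), expected_c):
        return False
    auth_message = CLIENT_FIRST_BARE + b"," + SERVER_FIRST + b"," + without_proof
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    recovered_key = xor(base64.b64decode(proof_b64), signature)
    return hmac.compare_digest(hashlib.sha1(recovered_key).digest(), stored_key)

def run_exchange(cbind_client, cbind_server):
    """Returns True only when client and server see the same TLS channel."""
    stored_key = hashlib.sha1(client_key(PASSWORD, SALT)).digest()
    return server_verifies(stored_key, client_final(cbind_client), cbind_server)
```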
-
Guus der Kinderen d226e917c8cba9a3e5edd2c26ea368ce855f7b84
CI: merge 'cb' and 'demoboot' Maestro tags
The Conversations tests for channel binding added a second matrix for the `cb` tag, but it uses the same default demoboot config. Test hygiene would say: merge them.
Basically, Dan told me to do this.
- .github/workflows/continuous-integration-workflow.yml (version d226e917c8cba9a3e5edd2c26ea368ce855f7b84)
- build/ci/conversations/flows/cb.yaml (version d226e917c8cba9a3e5edd2c26ea368ce855f7b84)
-
Guus der Kinderen 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3
OF-2694: Introduce pluggable channel binding providers with manager
Add a channel binding abstraction consisting of:
- ChannelBindingProvider interface for extracting channel binding data from an SSLEngine
- ChannelBindingProviderManager to register, manage, and resolve providers per channel binding type
- ChannelBindingType enum defining RFC-aligned binding identifiers
- Comprehensive unit tests covering provider registration, ordering, resolution, and failure handling
This introduces a best-effort mechanism to obtain channel binding data (as defined in RFC 5705, RFC 5929, and RFC 9266) without introducing hard dependencies on a specific TLS implementation or JDK version.
The manager maintains an ordered list of providers per channel binding type and iterates through them until one successfully produces a value. Failures are isolated per provider, ensuring graceful degradation.
Why this is needed
Channel binding support is highly dependent on the capabilities of the underlying TLS stack and JDK version. Some mechanisms (notably newer exporter-based bindings) are difficult or effectively impossible to implement on older Java versions (e.g., Java 17), even when using reflection.
At the same time, increasing the minimum required Java version for Openfire is undesirable, as it would negatively impact existing deployments.
This change introduces a "manager/provider" pattern that:
- Aligns with existing extensibility mechanisms used elsewhere in the codebase
- Enables runtime discovery and prioritization of multiple implementations
- Allows third parties to contribute additional providers via plugins
Crucially, this design decouples channel binding support from the core runtime:
- Core Openfire can remain compatible with Java 17
- Optional plugins can provide advanced implementations that depend on newer Java versions (e.g., Java 25+)
These plugins can register their providers with the manager at runtime, seamlessly extending functionality without impacting baseline compatibility.
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProvider.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingType.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
- xmppserver/src/test/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManagerTest.java (version 5a2b6fa74d59a1531878ef29d7b56d562a2d2ff3)
-
Guus der Kinderen a77b374fcc84076e8794dfe08b7dfe3a114342a1
OF-2694 (code review feedback): Only advertise SASL -PLUS mechanisms when channel binding is supported
Refactored SASL mechanism advertisement logic to ensure that -PLUS mechanisms (e.g., SCRAM-SHA-1-PLUS) are only offered when the current connection supports channel binding. The check now relies on Connection#getSupportedChannelBindingTypes(), which must return a non-empty set for -PLUS mechanisms to be advertised.
Updated all relevant connection implementations (only NettyConnection, and the default method in the Connection interface) to ensure correct reporting of supported channel binding types.
This change prevents authentication failures caused by advertising -PLUS mechanisms on connections that cannot provide channel binding data (e.g., WebSocket connections).
- xmppserver/src/main/java/org/jivesoftware/openfire/Connection.java (version a77b374fcc84076e8794dfe08b7dfe3a114342a1)
- xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version a77b374fcc84076e8794dfe08b7dfe3a114342a1)
- xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyConnection.java (version a77b374fcc84076e8794dfe08b7dfe3a114342a1)
-
Guus der Kinderen a14b295fea4a1ce5e19a92b04aea8d089ea21908
OF-2694 (code review feedback): Various text fixes
This addresses various typos and spelling issues. None of these are functionally changing anything.
- i18n/src/main/resources/openfire_i18n_nl.properties (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
- xmppserver/src/main/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
- xmppserver/src/main/java/org/jivesoftware/openfire/group/AbstractGroupProvider.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
- xmppserver/src/main/java/org/jivesoftware/openfire/net/SASLAuthentication.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
- xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
- xmppserver/src/main/java/org/jivesoftware/util/CertificateManager.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
- xmppserver/src/main/java/org/jivesoftware/util/cache/DefaultLocalCacheStrategy.java (version a14b295fea4a1ce5e19a92b04aea8d089ea21908)
-
Guus der Kinderen c4ed939661fe08a0034a37ce02a07150f51e9e56
OF-2694: Add tls-server-end-point channel binding provider implementation
Introduce TlsServerEndPointChannelBindingProvider, an implementation of ChannelBindingProvider for the tls-server-end-point channel binding type as defined in RFC 5929.
Implements logic to select the appropriate hash algorithm based on certificate signature algorithm, with special handling for RSASSA-PSS and weak hashes.
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/TlsServerEndPointChannelBindingProvider.java (version c4ed939661fe08a0034a37ce02a07150f51e9e56)
- xmppserver/src/test/java/org/jivesoftware/util/channelbinding/TlsServerEndPointChannelBindingProviderTest.java (version c4ed939661fe08a0034a37ce02a07150f51e9e56)
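The following Python is an added example, not Openfire's TlsServerEndPointChannelBindingProvider, showing the two rules these commits rely on: RFC 5929 hash selection for tls-server-end-point (SHA-256 replaces MD5 and SHA-1; RSASSA-PSS takes its hash from the signature parameters) and the RFC 5802 section 7 encoding of the c= attribute as a single base64 of gs2-header || cbind-data, which the test vector fix in 45b0221 corrected. The certificate bytes are constructed, and the JCA-style signature algorithm names are an assumption about how the algorithm is reported.

```python
import base64
import hashlib

# Constructed stand-in for a DER-encoded server certificate; a real provider
# hashes the actual DER bytes of the server's leaf certificate.
CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-bytes-for-illustration"

# RFC 5929 section 4.1: use the hash of the certificate's signature algorithm,
# but replace MD5 and SHA-1 with SHA-256.
WEAK_HASHES = {"md5", "sha1"}

def select_hash(sig_alg, pss_hash=None):
    """Map a JCA-style signature algorithm name (assumed form, e.g.
    'SHA384withECDSA') to the hashlib digest name for tls-server-end-point."""
    alg = sig_alg.lower()
    if alg == "rsassa-pss":
        # RSASSA-PSS names no hash; it comes from the signature parameters.
        if pss_hash is None:
            raise ValueError("RSASSA-PSS: hash must be taken from the PSS parameters")
        hash_name = pss_hash.lower().replace("-", "")
    elif "with" in alg:
        hash_name = alg.split("with", 1)[0].replace("-", "")
    else:
        raise ValueError("cannot derive a hash from %r" % sig_alg)
    return "sha256" if hash_name in WEAK_HASHES else hash_name

def tls_server_end_point(cert_der, sig_alg, pss_hash=None):
    """cbind-data for tls-server-end-point: the selected hash of the certificate."""
    return hashlib.new(select_hash(sig_alg, pss_hash), cert_der).digest()

# gs2-header sent by a -PLUS client that supports channel binding, no authzid
GS2_HEADER = b"p=tls-server-end-point,,"

def encode_c_attribute(gs2_header, cbind_data):
    """RFC 5802 section 7: c = base64(gs2-header || cbind-data), encoded once."""
    return base64.b64encode(gs2_header + cbind_data).decode("ascii")

def decode_c_attribute(c_attribute):
    """Split a received c= value back into (gs2-header, cbind-data); cbind-data
    is binary and may itself contain commas, hence the bounded split."""
    raw = base64.b64decode(c_attribute, validate=True)
    flag, authzid, cbind_data = raw.split(b",", 2)
    return flag + b"," + authzid + b",", cbind_data
```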
-
Guus der Kinderen 219acd9b818412fd68a3920ad2d1c8ec37283b9d
OF-2694: Add TLS channel binding primitive support
Expose per-connection channel binding data retrieval for SASL.
- xmppserver/src/main/java/org/jivesoftware/openfire/Connection.java (version 219acd9b818412fd68a3920ad2d1c8ec37283b9d)
- xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyConnection.java (version 219acd9b818412fd68a3920ad2d1c8ec37283b9d)
-
Guus der Kinderen a8cf669c8462393c42ae11dc6fbfa1ac65f2dfe0
OF-2694: Add Maestro test to CI for Channel Binding
This new test launches Conversations against a standard Openfire server (the 'demoboot' configuration) and attempts to authenticate.
It is asserted that:
- the authentication attempt was successful
- a SASL mechanism ending with `-PLUS` was used
When this test passes, it's verified that Conversations successfully used channel binding.
- .github/workflows/continuous-integration-workflow.yml (version a8cf669c8462393c42ae11dc6fbfa1ac65f2dfe0)
- build/ci/conversations/flows/cb.yaml (version a8cf669c8462393c42ae11dc6fbfa1ac65f2dfe0)
-
Guus der Kinderen f0c162c4ee78e0bc3aa0f41b44e4f81902ab84bb
OF-2694 (code review feedback): Make removal of ChannelBindingProvider thread safe
This mimics the concurrency control of the implementation that adds these providers.
- xmppserver/src/main/java/org/jivesoftware/util/channelbinding/ChannelBindingProviderManager.java (version f0c162c4ee78e0bc3aa0f41b44e4f81902ab84bb)