Implement SASL2, BIND2, and FAST

.github/workflows/CI.yml

@@ -26,7 +26,7 @@ jobs:
           echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/prosody.list
           sudo wget https://prosody.im/files/prosody-debian-packages.key -O/etc/apt/trusted.gpg.d/prosody.gpg
           sudo apt-get update
-          sudo apt-get -y install prosody lua-bitop lua-sec
+          sudo apt-get -y install lua5.3 prosody-trunk lua-bitop lua-sec
           sudo service prosody stop
 
       # - run: npm install -g npm

package.json

@@ -52,7 +52,7 @@
   "bundlesize": [
     {
       "path": "./packages/client/dist/xmpp.min.js",
-      "maxSize": "16 KB"
+      "maxSize": "17 KB"
     }
   ],
   "lint-staged": {

packages/client/browser.js

@@ -12,6 +12,7 @@ const _iqCallee = require("@xmpp/iq/callee");
 const _resolve = require("@xmpp/resolve");
 
 // Stream features - order matters and define priority
+const _sasl2 = require("@xmpp/sasl2");
 const _sasl = require("@xmpp/sasl");
 const _resourceBinding = require("@xmpp/resource-binding");
 const _sessionEstablishment = require("@xmpp/session-establishment");
@@ -22,7 +23,16 @@ const anonymous = require("@xmpp/sasl-anonymous");
 const plain = require("@xmpp/sasl-plain");
 
 function client(options = {}) {
-  const { resource, credentials, username, password, ...params } = options;
+  const {
+    resource,
+    credentials,
+    username,
+    password,
+    clientId,
+    software,
+    device,
+    ...params
+  } = options;
 
   const { domain, service } = params;
   if (!domain && service) {
@@ -40,11 +50,17 @@ function client(options = {}) {
   const iqCallee = _iqCallee({ middleware, entity });
   const resolve = _resolve({ entity });
   // Stream features - order matters and define priority
+  const sasl2 = _sasl2(
+    { streamFeatures },
+    credentials || { username, password },
+    { clientId, software, device },
+  );
   const sasl = _sasl({ streamFeatures }, credentials || { username, password });
   const streamManagement = _streamManagement({
     streamFeatures,
     entity,
     middleware,
+    sasl2,
   });
   const resourceBinding = _resourceBinding(
     { iqCaller, streamFeatures },
@@ -55,9 +71,10 @@ function client(options = {}) {
     streamFeatures,
   });
   // SASL mechanisms - order matters and define priority
-  const mechanisms = Object.entries({ plain, anonymous }).map(([k, v]) => ({
-    [k]: v(sasl),
-  }));
+  const mechanisms = Object.entries({
+    plain,
+    anonymous,
+  }).map(([k, v]) => ({ [k]: [v(sasl2), v(sasl)] }));
 
   return Object.assign(entity, {
     entity,
@@ -68,6 +85,7 @@ function client(options = {}) {
     iqCaller,
     iqCallee,
     resolve,
+    sasl2,
     sasl,
     resourceBinding,
     sessionEstablishment,

packages/client/index.js

@@ -15,18 +15,21 @@ const _resolve = require("@xmpp/resolve");
 
 // Stream features - order matters and define priority
 const _starttls = require("@xmpp/starttls/client");
+const _sasl2 = require("@xmpp/sasl2");
 const _sasl = require("@xmpp/sasl");
 const _resourceBinding = require("@xmpp/resource-binding");
 const _sessionEstablishment = require("@xmpp/session-establishment");
 const _streamManagement = require("@xmpp/stream-management");
 
 // SASL mechanisms - order matters and define priority
 const scramsha1 = require("@xmpp/sasl-scram-sha-1");
+const htsha256 = require("@xmpp/sasl-ht-sha-256-none");
 const plain = require("@xmpp/sasl-plain");
 const anonymous = require("@xmpp/sasl-anonymous");
 
 function client(options = {}) {
   const { resource, credentials, username, password, ...params } = options;
+  const { clientId, software, device } = params;
 
   const { domain, service } = params;
   if (!domain && service) {
@@ -47,11 +50,17 @@ function client(options = {}) {
   const resolve = _resolve({ entity });
   // Stream features - order matters and define priority
   const starttls = _starttls({ streamFeatures });
+  const sasl2 = _sasl2(
+    { streamFeatures },
+    credentials || { username, password },
+    { clientId, software, device },
+  );
   const sasl = _sasl({ streamFeatures }, credentials || { username, password });
   const streamManagement = _streamManagement({
     streamFeatures,
     entity,
     middleware,
+    sasl2,
   });
   const resourceBinding = _resourceBinding(
     { iqCaller, streamFeatures },
@@ -64,9 +73,10 @@ function client(options = {}) {
   // SASL mechanisms - order matters and define priority
   const mechanisms = Object.entries({
     scramsha1,
+    htsha256,
     plain,
     anonymous,
-  }).map(([k, v]) => ({ [k]: v(sasl) }));
+  }).map(([k, v]) => ({ [k]: [v(sasl2), v(sasl)] }));
 
   return Object.assign(entity, {
     entity,
@@ -80,6 +90,7 @@ function client(options = {}) {
     iqCallee,
     resolve,
     starttls,
+    sasl2,
     sasl,
     resourceBinding,
     sessionEstablishment,

packages/client/package.json

@@ -16,10 +16,12 @@
     "@xmpp/reconnect": "^0.13.2",
     "@xmpp/resolve": "^0.13.2",
     "@xmpp/resource-binding": "^0.13.2",
+    "@xmpp/sasl2": "^0.13.0",
     "@xmpp/sasl": "^0.13.2",
     "@xmpp/sasl-anonymous": "^0.13.2",
     "@xmpp/sasl-plain": "^0.13.2",
     "@xmpp/sasl-scram-sha-1": "^0.13.2",
+    "@xmpp/sasl-ht-sha-256-none": "^0.13.0",
     "@xmpp/session-establishment": "^0.13.2",
     "@xmpp/starttls": "^0.13.2",
     "@xmpp/stream-features": "^0.13.2",

packages/client/react-native.js

@@ -12,6 +12,7 @@ const _iqCallee = require("@xmpp/iq/callee");
 const _resolve = require("@xmpp/resolve");
 
 // Stream features - order matters and define priority
+const _sasl2 = require("@xmpp/sasl2");
 const _sasl = require("@xmpp/sasl");
 const _resourceBinding = require("@xmpp/resource-binding");
 const _sessionEstablishment = require("@xmpp/session-establishment");
@@ -22,7 +23,16 @@ const anonymous = require("@xmpp/sasl-anonymous");
 const plain = require("@xmpp/sasl-plain");
 
 function client(options = {}) {
-  const { resource, credentials, username, password, ...params } = options;
+  const {
+    resource,
+    credentials,
+    username,
+    password,
+    clientId,
+    software,
+    device,
+    ...params
+  } = options;
 
   const { domain, service } = params;
   if (!domain && service) {
@@ -40,11 +50,17 @@ function client(options = {}) {
   const iqCallee = _iqCallee({ middleware, entity });
   const resolve = _resolve({ entity });
   // Stream features - order matters and define priority
+  const sasl2 = _sasl2(
+    { streamFeatures },
+    credentials || { username, password },
+    { clientId, software, device },
+  );
   const sasl = _sasl({ streamFeatures }, credentials || { username, password });
   const streamManagement = _streamManagement({
     streamFeatures,
     entity,
     middleware,
+    sasl2,
   });
   const resourceBinding = _resourceBinding(
     { iqCaller, streamFeatures },
@@ -55,9 +71,10 @@ function client(options = {}) {
     streamFeatures,
   });
   // SASL mechanisms - order matters and define priority
-  const mechanisms = Object.entries({ plain, anonymous }).map(([k, v]) => ({
-    [k]: v(sasl),
-  }));
+  const mechanisms = Object.entries({
+    plain,
+    anonymous,
+  }).map(([k, v]) => ({ [k]: [v(sasl2), v(sasl)] }));
 
   return Object.assign(entity, {
     entity,
@@ -68,6 +85,7 @@ function client(options = {}) {
     iqCaller,
     iqCallee,
     resolve,
+    sasl2,
     sasl,
     resourceBinding,
     sessionEstablishment,

packages/connection/index.js

@@ -258,6 +258,16 @@ class Connection extends EventEmitter {
 
     const headerElement = this.headerElement();
     headerElement.attrs.to = domain;
+    if (
+      this.socket.secure &&
+      this.socket.secure() &&
+      (this.streamFrom || this.jid)
+    ) {
+      // When the stream is secure there is no leak to setting the stream from
+      // This is suggested in general and in required for FAST implementations
+      // in particular
+      headerElement.attrs.from = (this.streamFrom || this.jid).toString();
+    }
     headerElement.attrs["xml:lang"] = lang;
     this.root = headerElement;
 

packages/sasl-ht-sha-256-none/index.js

@@ -0,0 +1,29 @@
+"use strict";
+
+// https://datatracker.ietf.org/doc/draft-schmaus-kitten-sasl-ht/
+const createHmac = require("create-hmac");
+
+function Mechanism() {}
+
+Mechanism.prototype.Mechanism = Mechanism;
+Mechanism.prototype.name = "HT-SHA-256-NONE";
+Mechanism.prototype.clientFirst = true;
+
+Mechanism.prototype.response = (cred) => {
+  this.password = cred.password;
+  const hmac = createHmac("sha256", this.password);
+  hmac.update("Initiator");
+  return cred.username + "\0" + hmac.digest("latin1");
+};
+
+Mechanism.prototype.final = (data) => {
+  const hmac = createHmac("sha256", this.password);
+  hmac.update("Responder");
+  if (hmac.digest("latin1") !== data) {
+    throw "Responder message from server was wrong";
+  }
+};
+
+module.exports = function sasl2(sasl) {
+  sasl.use(Mechanism);
+};

packages/sasl-ht-sha-256-none/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@xmpp/sasl-ht-sha-256-none",
+  "description": "XMPP SASL HT-SHA-256-NONE for JavaScript",
+  "repository": "github:xmppjs/xmpp.js",
+  "homepage": "https://github.com/xmppjs/xmpp.js/tree/main/packages/sasl-ht-sha-256-none",
+  "bugs": "http://github.com/xmppjs/xmpp.js/issues",
+  "version": "0.13.0",
+  "license": "ISC",
+  "keywords": [
+    "XMPP",
+    "sasl",
+    "plain"
+  ],
+  "dependencies": {
+    "create-hmac": "^1.1.7"
+  },
+  "engines": {
+    "node": ">= 14"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

packages/sasl/test.js

@@ -153,8 +153,6 @@ test("use ANONYMOUS if username and password are not provided", async (t) => {
 });
 
 test("with whitespaces", async (t) => {
-  console.log("truc");
-
   const { entity } = mockClient();
 
   entity.mockInput(