From a1bbefc9e3b947ead9567a6daa150a1c21fd5ce6 Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Sat, 30 Jul 2016 10:39:38 +0200 Subject: [PATCH 1/4] Smack 4.1.9-SNAPSHOT --- version.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.gradle b/version.gradle index 41a5580b6..2919ff247 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { - shortVersion = '4.1.8' - isSnapshot = false + shortVersion = '4.1.9' + isSnapshot = true jxmppVersion = '0.4.2' smackMinAndroidSdk = 8 } From fca2f59e08da2936f6d899a95fb0f6ed9aa07f0c Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Thu, 20 Oct 2016 16:57:06 +0200 Subject: [PATCH 2/4] Fix SCRAM-SHA1 mechanism creating invalid c-nonce Because of the condition "c >= 32", Smack would possible return a c-nonce containing ASCII whitespace characters (32d, 0x20), which are not allowed in the c-nonce as per RFC 5802. This commit applies the correct condition: "c > 32". Fixes SMACK-735. --- .../org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java b/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java index 217ace4e9..4d15a8f91 100644 --- a/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java +++ b/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java @@ -257,7 +257,10 @@ public class SCRAMSHA1Mechanism extends SASLMechanism { if (c == ',') { return false; } - return c >= 32 && c < 127; + // RFC 5802 ยง 7. 'printable': Contains all chars within 0x21 (33d) to 0x2b (43d) and 0x2d (45d) to 0x7e (126) + // aka. "Printable ASCII except ','". Since we already filter the ASCII ',' (0x2c, 44d) above, we only have to + // ensure that c is within [33, 126]. + return c > 32 && c < 127; } /** 
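Review bot: The bounds in the new `return c > 32 && c < 127;` are decimal and exclusive, while the added comment cites RFC 5802's inclusive hex range, so a reader has to translate twice to confirm that the space character is now excluded; `return c >= 0x21 && c <= 0x7e;` would mirror the RFC text and make the off-by-one behind SMACK-735 harder to reintroduce. The section sign in the added comment appears mis-encoded on this page, so the source file's encoding is worth checking. The diffstat lists only this file, so no test pins the boundary values (32, 44 and 127 rejected, 33 and 126 accepted); a small unit test would guard the c-nonce alphabet. The enclosing method starts outside the hunk.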
From 059ee99ba0d5ff7758829acf5a9aeede09ec820b Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Sat, 12 Nov 2016 11:12:50 +0100 Subject: [PATCH 3/4] Move TLS Required check at the end of connect() It was a *very* bad idea to perform the SecurityMode.Required check in the connection's reader thread and not at the end of AbstractXMPPConnectin's connect(). :/ This behavior dates back to 8e750912a765f77a4f178a4f307a8b42c2afb5ae Fixes SMACK-739 --- .../smack/AbstractXMPPConnection.java | 1 + .../smack/tcp/XMPPTCPConnection.java | 20 +++++++++---------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java b/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java index 7b680b1a3..df1acef66 100644 --- a/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java +++ b/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java @@ -362,6 +362,7 @@ public abstract class AbstractXMPPConnection implements XMPPConnection { // Perform the actual connection to the XMPP service connectInternal(); + return this; } diff --git a/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java b/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java index d0ca18bf2..4d21f6fc6 100644 --- a/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java +++ b/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java 
@@ -28,10 +28,9 @@ import org.jivesoftware.smack.SmackException.AlreadyConnectedException; import org.jivesoftware.smack.SmackException.AlreadyLoggedInException; import org.jivesoftware.smack.SmackException.NoResponseException; import org.jivesoftware.smack.SmackException.NotConnectedException; -import org.jivesoftware.smack.SmackException.ConnectionException; import org.jivesoftware.smack.SmackException.SecurityRequiredByClientException; +import org.jivesoftware.smack.SmackException.ConnectionException; import org.jivesoftware.smack.SmackException.SecurityRequiredByServerException; -import org.jivesoftware.smack.SmackException.SecurityRequiredException; import org.jivesoftware.smack.SynchronizationPoint; import org.jivesoftware.smack.XMPPException.StreamErrorException; import org.jivesoftware.smack.XMPPConnection; @@ -857,6 +856,14 @@ public class XMPPTCPConnection extends AbstractXMPPConnection { // Wait with SASL auth until the SASL mechanisms have been received saslFeatureReceived.checkIfSuccessOrWaitOrThrow(); + // If TLS is required but the server doesn't offer it, disconnect + // from the server and throw an error. First check if we've already negotiated TLS + // and are secure, however (features get parsed a second time after TLS is established). + if (!isSecureConnection() && getConfiguration().getSecurityMode() == SecurityMode.required) { + shutdown(); + throw new SecurityRequiredByClientException(); + } + // Make note of the fact that we're now connected. connected = true; callConnectionConnectedListener(); 
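Review bot: The comment added with the `!isSecureConnection()` guard in connectInternal() was copied from afterFeaturesReceived() and no longer describes the condition: "the server doesn't offer it" and "features get parsed a second time" belong to the old per-features check, whereas the new guard rejects any non-TLS stream once the SASL features have arrived. I would replace it with `// SecurityMode.required: never finish connecting on a non-TLS stream (e.g. STARTTLS stripped in transit), so that SASL is not started in cleartext.` The commit message places the check at the end of AbstractXMPPConnection's connect(), but the hunk adds it to XMPPTCPConnection.connectInternal(), so other connection subclasses presumably do not get it; if that is intended, the comment should say so. No test accompanies the change as shown; one that connects with SecurityMode.required to a stub server advertising no STARTTLS and expects SecurityRequiredByClientException would keep SMACK-739 from regressing. connectInternal() begins and ends outside the hunk.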
@@ -897,7 +904,7 @@ public class XMPPTCPConnection extends AbstractXMPPConnection { } @Override - protected void afterFeaturesReceived() throws SecurityRequiredException, NotConnectedException { + protected void afterFeaturesReceived() throws NotConnectedException { StartTls startTlsFeature = getFeature(StartTls.ELEMENT, StartTls.NAMESPACE); if (startTlsFeature != null) { if (startTlsFeature.required() && config.getSecurityMode() == SecurityMode.disabled) { @@ -909,13 +916,6 @@ public class XMPPTCPConnection extends AbstractXMPPConnection { send(new StartTls()); } } - // If TLS is required but the server doesn't offer it, disconnect - // from the server and throw an error. First check if we've already negotiated TLS - // and are secure, however (features get parsed a second time after TLS is established). - if (!isSecureConnection() && startTlsFeature == null - && getConfiguration().getSecurityMode() == SecurityMode.required) { - throw new SecurityRequiredByClientException(); - } if (getSASLAuthentication().authenticationSuccessful()) { // If we have received features after the SASL has been successfully completed, then we From af6e80deccb7f587c8339272e4a7e8449edb7fdf Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Sat, 19 Nov 2016 14:34:29 +0100 Subject: [PATCH 4/4] Smack 4.1.9 --- resources/releasedocs/changelog.html | 12 ++++++++++++ version.gradle | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/resources/releasedocs/changelog.html b/resources/releasedocs/changelog.html index 01c8a003b..cb513e360 100644 --- a/resources/releasedocs/changelog.html +++ b/resources/releasedocs/changelog.html @@ -141,6 +141,18 @@ hr {
+ +

4.1.9 -- 2016-11-19

+ +

Bug +

+
    +
  • [SMACK-739] - Smack starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used +
  • +
  • [SMACK-735] - Smack sometimes sends invalid SCRAM-SHA1 nonce +
  • +
+

4.1.8 -- 2016-07-30

Bug diff --git a/version.gradle b/version.gradle index 2919ff247..e767541d8 100644 --- a/version.gradle +++ b/version.gradle @@ -1,7 +1,7 @@ allprojects { ext { shortVersion = '4.1.9' - isSnapshot = true + isSnapshot = false jxmppVersion = '0.4.2' smackMinAndroidSdk = 8 }