gloox: implement tls-exporter channel binding type

2026-04-09 05:10:05 +02:00 · 2023-09-26 21:59:54 +02:00
parent e729a566f0
commit 0ec5be036d
2 changed files with 124 additions and 5 deletions
--- a/net-libs/gloox/gloox-1.0.27.recipe
+++ b/net-libs/gloox/gloox-1.0.27.recipe
@@ -3,7 +3,7 @@ DESCRIPTION="Rock-solid, full-featured Jabber/XMPP client library, written in cl
 HOMEPAGE="https://camaya.net/gloox/"
 COPYRIGHT="2002-2023 Jakob Schröter"
 LICENSE="GNU GPL v2"
-REVISION="1"
+REVISION="2"
 SOURCE_URI="http://camaya.net/download/gloox-$portVersion.tar.bz2"
 CHECKSUM_SHA256="0b8b7371439bc58d9e51384b616c964b18b7b41b87af1b7855104380eda86ffb"
 PATCHES="gloox-$portVersion.patchset"
--- a/net-libs/gloox/patches/gloox-1.0.27.patchset
+++ b/net-libs/gloox/patches/gloox-1.0.27.patchset
@@ -1,11 +1,11 @@
-From d18dc2f6032970e03a440208d4effa7b3290892d Mon Sep 17 00:00:00 2001
+From 14aca6f824c3fa48a0042609083ffa2bb08d9711 Mon Sep 17 00:00:00 2001
 From: Adrien Destugues <pulkomandy@pulkomandy.tk>
 Date: Sat, 28 Mar 2020 10:17:16 +0100
 Subject: Search for network functions in libnetwork


 diff --git a/configure.ac b/configure.ac
-index 261a78c..2d1c210 100644
+index 6e707e5..fe84d53 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -330,7 +330,7 @@ AC_ARG_ENABLE( getaddrinfo,
@@ -29,7 +29,7 @@ index 261a78c..2d1c210 100644
 2.37.3


-From 735c2d5e13b7412c2cc93edac11cabada62ac1b1 Mon Sep 17 00:00:00 2001
+From f93d15f6b273aabbcd81cf4e8e9e96820a319f25 Mon Sep 17 00:00:00 2001
 From: Adrien Destugues <pulkomandy@pulkomandy.tk>
 Date: Sat, 28 Mar 2020 13:10:43 +0100
 Subject: Hack for detecting libnetwork internal functions
@@ -38,7 +38,7 @@ These functions are found indirectly through #defines in the headers.
 So a normal AC_SEARCH_LIBS does not work.

 diff --git a/configure.ac b/configure.ac
-index 2d1c210..cc03de2 100644
+index fe84d53..91bd9e0 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -220,7 +220,7 @@ else
@@ -70,3 +70,122 @@ index 2d1c210..cc03de2 100644
                       AC_DEFINE(HAVE_RES_QUERY)
 -- 
 2.37.3
+
+
+From 73268b719739c73b5a4e4ecda2bdd9dffa7f1bea Mon Sep 17 00:00:00 2001
+From: PulkoMandy <pulkomandy@pulkomandy.tk>
+Date: Tue, 26 Sep 2023 20:31:10 +0200
+Subject: Implement TLS-exporter channel binding type
+
+As defined in RFC 9266.
+
+Implemented in the OpenSSL backend only. Enabled when TLS 1.3 is in use, in other cases the
+previous TLS-unique is used.
+
+diff --git a/src/clientbase.cpp b/src/clientbase.cpp
+index 3fe66f8..b08653b 100644
+--- a/src/clientbase.cpp
+++ b/src/clientbase.cpp
+@@ -503,7 +503,7 @@ namespace gloox
+         }
+         else // SaslMechScramSha1Plus
+         {
+-          m_gs2Header = "p=tls-unique,";
+          m_gs2Header = "p=" + m_encryption->channelBindingType() + ",";
+           a->addAttribute( "mechanism", "SCRAM-SHA-1-PLUS" );
+         }
+ 
+diff --git a/src/tlsbase.h b/src/tlsbase.h
+index d0b6dc6..e7c6cf6 100644
+--- a/src/tlsbase.h
+++ b/src/tlsbase.h
+@@ -116,6 +116,8 @@ namespace gloox
+        */
+       virtual const std::string channelBinding() const { return EmptyString; }
+ 
+      virtual const std::string channelBindingType() const { return "tls-unique"; }
+
+       /**
+        * Use this function to set a number of trusted root CA certificates which shall be
+        * used to verify a servers certificate.
+diff --git a/src/tlsdefault.cpp b/src/tlsdefault.cpp
+index adcd644..3d545ee 100644
+--- a/src/tlsdefault.cpp
+++ b/src/tlsdefault.cpp
+@@ -136,6 +136,11 @@ namespace gloox
+     return m_impl ? m_impl->channelBinding() : EmptyString;
+   }
+ 
+  const std::string TLSDefault::channelBindingType() const
+  {
+    return m_impl ? m_impl->channelBindingType() : "tls-unique";
+  }
+
+   void TLSDefault::setCACerts( const StringList& cacerts )
+   {
+     if( m_impl )
+diff --git a/src/tlsdefault.h b/src/tlsdefault.h
+index 50432b9..9bce81d 100644
+--- a/src/tlsdefault.h
+++ b/src/tlsdefault.h
+@@ -87,6 +87,9 @@ namespace gloox
+       // reimplemented from TLSBase
+       virtual const std::string channelBinding() const;
+ 
+      // reimplemented from TLSBase
+      virtual const std::string channelBindingType() const;
+
+       // reimplemented from TLSBase
+       virtual void setCACerts( const StringList& cacerts );
+ 
+diff --git a/src/tlsopensslclient.cpp b/src/tlsopensslclient.cpp
+index ac30e18..d0fb3ff 100644
+--- a/src/tlsopensslclient.cpp
+++ b/src/tlsopensslclient.cpp
+@@ -46,9 +46,26 @@ namespace gloox
+ 
+   const std::string OpenSSLClient::channelBinding() const
+   {
+-    unsigned char* buf[128];
+-    long res = SSL_get_finished( m_ssl, buf, 128 );
+-    return std::string( reinterpret_cast<char*>( buf ), res );
+
+    if (SSL_version(m_ssl) == TLS1_3_VERSION) {
+      unsigned char buf[32];
+      const char* const label = "EXPORTER-Channel-Binding";
+      SSL_export_keying_material( m_ssl, buf, 32, label, strlen(label), { 0 }, 1, 0);
+      return std::string( reinterpret_cast<char* const>( buf ), 32);
+    } else {
+      unsigned char* buf[128];
+      long res = SSL_get_finished( m_ssl, buf, 128 );
+      return std::string( reinterpret_cast<char*>( buf ), res );
+    }
+  }
+
+  const std::string OpenSSLClient::channelBindingType() const
+  {
+    if (SSL_version(m_ssl) == TLS1_3_VERSION) {
+      return "tls-exporter";
+    } else {
+      return "tls-unique";
+    }
+   }
+ 
+   int OpenSSLClient::handshakeFunction()
+diff --git a/src/tlsopensslclient.h b/src/tlsopensslclient.h
+index e8ac22d..81463d5 100644
+--- a/src/tlsopensslclient.h
+++ b/src/tlsopensslclient.h
+@@ -53,6 +53,9 @@ namespace gloox
+       // reimplemented from TLSBase
+       virtual const std::string channelBinding() const;
+ 
+      // reimplemented from TLSBase
+      virtual const std::string channelBindingType() const;
+
+   private:
+       // reimplemented from OpenSSLBase
+       virtual bool setType();
+-- 
+2.37.3
+