fix tls 1.3 wip

Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>

.woodpecker/lint.yml

@@ -0,0 +1,6 @@
+steps:
+  mypy:
+    image: python:3
+    script:
+      - pip3 install mypy types-setuptools
+      - mypy slixmpp

.woodpecker/test-integration.yml

@@ -0,0 +1,9 @@
+steps:
+  test_integration:
+    image: "python:3.11"
+    secrets: [ci_account1, ci_account1_password, ci_account2, ci_account2_password]
+    commands:
+      - apt-get update
+      - apt-get install -y python3-pip cython3 gpg
+      - pip3 install emoji aiohttp aiodns
+      - ./run_integration_tests.py

.woodpecker/test.yml

@@ -0,0 +1,17 @@
+steps:
+  unit_tests:
+    image: "python:${TAG}"
+    commands:
+    - apt-get update
+    - apt-get install -y python3 python3-pip cython3 gpg
+    - pip3 install emoji aiohttp cryptography
+    - ./run_tests.py
+
+matrix:
+  TAG:
+    - "3.7"
+    - "3.9"
+    - "3.8"
+    - "3.10"
+    - "3.11"
+    - "3.12"

docs/projects.rst

@@ -0,0 +1,95 @@
+Projects Using Slixmpp
+======================
+
+Applications
+------------
+
+sendxmpp-py
+~~~~~~~~~~~
+sendxmpp is a command line program and is the XMPP equivalent of sendmail. It is a Python version of the original sendxmpp which is written in Perl.
+
+- `Source <https://github.com/moparisthebest/sendxmpp-py>`_
+
+Bots
+----
+
+BotLogMauve
+~~~~~~~~~~~
+XMPP bot which logs groupchat messages. Logs are in text format, with one file per day and per groupchat.
+
+- `Source <https://git.khaganat.net/khaganat/BotLogMauve>`_
+
+LinkBot
+~~~~~~~
+This bot reveals the title of any shared link in a groupchat for quick content insight.
+
+- `Source <https://git.xmpp-it.net/mario/XMPPBot>`_
+
+llama-bot
+~~~~~~~~~
+Llama-bot enables engaging communication with the LLM (large language model) of llama.cpp, providing seamless and dynamic conversation with it.
+
+- `Groupchat <xmpp:slixmpp@muc.poez.io?join>`_
+- `Source <https://github.com/decent-im/llama-bot>`_
+- `Demo <xmpp:llama@decent.im?message>`_
+
+Morbot
+~~~~~~
+Morbot is a simple Slixmpp bot that will take new articles from listed RSS feeds and send them to assigned XMPP MUCs.
+
+- `Groupchat <xmpp:slixmpp@muc.poez.io?join>`_
+- `Source <https://codeberg.org/TheCoffeMaker/Morbot>`_
+
+Slixfeed
+~~~~~~~~
+Slixfeed aims to be an easy to use and fully-featured news aggregator bot for XMPP. It provides a convenient access to Blogs, Fediverse and News websites along with filtering functionality.
+
+- `Groupchat <xmpp:slixfeed@chat.woodpeckersnest.space?join>`_
+- `Source <https://gitgud.io/sjehuda/slixfeed>`_
+
+sms4you
+~~~~~~~
+sms4you forwards messages from and to SMS and connects either with sms4you-xmpp or sms4you-email to choose the other mean of communication. Nice for receiving or sending SMS, independently from carrying a SIM card.
+
+- `Groupchat <xmpp:slixmpp@muc.poez.io?join>`_
+- `Homepage <https://sms4you-team.pages.debian.net/sms4you/>`_
+- `Source <https://salsa.debian.org/sms4you-team/sms4you>`_
+
+Stable Diffusion
+~~~~~~~~~~~~~~~~
+XMPP bot that generates digital images from textual descriptions.
+
+- `Groupchat <xmpp:slidge@conference.nicoco.fr?join>`_
+- `Source <https://www.nicoco.fr/blog/2022/08/31/xmpp-bot-stable-diffusion/>`_
+
+WhisperBot
+~~~~~~~~~~
+XMPP bot that transliterates audio messages using OpenAI's Whisper libraries.
+
+- `Groupchat <xmpp:slixmpp@muc.poez.io?join>`_
+- `Source <https://codeberg.org/TheCoffeMaker/WhisperBot>`_
+
+XMPP MUC Message Gateway
+~~~~~~~~~~~~~~~~~~~~~~~~
+A multipurpose JSON forwarder microservice from HTTP POST to XMPP MUC room over TLSv1.2 with SliXMPP.
+
+- `Source <https://github.com/immanuelfodor/xmpp-muc-message-gateway>`_
+
+Services
+--------
+
+AtomToPubsub
+~~~~~~~~~~~~
+AtomToPubsub is a simple Python script that parses Atom + RSS feeds and pushes the entries to a designated XMPP Pubsub Node.
+
+- `Groupchat <xmpp:movim@conference.movim.eu?join>`_
+- `Source <https://github.com/imattau/atomtopubsub>`_
+
+Slidge
+~~~~~~
+
+Slidge is a general purpose XMPP gateway framework in Python.
+
+- `Groupchat <xmpp:slidge@conference.nicoco.fr?join>`_
+- `Homepage <https://slidge.im/core/>`_
+- `Source <https://sr.ht/~nicoco/slidge>`_

slixmpp/clientxmpp.py

@@ -138,8 +138,8 @@ class ClientXMPP(BaseXMPP):
         self.credentials['password'] = value
 
     def connect(self, address: Optional[Tuple[str, int]] = None,  # type: ignore
-                use_ssl: bool = False, force_starttls: bool = True,
+                use_ssl: Optional[bool] = None, force_starttls: Optional[bool] = None,
-                disable_starttls: bool = False) -> None:
+                disable_starttls: Optional[bool] = None) -> None:
         """Connect to the XMPP server.
 
         When no address is given, a SRV lookup for the server will
@@ -166,8 +166,8 @@ class ClientXMPP(BaseXMPP):
             host, port = (self.boundjid.host, 5222)
             self.dns_service = 'xmpp-client'
 
-        return XMLStream.connect(self, host, port, use_ssl=use_ssl,
+        XMLStream.connect(self, host, port, use_ssl=use_ssl,
-                                 force_starttls=force_starttls, disable_starttls=disable_starttls)
+                          force_starttls=force_starttls, disable_starttls=disable_starttls)
 
     def register_feature(self, name: str, handler: Callable, restart: bool = False, order: int = 5000) -> None:
         """Register a stream feature handler.

slixmpp/componentxmpp.py

@@ -9,6 +9,8 @@
 import logging
 import hashlib
 
+from typing import Optional
+
 from slixmpp import Message, Iq, Presence
 from slixmpp.basexmpp import BaseXMPP
 from slixmpp.stanza import Handshake
@@ -93,7 +95,7 @@ class ComponentXMPP(BaseXMPP):
         for st in Message, Iq, Presence:
             register_stanza_plugin(st, Error)
 
-    def connect(self, host=None, port=None, use_ssl=False):
+    def connect(self, host: str = None, port: int = 0, use_ssl: Optional[bool] = None) -> None:
         """Connect to the server.
 
 
@@ -104,16 +106,15 @@ class ComponentXMPP(BaseXMPP):
         :param use_ssl: Flag indicating if SSL should be used by connecting
                         directly to a port using SSL.
         """
-        if host is None:
+        if host is not None:
-            host = self.server_host
+            self.server_host = host
-        if port is None:
+        if port:
-            port = self.server_port
+            self.server_port = port
 
         self.server_name = self.boundjid.host
 
         log.debug("Connecting to %s:%s", host, port)
-        return XMLStream.connect(self, host=host, port=port,
+        XMLStream.connect(self, host=self.server_host, port=self.server_port, use_ssl=use_ssl)
-                                       use_ssl=use_ssl)
 
     def incoming_filter(self, xml):
         """

slixmpp/features/feature_mechanisms/mechanisms.py

@@ -37,7 +37,8 @@ class FeatureMechanisms(BasePlugin):
         'unencrypted_digest': False,
         'unencrypted_cram': False,
         'unencrypted_scram': True,
-        'order': 100
+        'order': 100,
+        'tls_version': None,
     }
 
     def plugin_init(self):
@@ -96,7 +97,20 @@ class FeatureMechanisms(BasePlugin):
                 result[value] = creds.get('email', jid)
             elif value == 'channel_binding':
                 if isinstance(self.xmpp.socket, (ssl.SSLSocket, ssl.SSLObject)):
-                    result[value] = self.xmpp.socket.get_channel_binding()
+                    version = self.xmpp.socket.version()
+                    # As of now, python does not implement anything else
+                    # than tls-unique, which is forbidden on TLSv1.3
+                    # see https://github.com/python/cpython/issues/95341
+                    if version != 'TLSv1.3':
+                        result[value] = self.xmpp.socket.get_channel_binding(
+                            cb_type="tls-unique"
+                        )
+                    elif 'tls-exporter' in ssl.CHANNEL_BINDING_TYPES:
+                        result[value] = self.xmpp.socket.get_channel_binding(
+                            cb_type="tls-exporter"
+                        )
+                    else:
+                        result[value] = None
                 else:
                     result[value] = None
             elif value == 'host':
@@ -121,6 +135,11 @@ class FeatureMechanisms(BasePlugin):
                     result[value] = True
                 else:
                     result[value] = False
+            elif value == 'tls_version':
+                if isinstance(self.xmpp.socket, (ssl.SSLSocket, ssl.SSLObject)):
+                    result[value] = self.xmpp.socket.version()
+            elif value == 'binding_proposed':
+                result[value] = any(x for x in self.mech_list if x.endswith('-PLUS'))
             else:
                 result[value] = self.config.get(value, False)
         return result

slixmpp/plugins/xep_0115/caps.py

@@ -7,7 +7,8 @@ import logging
 import hashlib
 import base64
 
-from asyncio import Future
+from asyncio import Future, Lock
+from collections import defaultdict
 from typing import Optional
 
 from slixmpp import __version__
@@ -94,6 +95,9 @@ class XEP_0115(BasePlugin):
         disco.assign_verstring = self.assign_verstring
         disco.get_verstring = self.get_verstring
 
+        # prevent concurrent fetches for the same hash
+        self._locks = defaultdict(Lock)
+
     def plugin_end(self):
         self.xmpp['xep_0030'].del_feature(feature=stanza.Capabilities.namespace)
         self.xmpp.del_filter('out', self._filter_add_caps)
@@ -137,7 +141,7 @@ class XEP_0115(BasePlugin):
 
         self.xmpp.event('entity_caps', p)
 
-    async def _process_caps(self, pres):
+    async def _process_caps(self, pres: Presence):
         if not pres['caps']['hash']:
             log.debug("Received unsupported legacy caps: %s, %s, %s",
                     pres['caps']['node'],
@@ -147,7 +151,11 @@ class XEP_0115(BasePlugin):
             return
 
         ver = pres['caps']['ver']
+        async with self._locks[ver]:
+            await self._process_caps_wrapped(pres, ver)
+        self._locks.pop(ver, None)
 
+    async def _process_caps_wrapped(self, pres: Presence, ver: str):
         existing_verstring = await self.get_verstring(pres['from'].full)
         if str(existing_verstring) == str(ver):
             return

slixmpp/plugins/xep_0221/media.py

@@ -15,6 +15,32 @@ log = logging.getLogger(__name__)
 
 
 class XEP_0221(BasePlugin):
+    """
+    XEP-0221: Data Forms Media Element
+
+    In certain implementations of Data Forms (XEP-0004), it can be
+    helpful to include media data such as small images. One example is
+    CAPTCHA Forms (XEP-0158). This plugin implements a method for
+    including media data in a data form.
+
+    Typical use pattern:
+
+    .. code-block:: python
+
+        self.register_plugin('xep_0221')
+        self['xep_0050'].add_command(node="showimage",
+                                        name="Show my image",
+                                        handler=self.form_handler)
+
+        def form_handler(self,iq,session):
+            image_url="https://xmpp.org/images/logos/xmpp-logo.svg"
+            form=self['xep_0004'].make_form('result','My Image')
+            form.addField(var='myimage', ftype='text-single', label='My Image', value=image_url)
+            form.field['myimage']['media'].add_uri(value=image_url, itype="image/svg")
+            session['payload']=form
+            return session
+    """
+
 
     name = 'xep_0221'
     description = 'XEP-0221: Data Forms Media Element'

slixmpp/test/slixtest.py

@@ -3,6 +3,7 @@
 # Copyright (C) 2010 Nathanael C. Fritz, Lance J.T. Stout
 # This file is part of Slixmpp.
 # See the file LICENSE for copying permission.
+import atexit
 import unittest
 from queue import Queue
 from xml.parsers.expat import ExpatError
@@ -750,3 +751,9 @@ class SlixTest(unittest.TestCase):
             Error.namespace = 'jabber:client'
             for st in Message, Iq, Presence:
                 register_stanza_plugin(st, Error)
+
+
+@atexit.register
+def cleanup():
+    loop = asyncio.get_event_loop()
+    loop.close()

slixmpp/util/sasl/mechanisms.py

@@ -181,7 +181,7 @@ class SCRAM(Mech):
     channel_binding = True
     required_credentials = {'username', 'password'}
     optional_credentials = {'authzid', 'channel_binding'}
-    security = {'encrypted', 'unencrypted_scram'}
+    security = {'tls_version', 'encrypted', 'unencrypted_scram', 'binding_proposed'}
 
     def setup(self, name):
         self.use_channel_binding = False
@@ -244,11 +244,15 @@ class SCRAM(Mech):
         self.cnonce = bytes(('%s' % random.random())[2:])
 
         gs2_cbind_flag = b'n'
-        if self.credentials['channel_binding']:
+        if self.security_settings['binding_proposed']:
-            if self.use_channel_binding:
+            if self.credentials['channel_binding'] and \
-                gs2_cbind_flag = b'p=tls-unique'
+                    self.use_channel_binding:
-            else:
+                if self.security_settings['tls_version'] != 'TLSv1.3':
-                gs2_cbind_flag = b'y'
+                    gs2_cbind_flag = b'p=tls-unique'
+                else:
+                    gs2_cbind_flag = b'p=tls-exporter'
+        else:
+            gs2_cbind_flag = b'y'
 
         authzid = b''
         if self.credentials['authzid']:
@@ -280,7 +284,7 @@ class SCRAM(Mech):
             raise SASLCancelled('Invalid nonce')
 
         cbind_data = b''
-        if self.use_channel_binding:
+        if self.use_channel_binding and self.credentials['channel_binding']:
             cbind_data = self.credentials['channel_binding']
         cbind_input = self.gs2_header + cbind_data
         channel_binding = b'c=' + b64encode(cbind_input).replace(b'\n', b'')

slixmpp/xmlstream/xmlstream.py

@@ -290,8 +290,8 @@ class XMLStream(asyncio.BaseProtocol):
         self.xml_depth = 0
         self.xml_root = None
 
-        self.force_starttls = None
+        self.force_starttls = True
-        self.disable_starttls = None
+        self.disable_starttls = False
 
         self.waiting_queue = asyncio.Queue()
 
@@ -405,8 +405,9 @@ class XMLStream(asyncio.BaseProtocol):
             self.disconnected.set_result(True)
         self.disconnected = asyncio.Future()
 
-    def connect(self, host: str = '', port: int = 0, use_ssl: Optional[bool] = False,
+    def connect(self, host: str = '', port: int = 0, use_ssl: Optional[bool] = None,
-                force_starttls: Optional[bool] = True, disable_starttls: Optional[bool] = False) -> None:
+                force_starttls: Optional[bool] = None,
+                disable_starttls: Optional[bool] = None) -> None:
         """Create a new socket and connect to the server.
 
         :param host: The name of the desired server for the connection.

tests/test_stream_xep_0115.py

@@ -0,0 +1,76 @@
+import logging
+import unittest
+from slixmpp.test import SlixTest
+
+
+class TestCaps(SlixTest):
+    def setUp(self):
+        self.stream_start(plugins=["xep_0115"])
+
+    def testConcurrentSameHash(self):
+        """
+        Check that we only resolve a given ver string to a disco info once,
+        even if we receive several presences with that same ver string
+        consecutively.
+        """
+        self.recv(  # language=XML
+            """
+            <presence from='romeo@montague.lit/orchard'>
+              <c xmlns='http://jabber.org/protocol/caps'
+                 hash='sha-1'
+                 node='a-node'
+                 ver='h0TdMvqNR8FHUfFG1HauOLYZDqE='/>
+            </presence>
+            """
+        )
+        self.recv(  # language=XML
+            """
+            <presence from='i-dont-know-much-shakespeare@montague.lit/orchard'>
+              <c xmlns='http://jabber.org/protocol/caps'
+                 hash='sha-1'
+                 node='a-node'
+                 ver='h0TdMvqNR8FHUfFG1HauOLYZDqE='/>
+            </presence>
+            """
+        )
+        self.send(  # language=XML
+            """
+            <iq xmlns="jabber:client"
+                id="1"
+                to="romeo@montague.lit/orchard"
+                type="get">
+              <query xmlns="http://jabber.org/protocol/disco#info"
+                     node="a-node#h0TdMvqNR8FHUfFG1HauOLYZDqE="/>
+            </iq>
+            """
+        )
+        self.send(None)
+        self.recv(  # language=XML
+            """
+            <iq from='romeo@montague.lit/orchard'
+                id='1'
+                type='result'>
+              <query xmlns='http://jabber.org/protocol/disco#info'
+                     node='a-nodes#h0TdMvqNR8FHUfFG1HauOLYZDqE='>
+                <identity category='client' name='a client' type='pc'/>
+                <feature var='http://jabber.org/protocol/caps'/>
+              </query>
+            </iq>
+            """
+        )
+        self.send(None)
+        self.assertTrue(
+            self.xmpp["xep_0030"].supports(
+                "romeo@montague.lit/orchard", "http://jabber.org/protocol/caps"
+            )
+        )
+        self.assertTrue(
+            self.xmpp["xep_0030"].supports(
+                "i-dont-know-much-shakespeare@montague.lit/orchard",
+                "http://jabber.org/protocol/caps",
+            )
+        )
+
+
+logging.basicConfig(level=logging.DEBUG)
+suite = unittest.TestLoader().loadTestsFromTestCase(TestCaps)