Remove obsolete fast_tls and reimplement tls-exporter CB over OTP ssl
NelsonVides committed Jan 9, 2025
1 parent a9509dc commit b5ba493
Showing 7 changed files with 96 additions and 102 deletions.
1 change: 0 additions & 1 deletion rebar.config
Expand Up @@ -12,7 +12,6 @@
{uuid, "2.0.7", {pkg, uuid_erl}},
{gun, "2.1.0"},
{worker_pool, "6.4.0"},
{fast_tls, "1.1.21"},
{fast_scram, "0.6.1"}
]}.

6 changes: 0 additions & 6 deletions rebar.lock
Expand Up @@ -4,10 +4,8 @@
{<<"exml">>,{pkg,<<"hexml">>,<<"3.4.1">>},0},
{<<"fast_pbkdf2">>,{pkg,<<"fast_pbkdf2">>,<<"1.0.6">>},1},
{<<"fast_scram">>,{pkg,<<"fast_scram">>,<<"0.6.1">>},0},
{<<"fast_tls">>,{pkg,<<"fast_tls">>,<<"1.1.21">>},0},
{<<"gun">>,{pkg,<<"gun">>,<<"2.1.0">>},0},
{<<"meck">>,{pkg,<<"meck">>,<<"1.0.0">>},0},
{<<"p1_utils">>,{pkg,<<"p1_utils">>,<<"1.0.26">>},1},
{<<"quickrand">>,{pkg,<<"quickrand">>,<<"2.0.7">>},1},
{<<"uuid">>,{pkg,<<"uuid_erl">>,<<"2.0.7">>},0},
{<<"worker_pool">>,{pkg,<<"worker_pool">>,<<"6.4.0">>},0}]}.
Expand All @@ -18,10 +16,8 @@
{<<"exml">>, <<"9581FE6512D9772C61BBE611CD4A8E5BB90B4D4481275325EC520F7A931A9393">>},
{<<"fast_pbkdf2">>, <<"199BCEC73A1A246941E9465D3DC41052953B638128841ED24B29ED03CF70AF27">>},
{<<"fast_scram">>, <<"BEEADB03D774640F0671681759CE53B2FF33CB58C86FD9BF2A793E2FC1ED0F5D">>},
{<<"fast_tls">>, <<"65D7D547A09EEFB37A1C0D04D8601FAC4F3E6E2C1EDE859A7787081670F9648D">>},
{<<"gun">>, <<"B4E4CBBF3026D21981C447E9E7CA856766046EFF693720BA43114D7F5DE36E87">>},
{<<"meck">>, <<"24676CB6EE6951530093A93EDCD410CFE4CB59FE89444B875D35C9D3909A15D0">>},
{<<"p1_utils">>, <<"67B0C4AC9FA3BA3EF563B31AA111B0A004439A37FAC85E027F1C3617E1C7EC6C">>},
{<<"quickrand">>, <<"D2BD76676A446E6A058D678444B7FDA1387B813710D1AF6D6E29BB92186C8820">>},
{<<"uuid">>, <<"B2078D2CC814F53AFA52D36C91E08962C7E7373585C623F4C0EA6DFB04B2AF94">>},
{<<"worker_pool">>, <<"0347B805A8E5804B5676A9885FB3B9B6C1627099C449C3C67C0E8E6AF79E9AA6">>}]},
Expand All @@ -31,10 +27,8 @@
{<<"exml">>, <<"D8E7894E2544402B4986EEB2443C15B51B14F686266F091DBF2777D1D99A2FA2">>},
{<<"fast_pbkdf2">>, <<"35EEC22629AAA739915843C7B7DE0D84657D1ECE972D8BBC86368747E9C14012">>},
{<<"fast_scram">>, <<"FE0650A309FDF97C75E1EA812CCFB40EB464ECAFD3783E83AA17C7F572EDAB0B">>},
{<<"fast_tls">>, <<"131542913937025E48CD80AA81F00359686D5501B75621E72026A87B5229505B">>},
{<<"gun">>, <<"52FC7FC246BFC3B00E01AEA1C2854C70A366348574AB50C57DFE796D24A0101D">>},
{<<"meck">>, <<"680A9BCFE52764350BEB9FB0335FB75FEE8E7329821416CEE0A19FEC35433882">>},
{<<"p1_utils">>, <<"D0379E8C1156B98BD64F8129C1DE022FCCA4F2FDB7486CE73BF0ED2C3376B04C">>},
{<<"quickrand">>, <<"B8ACBF89A224BC217C3070CA8BEBC6EB236DBE7F9767993B274084EA044D35F0">>},
{<<"uuid">>, <<"4E4C5CA3461DC47C5E157ED42AA3981A053B7A186792AF972A27B14A9489324E">>},
{<<"worker_pool">>, <<"59946FBCE1D331CDEB153EDD36A823DC1AAB4C2482662582B983C9C90EBC3461">>}]}
1 change: 0 additions & 1 deletion src/escalus.app.src
Expand Up @@ -12,7 +12,6 @@
meck,
bbmustache,
uuid,
fast_tls,
fast_scram,
worker_pool
]},
29 changes: 14 additions & 15 deletions src/escalus_auth.erl
Expand Up @@ -30,14 +30,16 @@
-type client() :: escalus_connection:client().
-type user_spec() :: escalus_users:user_spec().
-type hash_type() :: fast_scram:sha_type().
-type plus_variant() :: none | tls_unique.
-type plus_variant() :: none | tls_exporter.
-type scram_options() :: #{plus_variant := plus_variant(),
hash_type := hash_type(),
xmpp_method := binary()
}.

-include_lib("exml/include/exml.hrl").

-define(CB_LABEL, <<"EXPORTER-Channel-Binding">>).

%%--------------------------------------------------------------------
%% Public API
%%--------------------------------------------------------------------
Expand Down Expand Up @@ -92,31 +94,31 @@ auth_sasl_scram_sha512(Conn, Props) ->
%% SCRAM PLUS
-spec auth_sasl_scram_sha1_plus(client(), user_spec()) -> ok.
auth_sasl_scram_sha1_plus(Conn, Props) ->
Options = #{plus_variant => tls_unique, hash_type => sha,
Options = #{plus_variant => tls_exporter, hash_type => sha,
xmpp_method => <<"SCRAM-SHA-1-PLUS">>},
auth_sasl_scram(Options, Conn, Props).

-spec auth_sasl_scram_sha224_plus(client(), user_spec()) -> ok.
auth_sasl_scram_sha224_plus(Conn, Props) ->
Options = #{plus_variant => tls_unique, hash_type => sha224,
Options = #{plus_variant => tls_exporter, hash_type => sha224,
xmpp_method => <<"SCRAM-SHA-224-PLUS">>},
auth_sasl_scram(Options, Conn, Props).

-spec auth_sasl_scram_sha256_plus(client(), user_spec()) -> ok.
auth_sasl_scram_sha256_plus(Conn, Props) ->
Options = #{plus_variant => tls_unique, hash_type => sha256,
Options = #{plus_variant => tls_exporter, hash_type => sha256,
xmpp_method => <<"SCRAM-SHA-256-PLUS">>},
auth_sasl_scram(Options, Conn, Props).

-spec auth_sasl_scram_sha384_plus(client(), user_spec()) -> ok.
auth_sasl_scram_sha384_plus(Conn, Props) ->
Options = #{plus_variant => tls_unique, hash_type => sha384,
Options = #{plus_variant => tls_exporter, hash_type => sha384,
xmpp_method => <<"SCRAM-SHA-384-PLUS">>},
auth_sasl_scram(Options, Conn, Props).

-spec auth_sasl_scram_sha512_plus(client(), user_spec()) -> ok.
auth_sasl_scram_sha512_plus(Conn, Props) ->
Options = #{plus_variant => tls_unique, hash_type => sha512,
Options = #{plus_variant => tls_exporter, hash_type => sha512,
xmpp_method => <<"SCRAM-SHA-512-PLUS">>},
auth_sasl_scram(Options, Conn, Props).

Expand All @@ -127,8 +129,7 @@ auth_sasl_scram(#{plus_variant := PlusVariant,
Conn, Props) ->
Username = get_property(username, Props),
Password = get_property(password, Props),
ChannelBinding = scram_sha_auth_payload(
proplists:get_value(tls_module, Props, ssl), PlusVariant, Conn),
ChannelBinding = scram_sha_auth_payload(PlusVariant, Conn),
{ok, ClientState1} = fast_scram:mech_new(
#{entity => client, username => Username, hash_method => HashMethod, nonce_size => 16,
channel_binding => ChannelBinding, auth_data => #{password => Password}}),
Expand Down Expand Up @@ -220,14 +221,12 @@ md5_digest_response(ChallengeData, Props) ->
{<<"authzid">>, FullJid}
])).

scram_sha_auth_payload(ssl, _, _) ->
{undefined, <<>>};
scram_sha_auth_payload(fast_tls, none, _) ->
scram_sha_auth_payload(none, _) ->
{none, <<>>};
scram_sha_auth_payload(fast_tls, tls_unique, Conn) ->
{ok, FinishedTLS} = escalus_connection:get_tls_last_message(Conn),
{<<"tls-unique">>, FinishedTLS}.

scram_sha_auth_payload(tls_exporter, Conn) ->
{ok, Material} = escalus_connection:export_key_materials(
Conn, [?CB_LABEL], [no_context], [32], true),
{<<"tls-exporter">>, Material}.

hex_md5(Data) ->
binary:encode_hex(crypto:hash(md5, Data), lowercase).
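Review bot: The `{ok, Material} = escalus_connection:export_key_materials(...)` match in the new `scram_sha_auth_payload(tls_exporter, Conn)` clause accepts any shape of result, while the `-spec` this commit adds in escalus_connection.erl types it as `binary() | [binary()]`; if the tcp backend (not in this diff) passes the ssl result through for a one-label request, `Material` would be a single-element list that is handed to fast_scram as channel-binding data with nothing failing here. Pinning the expected shape, `{ok, [Material]} = ...` or `{ok, Material} = ..., true = is_binary(Material)` depending on what escalus_tcp returns, makes a mismatch fail at the derivation rather than somewhere in the SCRAM exchange. `ConsumeSecret` is passed as `true`, and the same spec lists `exporter_master_secret_already_consumed` as an error, so a second PLUS authentication over the same TLS connection would presumably crash on this badmatch; if one derivation per connection is intended, a comment such as `%% consumes the exporter secret: at most one tls-exporter derivation per connection` would record that. `?CB_LABEL`, `no_context` and the 32-byte length look like the RFC 9266 tls-exporter parameters, so a comment citing the RFC next to `-define(CB_LABEL, ...)` would let a reader confirm the context argument (RFC 5705 treats "no context" and an empty context differently for TLS 1.2) without re-deriving it.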
30 changes: 24 additions & 6 deletions src/escalus_connection.erl
Expand Up @@ -31,7 +31,7 @@
get_sm_h/1,
set_sm_h/2,
set_filter_predicate/2,
get_tls_last_message/1,
export_key_materials/5,
reset_parser/1,
is_connected/1,
wait_for_close/1,
Expand Down Expand Up @@ -87,6 +87,16 @@
-callback set_filter_predicate(pid(), filter_pred()) -> ok.
-callback stop(pid()) -> ok | already_stopped.
-callback kill(pid()) -> ok | already_stopped.
-callback export_key_materials(pid(), Labels, Contexts, WantedLengths, ConsumeSecret) ->
{ok, ExportKeyMaterials} |
{error, undefined_tls_material | exporter_master_secret_already_consumed | bad_input}
when
Labels :: [binary()],
Contexts :: [binary() | no_context],
WantedLengths :: [non_neg_integer()],
ConsumeSecret :: boolean(),
ExportKeyMaterials :: binary() | [binary()].
-optional_callbacks([export_key_materials/5]).

-callback stream_start_req(user_spec()) -> exml_stream:element().
-callback stream_end_req(user_spec()) -> exml_stream:element().
Expand Down Expand Up @@ -390,11 +400,19 @@ set_sm_h(#client{module = Mod}, _) ->
set_filter_predicate(#client{module = Module, rcv_pid = Pid}, Pred) ->
Module:set_filter_predicate(Pid, Pred).

-spec get_tls_last_message(client()) -> {ok, binary()} | {error, undefined_tls_message}.
get_tls_last_message(#client{module = escalus_tcp, rcv_pid = Pid}) ->
escalus_tcp:get_tls_last_message(Pid);
get_tls_last_message(#client{module = Mod}) ->
error({get_tls_last_message, {undefined_for_escalus_module, Mod}}).
-spec export_key_materials(client(), Labels, Contexts, WantedLengths, ConsumeSecret) ->
{ok, ExportKeyMaterials} |
{error, undefined_tls_material | exporter_master_secret_already_consumed | bad_input}
when
Labels :: [binary()],
Contexts :: [binary() | no_context],
WantedLengths :: [non_neg_integer()],
ConsumeSecret :: boolean(),
ExportKeyMaterials :: binary() | [binary()].
export_key_materials(#client{module = escalus_tcp, rcv_pid = Pid}, Labels, Contexts, WantedLengths, ConsumeSecret) ->
escalus_tcp:export_key_materials(Pid, Labels, Contexts, WantedLengths, ConsumeSecret);
export_key_materials(#client{module = Mod}, _Labels, _Contexts, _WantedLengths, _ConsumeSecret) ->
error({export_key_materials, {undefined_for_escalus_module, Mod}}).

-spec reset_parser(client()) -> ok.
reset_parser(#client{module = Mod, rcv_pid = Pid}) ->
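Review bot: The new `export_key_materials/5` wrapper only ever calls `escalus_tcp` and raises `error({export_key_materials, {undefined_for_escalus_module, Mod}})` for every other module, even though the earlier hunk in this file declares `export_key_materials/5` in `-optional_callbacks`, so a backend that implements the callback can never be reached through this API. Dispatching on whether the module exports it, the way `set_filter_predicate/2` just above calls `Module:set_filter_predicate(Pid, Pred)`, would honour the optional callback and keep the hardcoded module out of the dispatcher. The raising clause also disagrees with the `-spec`, which promises an `{error, ...}` tuple rather than an exception for the unsupported case; either the spec or the fallback should say which one applies. `erlang:function_exported/3` only reports loaded modules, so a `code:ensure_loaded/1` call may be needed before the check, depending on how backends are loaded (not visible here).
```erlang
export_key_materials(#client{module = Mod, rcv_pid = Pid}, Labels, Contexts, WantedLengths, ConsumeSecret) ->
    case erlang:function_exported(Mod, export_key_materials, 5) of
        true ->
            Mod:export_key_materials(Pid, Labels, Contexts, WantedLengths, ConsumeSecret);
        false ->
            error({export_key_materials, {undefined_for_escalus_module, Mod}})
    end.
```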
