diff options
author | Remko Tronçon <git@el-tramo.be> | 2010-05-08 17:01:12 (GMT) |
---|---|---|
committer | Remko Tronçon <git@el-tramo.be> | 2010-05-08 17:01:12 (GMT) |
commit | eb6a3e659254de70b7c45627e7e0f4f53b737d04 (patch) | |
tree | 09152371318a66feb4e8b0c936255bab17b74a91 | |
parent | d233ec7a863fb0b9a6f20ea0aa52c7c0ea38e2fd (diff) | |
download | swift-contrib-eb6a3e659254de70b7c45627e7e0f4f53b737d04.zip swift-contrib-eb6a3e659254de70b7c45627e7e0f4f53b737d04.tar.bz2 |
Don't allow PLAIN over Non-TLS.
-rw-r--r-- | Swiften/Client/ClientSession.cpp | 11 | ||||
-rw-r--r-- | Swiften/Client/ClientSession.h | 5 | ||||
-rw-r--r-- | Swiften/Client/UnitTest/ClientSessionTest.cpp | 18 | ||||
-rw-r--r-- | Swiften/Session/BasicSessionStream.cpp | 4 | ||||
-rw-r--r-- | Swiften/Session/BasicSessionStream.h | 1 | ||||
-rw-r--r-- | Swiften/Session/SessionStream.h | 1 |
6 files changed, 35 insertions, 5 deletions
diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp index a255cef..5e2cd84 100644 --- a/Swiften/Client/ClientSession.cpp +++ b/Swiften/Client/ClientSession.cpp @@ -40,6 +40,7 @@ ClientSession::ClientSession( localJID(jid), state(Initial), stream(stream), + allowPLAINOverNonTLS(false), needSessionStart(false), authenticator(NULL) { } @@ -108,6 +109,11 @@ void ClientSession::handleElement(boost::shared_ptr<Element> element) { state = WaitingForCredentials; onNeedCredentials(); } + else if ((stream->isTLSEncrypted() || allowPLAINOverNonTLS) && streamFeatures->hasAuthenticationMechanism("PLAIN")) { + authenticator = new PLAINClientAuthenticator(); + state = WaitingForCredentials; + onNeedCredentials(); + } else if (streamFeatures->hasAuthenticationMechanism("DIGEST-MD5")) { std::ostringstream s; s << boost::uuids::random_generator()(); @@ -116,11 +122,6 @@ void ClientSession::handleElement(boost::shared_ptr<Element> element) { state = WaitingForCredentials; onNeedCredentials(); } - else if (streamFeatures->hasAuthenticationMechanism("PLAIN")) { - authenticator = new PLAINClientAuthenticator(); - state = WaitingForCredentials; - onNeedCredentials(); - } else { finishSession(Error::NoSupportedAuthMechanismsError); } diff --git a/Swiften/Client/ClientSession.h b/Swiften/Client/ClientSession.h index fa52706..37f8bea 100644 --- a/Swiften/Client/ClientSession.h +++ b/Swiften/Client/ClientSession.h @@ -61,6 +61,10 @@ namespace Swift { return state; } + void setAllowPLAINOverNonTLS(bool b) { + allowPLAINOverNonTLS = b; + } + void start(); void finish(); @@ -100,6 +104,7 @@ namespace Swift { JID localJID; State state; boost::shared_ptr<SessionStream> stream; + bool allowPLAINOverNonTLS; bool needSessionStart; ClientAuthenticator* authenticator; }; diff --git a/Swiften/Client/UnitTest/ClientSessionTest.cpp b/Swiften/Client/UnitTest/ClientSessionTest.cpp index 8e0a85d..180eab8 100644 --- a/Swiften/Client/UnitTest/ClientSessionTest.cpp +++ b/Swiften/Client/UnitTest/ClientSessionTest.cpp @@ -138,6 +138,19 @@ class ClientSessionTest : public CppUnit::TestFixture { CPPUNIT_ASSERT(sessionFinishedError); } + void testAuthenticate_PLAINOverNonTLS() { + boost::shared_ptr<ClientSession> session(createSession()); + session->setAllowPLAINOverNonTLS(false); + session->start(); + server->receiveStreamStart(); + server->sendStreamStart(); + server->sendStreamFeaturesWithPLAINAuthentication(); + + CPPUNIT_ASSERT_EQUAL(ClientSession::Finished, session->getState()); + CPPUNIT_ASSERT(sessionFinishedReceived); + CPPUNIT_ASSERT(sessionFinishedError); + } + void testAuthenticate_NoValidAuthMechanisms() { boost::shared_ptr<ClientSession> session(createSession()); session->start(); @@ -155,6 +168,7 @@ class ClientSessionTest : public CppUnit::TestFixture { boost::shared_ptr<ClientSession> session = ClientSession::create(JID("me@foo.com"), server); session->onFinished.connect(boost::bind(&ClientSessionTest::handleSessionFinished, this, _1)); session->onNeedCredentials.connect(boost::bind(&ClientSessionTest::handleSessionNeedCredentials, this)); + session->setAllowPLAINOverNonTLS(true); return session; } @@ -206,6 +220,10 @@ class ClientSessionTest : public CppUnit::TestFixture { tlsEncrypted = true; } + virtual bool isTLSEncrypted() { + return tlsEncrypted; + } + virtual void addZLibCompression() { compressed = true; } diff --git a/Swiften/Session/BasicSessionStream.cpp b/Swiften/Session/BasicSessionStream.cpp index 861b9d0..d75e2c3 100644 --- a/Swiften/Session/BasicSessionStream.cpp +++ b/Swiften/Session/BasicSessionStream.cpp @@ -81,6 +81,10 @@ void BasicSessionStream::addTLSEncryption() { } } +bool BasicSessionStream::isTLSEncrypted() { + return tlsLayer; +} + void BasicSessionStream::addZLibCompression() { boost::shared_ptr<CompressionLayer> compressionLayer(new CompressionLayer()); streamStack->addLayer(compressionLayer); diff --git a/Swiften/Session/BasicSessionStream.h b/Swiften/Session/BasicSessionStream.h index 7c98992..7f194ff 100644 --- a/Swiften/Session/BasicSessionStream.h +++ b/Swiften/Session/BasicSessionStream.h @@ -49,6 +49,7 @@ namespace Swift { virtual bool supportsTLSEncryption(); virtual void addTLSEncryption(); + virtual bool isTLSEncrypted(); virtual void setWhitespacePingEnabled(bool); diff --git a/Swiften/Session/SessionStream.h b/Swiften/Session/SessionStream.h index 614d237..f2d4a7b 100644 --- a/Swiften/Session/SessionStream.h +++ b/Swiften/Session/SessionStream.h @@ -44,6 +44,7 @@ namespace Swift { virtual bool supportsTLSEncryption() = 0; virtual void addTLSEncryption() = 0; + virtual bool isTLSEncrypted() = 0; virtual void setWhitespacePingEnabled(bool enabled) = 0; virtual void resetXMPPParser() = 0; |