diff options
author | Tobias Markmann <tm@ayena.de> | 2018-01-26 18:04:17 (GMT) |
---|---|---|
committer | Tobias Markmann <tm@ayena.de> | 2018-03-12 09:02:00 (GMT) |
commit | ff600776577ce4e3bbf9aa66f5980bc9cf1042a0 (patch) | |
tree | f4dcd3484d481d8a7b78bdbf29a3481f0e6b7e83 | |
parent | 3a540816280691e7ca3191867d3c73beba465674 (diff) | |
download | swift-ff600776577ce4e3bbf9aa66f5980bc9cf1042a0.zip swift-ff600776577ce4e3bbf9aa66f5980bc9cf1042a0.tar.bz2 |
Add getPeerFinishMessage() method and OpenSSL TLS backend
This method allows to calculate the TLS finish message of the
peer of a TLS connection. It can be used to provide SASL
channel binding for TLS servers.
Test-Information:
Added unit test that verifies the finish messages of a server
TLS context with the finish messages of a client TLS context.
Tests pass on macOS 10.13.3 with OpenSSL.
Change-Id: Ia5ba539e1fb6d1bef6b4436bb59c7384b57a69b0
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 10 | ||||
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.h | 1 | ||||
-rw-r--r-- | Swiften/TLS/TLSContext.cpp | 6 | ||||
-rw-r--r-- | Swiften/TLS/TLSContext.h | 2 | ||||
-rw-r--r-- | Swiften/TLS/UnitTest/ClientServerTest.cpp | 23 |
5 files changed, 40 insertions, 2 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 47e7175..6c27e22 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp @@ -490,11 +490,19 @@ std::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificate ByteArray OpenSSLContext::getFinishMessage() const { ByteArray data; data.resize(MAX_FINISHED_SIZE); - size_t size = SSL_get_finished(handle_.get(), vecptr(data), data.size()); + auto size = SSL_get_finished(handle_.get(), vecptr(data), data.size()); data.resize(size); return data; } +ByteArray OpenSSLContext::getPeerFinishMessage() const { + ByteArray data; + data.resize(MAX_FINISHED_SIZE); + auto size = SSL_get_peer_finished(handle_.get(), vecptr(data), data.size()); + data.resize(size); + return data; + } + CertificateVerificationError::Type OpenSSLContext::getVerificationErrorTypeForResult(int result) { assert(result != 0); switch (result) { diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h index 4a94848..bf897a7 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.h +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h @@ -57,6 +57,7 @@ namespace Swift { std::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const override final; virtual ByteArray getFinishMessage() const override final; + virtual ByteArray getPeerFinishMessage() const override final; private: static void ensureLibraryInitialized(); diff --git a/Swiften/TLS/TLSContext.cpp b/Swiften/TLS/TLSContext.cpp index 39fb5c9..8246dde 100644 --- a/Swiften/TLS/TLSContext.cpp +++ b/Swiften/TLS/TLSContext.cpp @@ -35,10 +35,14 @@ void TLSContext::setAbortTLSHandshake(bool /* abort */) { assert(false); } - Certificate::ref TLSContext::getPeerCertificate() const { std::vector<Certificate::ref> chain = getPeerCertificateChain(); return chain.empty() ? Certificate::ref() : chain[0]; } +ByteArray TLSContext::getPeerFinishMessage() const { + assert(false); + return ByteArray(); +} + } diff --git a/Swiften/TLS/TLSContext.h b/Swiften/TLS/TLSContext.h index 2655d4b..653e8d2 100644 --- a/Swiften/TLS/TLSContext.h +++ b/Swiften/TLS/TLSContext.h @@ -47,6 +47,8 @@ namespace Swift { virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const = 0; virtual ByteArray getFinishMessage() const = 0; + virtual ByteArray getPeerFinishMessage() const; + public: enum class Mode { diff --git a/Swiften/TLS/UnitTest/ClientServerTest.cpp b/Swiften/TLS/UnitTest/ClientServerTest.cpp index 692b3c0..5777856 100644 --- a/Swiften/TLS/UnitTest/ClientServerTest.cpp +++ b/Swiften/TLS/UnitTest/ClientServerTest.cpp @@ -655,3 +655,26 @@ TEST(ClientServerTest, testClientServerSNIRequestedHostUnavailable) { ASSERT_EQ("client", events.events[3].first); ASSERT_EQ("TLSFault()", boost::apply_visitor(TLSEventToStringVisitor(), events.events[3].second)); } + +TEST(ClientServerTest, testClientServerEqualFinishedMessage) { + auto clientContext = createTLSContext(TLSContext::Mode::Client); + auto serverContext = createTLSContext(TLSContext::Mode::Server); + + TLSClientServerEventHistory events(clientContext.get(), serverContext.get()); + + ClientServerConnector connector(clientContext.get(), serverContext.get()); + + auto tlsFactories = std::make_shared<PlatformTLSFactories>(); + + ASSERT_EQ(true, serverContext->setCertificateChain(tlsFactories->getCertificateFactory()->createCertificateChain(createByteArray(certificatePEM["capulet.example"])))); + + auto privateKey = tlsFactories->getCertificateFactory()->createPrivateKey(createSafeByteArray(privateKeyPEM["capulet.example"])); + ASSERT_NE(nullptr, privateKey.get()); + ASSERT_EQ(true, serverContext->setPrivateKey(privateKey)); + + serverContext->accept(); + clientContext->connect(); + + ASSERT_EQ(serverContext->getPeerFinishMessage(), clientContext->getFinishMessage()); + ASSERT_EQ(clientContext->getPeerFinishMessage(), serverContext->getFinishMessage()); +} |