diff options
author | Tobias Markmann <tm@ayena.de> | 2017-03-19 16:27:06 (GMT) |
---|---|---|
committer | Tobias Markmann <tm@ayena.de> | 2017-04-04 09:14:16 (GMT) |
commit | ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d (patch) | |
tree | bc655727b49d9308f220574c89aa9911fc30ed92 | |
parent | 38f35935581b826940a10246b0a624c643dccc2e (diff) | |
download | swift-ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d.zip swift-ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d.tar.bz2 |
Verify certificates for HTTPS BOSH connections
Test-Information:
Tested against a BOSH server with a valid HTTPS certificate
and against a BOSH server with an expired HTTPS certificate.
Tested on macOS 10.12.3 with Qt 5.5.1.
Change-Id: I9989389b271961fc4d66db56198b32715af52ae7
-rw-r--r-- | Swiften/Client/ClientSession.cpp | 20 | ||||
-rw-r--r-- | Swiften/Network/BOSHConnectionPool.cpp | 1 | ||||
-rw-r--r-- | Swiften/Network/BOSHConnectionPool.h | 1 | ||||
-rw-r--r-- | Swiften/Session/BOSHSessionStream.cpp | 7 | ||||
-rw-r--r-- | Swiften/Session/BOSHSessionStream.h | 1 |
5 files changed, 23 insertions, 7 deletions
diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp index bcfb004..661a832 100644 --- a/Swiften/Client/ClientSession.cpp +++ b/Swiften/Client/ClientSession.cpp @@ -45,6 +45,8 @@ #include <Swiften/SASL/PLAINClientAuthenticator.h> #include <Swiften/SASL/SCRAMSHA1ClientAuthenticator.h> #include <Swiften/Session/SessionStream.h> +#include <Swiften/Session/BasicSessionStream.h> +#include <Swiften/Session/BOSHSessionStream.h> #include <Swiften/StreamManagement/StanzaAckRequester.h> #include <Swiften/StreamManagement/StanzaAckResponder.h> #include <Swiften/TLS/CertificateTrustChecker.h> @@ -430,7 +432,9 @@ void ClientSession::sendCredentials(const SafeByteArray& password) { } void ClientSession::handleTLSEncrypted() { - CHECK_STATE_OR_RETURN(State::Encrypting); + if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) { + CHECK_STATE_OR_RETURN(State::Encrypting); + } std::vector<Certificate::ref> certificateChain = stream->getPeerCertificateChain(); std::shared_ptr<CertificateVerificationError> verificationError = stream->getPeerCertificateVerificationError(); @@ -450,7 +454,9 @@ void ClientSession::handleTLSEncrypted() { void ClientSession::checkTrustOrFinish(const std::vector<Certificate::ref>& certificateChain, std::shared_ptr<CertificateVerificationError> error) { if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificateChain)) { - continueAfterTLSEncrypted(); + if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) { + continueAfterTLSEncrypted(); + } } else { finishSession(error); @@ -476,9 +482,11 @@ void ClientSession::initiateShutdown(bool sendFooter) { } void ClientSession::continueAfterTLSEncrypted() { - state = State::WaitingForStreamStart; - stream->resetXMPPParser(); - sendStreamHeader(); + if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) { + state = State::WaitingForStreamStart; + stream->resetXMPPParser(); + sendStreamHeader(); + } } void ClientSession::handleStreamClosed(std::shared_ptr<Swift::Error> streamError) { @@ -536,7 +544,7 @@ void ClientSession::finishSession(std::shared_ptr<Swift::Error> error) { error_ = error; } else { - SWIFT_LOG(warning) << "Session finished twice"; + SWIFT_LOG(warning) << "Session finished twice" << std::endl; } assert(stream->isOpen()); if (stanzaAckResponder_) { diff --git a/Swiften/Network/BOSHConnectionPool.cpp b/Swiften/Network/BOSHConnectionPool.cpp index e4ca471..8a75e81 100644 --- a/Swiften/Network/BOSHConnectionPool.cpp +++ b/Swiften/Network/BOSHConnectionPool.cpp @@ -142,6 +142,7 @@ void BOSHConnectionPool::handleConnectFinished(bool error, BOSHConnection::ref c } if (!pinnedCertificateChain_.empty()) { lastVerificationError_ = connection->getPeerCertificateVerificationError(); + onTLSConnectionEstablished(); } if (sid.empty()) { diff --git a/Swiften/Network/BOSHConnectionPool.h b/Swiften/Network/BOSHConnectionPool.h index 1a805de..c4d827c 100644 --- a/Swiften/Network/BOSHConnectionPool.h +++ b/Swiften/Network/BOSHConnectionPool.h @@ -41,6 +41,7 @@ namespace Swift { std::vector<Certificate::ref> getPeerCertificateChain() const; std::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const; + boost::signals2::signal<void ()> onTLSConnectionEstablished; boost::signals2::signal<void (BOSHError::ref)> onSessionTerminated; boost::signals2::signal<void ()> onSessionStarted; boost::signals2::signal<void (const SafeByteArray&)> onXMPPDataRead; diff --git a/Swiften/Session/BOSHSessionStream.cpp b/Swiften/Session/BOSHSessionStream.cpp index 4c7bdee..a335b93 100644 --- a/Swiften/Session/BOSHSessionStream.cpp +++ b/Swiften/Session/BOSHSessionStream.cpp @@ -55,7 +55,7 @@ BOSHSessionStream::BOSHSessionStream(const URL& boshURL, connectionPool->onXMPPDataRead.connect(boost::bind(&BOSHSessionStream::handlePoolXMPPDataRead, this, _1)); connectionPool->onBOSHDataRead.connect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataRead, this, _1)); connectionPool->onBOSHDataWritten.connect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataWritten, this, _1)); - + connectionPool->onTLSConnectionEstablished.connect(boost::bind(&BOSHSessionStream::handlePoolTLSEstablished, this)); xmppLayer = new XMPPLayer(payloadParserFactories, payloadSerializers, xmlParserFactory, ClientStreamType, true); xmppLayer->onStreamStart.connect(boost::bind(&BOSHSessionStream::handleStreamStartReceived, this, _1)); xmppLayer->onElement.connect(boost::bind(&BOSHSessionStream::handleElementReceived, this, _1)); @@ -72,6 +72,7 @@ BOSHSessionStream::~BOSHSessionStream() { connectionPool->onXMPPDataRead.disconnect(boost::bind(&BOSHSessionStream::handlePoolXMPPDataRead, this, _1)); connectionPool->onBOSHDataRead.disconnect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataRead, this, _1)); connectionPool->onBOSHDataWritten.disconnect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataWritten, this, _1)); + connectionPool->onTLSConnectionEstablished.disconnect(boost::bind(&BOSHSessionStream::handlePoolTLSEstablished, this)); delete connectionPool; connectionPool = nullptr; xmppLayer->onStreamStart.disconnect(boost::bind(&BOSHSessionStream::handleStreamStartReceived, this, _1)); @@ -178,6 +179,10 @@ void BOSHSessionStream::handlePoolSessionTerminated(BOSHError::ref error) { eventLoop->postEvent(boost::bind(&BOSHSessionStream::fakeStreamFooterReceipt, this, error), shared_from_this()); } +void BOSHSessionStream::handlePoolTLSEstablished() { + onTLSEncrypted(); +} + void BOSHSessionStream::writeHeader(const ProtocolHeader& header) { streamHeader = header; /*First time we're told to do this, don't (the sending of the initial header is handled on connect) diff --git a/Swiften/Session/BOSHSessionStream.h b/Swiften/Session/BOSHSessionStream.h index 0c26848..719f1f0 100644 --- a/Swiften/Session/BOSHSessionStream.h +++ b/Swiften/Session/BOSHSessionStream.h @@ -85,6 +85,7 @@ namespace Swift { void handlePoolBOSHDataRead(const SafeByteArray& data); void handlePoolBOSHDataWritten(const SafeByteArray& data); void handlePoolSessionTerminated(BOSHError::ref condition); + void handlePoolTLSEstablished(); private: void fakeStreamHeaderReceipt(); |