Swiftdiff options
| author | Tim Costen <tim.costen@isode.com> | 2019-11-05 13:37:28 (GMT) |
|---|---|---|
| committer | Tim Costen <tim.costen@isode.com> | 2019-11-05 13:45:29 (GMT) |
| commit | 959a42d21fd70ea002da9afa7482194e8b6097e1 (patch) | |
| tree | cae4a070453d1e3827a3a1e4812bedfe88fd110a | |
| parent | 8baf0e407b3b4914654a6036a16ac81b7a2e7414 (diff) | |
| download | swift-959a42d21fd70ea002da9afa7482194e8b6097e1.zip swift-959a42d21fd70ea002da9afa7482194e8b6097e1.tar.bz2 | |
Handle xmpp-server SRV records
Update ServerIdentityVerifier with new boolean parameter
(defaulting to false) to its constructor. Use this to determine
whether to check for SRV records which start with "_xmpp-client."
(the default, for backwards compatibility), or "_xmpp-server.".
JIRA: SWIFT-424
Bug:
Release-notes:
Manual:
Test-information:
Added a couple of new unit tests to check operation when this parameter
is set true. All ServerIdentityVerifier unit tests run as before.
Change-Id: Icb1fee31b436292cd6b5e61bc86482d700e40332
| -rw-r--r-- | Swiften/TLS/ServerIdentityVerifier.cpp | 6 | ||||
| -rw-r--r-- | Swiften/TLS/ServerIdentityVerifier.h | 3 | ||||
| -rw-r--r-- | Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp | 20 |
3 files changed, 26 insertions, 3 deletions
diff --git a/Swiften/TLS/ServerIdentityVerifier.cpp b/Swiften/TLS/ServerIdentityVerifier.cpp index 226e94b..da116e5 100644 --- a/Swiften/TLS/ServerIdentityVerifier.cpp +++ b/Swiften/TLS/ServerIdentityVerifier.cpp | |||
| @@ -12,7 +12,7 @@ | |||
| 12 | 12 | ||
| 13 | namespace Swift { | 13 | namespace Swift { |
| 14 | 14 | ||
| 15 | ServerIdentityVerifier::ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter) : domainValid(false) { | 15 | ServerIdentityVerifier::ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter, bool checkServer) : domainValid(false), checkServer_(checkServer) { |
| 16 | domain = jid.getDomain(); | 16 | domain = jid.getDomain(); |
| 17 | boost::optional<std::string> domainResult = idnConverter->getIDNAEncoded(domain); | 17 | boost::optional<std::string> domainResult = idnConverter->getIDNAEncoded(domain); |
| 18 | if (!!domainResult) { | 18 | if (!!domainResult) { |
| @@ -36,12 +36,14 @@ bool ServerIdentityVerifier::certificateVerifies(Certificate::ref certificate) { | |||
| 36 | } | 36 | } |
| 37 | hasSAN |= !dnsNames.empty(); | 37 | hasSAN |= !dnsNames.empty(); |
| 38 | 38 | ||
| 39 | std::string prefix = (checkServer_) ? "_xmpp-server." : "_xmpp-client."; | ||
| 40 | |||
| 39 | // SRV names | 41 | // SRV names |
| 40 | std::vector<std::string> srvNames = certificate->getSRVNames(); | 42 | std::vector<std::string> srvNames = certificate->getSRVNames(); |
| 41 | for (const auto& srvName : srvNames) { | 43 | for (const auto& srvName : srvNames) { |
| 42 | // Only match SRV names that begin with the service; this isn't required per | 44 | // Only match SRV names that begin with the service; this isn't required per |
| 43 | // spec, but we're being purist about this. | 45 | // spec, but we're being purist about this. |
| 44 | if (boost::starts_with(srvName, "_xmpp-client.") && matchesDomain(srvName.substr(std::string("_xmpp-client.").size(), srvName.npos))) { | 46 | if (boost::starts_with(srvName, prefix) && matchesDomain(srvName.substr(prefix.size(), srvName.npos))) { |
| 45 | return true; | 47 | return true; |
| 46 | } | 48 | } |
| 47 | } | 49 | } |
diff --git a/Swiften/TLS/ServerIdentityVerifier.h b/Swiften/TLS/ServerIdentityVerifier.h index f40c683..f2cf46f 100644 --- a/Swiften/TLS/ServerIdentityVerifier.h +++ b/Swiften/TLS/ServerIdentityVerifier.h | |||
| @@ -18,7 +18,7 @@ namespace Swift { | |||
| 18 | 18 | ||
| 19 | class SWIFTEN_API ServerIdentityVerifier { | 19 | class SWIFTEN_API ServerIdentityVerifier { |
| 20 | public: | 20 | public: |
| 21 | ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter); | 21 | ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter, bool checkServer=false); |
| 22 | 22 | ||
| 23 | bool certificateVerifies(Certificate::ref); | 23 | bool certificateVerifies(Certificate::ref); |
| 24 | 24 | ||
| @@ -30,5 +30,6 @@ namespace Swift { | |||
| 30 | std::string domain; | 30 | std::string domain; |
| 31 | std::string encodedDomain; | 31 | std::string encodedDomain; |
| 32 | bool domainValid; | 32 | bool domainValid; |
| 33 | bool checkServer_; | ||
| 33 | }; | 34 | }; |
| 34 | } | 35 | } |
diff --git a/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp b/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp index 30fe423..7379b69 100644 --- a/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp +++ b/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp | |||
| @@ -35,6 +35,8 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture { | |||
| 35 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingInternationalXmppAddr); | 35 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingInternationalXmppAddr); |
| 36 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithoutSAN); | 36 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithoutSAN); |
| 37 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithSAN); | 37 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithSAN); |
| 38 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingSRVNameWithServerExpected); | ||
| 39 | CPPUNIT_TEST(testCertificateVerifies_WithMatchingSRVNameWithClientUnexpected); | ||
| 38 | CPPUNIT_TEST_SUITE_END(); | 40 | CPPUNIT_TEST_SUITE_END(); |
| 39 | 41 | ||
| 40 | public: | 42 | public: |
| @@ -131,6 +133,24 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture { | |||
| 131 | CPPUNIT_ASSERT(!testling.certificateVerifies(certificate)); | 133 | CPPUNIT_ASSERT(!testling.certificateVerifies(certificate)); |
| 132 | } | 134 | } |
| 133 | 135 | ||
| 136 | void testCertificateVerifies_WithMatchingSRVNameWithServerExpected() { | ||
| 137 | // Server-mode test which gets cert with "xmpp-server" SRV name | ||
| 138 | ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get(), true); | ||
| 139 | SimpleCertificate::ref certificate(new SimpleCertificate()); | ||
| 140 | certificate->addSRVName("_xmpp-server.bar.com"); | ||
| 141 | |||
| 142 | CPPUNIT_ASSERT(testling.certificateVerifies(certificate)); | ||
| 143 | } | ||
| 144 | |||
| 145 | void testCertificateVerifies_WithMatchingSRVNameWithClientUnexpected() { | ||
| 146 | // Server-mode test which gets cert with "xmpp-client" SRV name | ||
| 147 | ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get(), true); | ||
| 148 | SimpleCertificate::ref certificate(new SimpleCertificate()); | ||
| 149 | certificate->addSRVName("_xmpp-client.bar.com"); | ||
| 150 | |||
| 151 | CPPUNIT_ASSERT(!testling.certificateVerifies(certificate)); | ||
| 152 | } | ||
| 153 | |||
| 134 | void testCertificateVerifies_WithMatchingXmppAddr() { | 154 | void testCertificateVerifies_WithMatchingXmppAddr() { |
| 135 | ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get()); | 155 | ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get()); |
| 136 | SimpleCertificate::ref certificate(new SimpleCertificate()); | 156 | SimpleCertificate::ref certificate(new SimpleCertificate()); |