author | Kevin Smith <git@kismith.co.uk> | 2014-08-27 14:16:15 (GMT) |
---|---|---|
committer | Kevin Smith <kevin.smith@isode.com> | 2015-06-10 20:29:05 (GMT) |
commit | b2093a372874aefb4f56f66a70a96f78d6cbbaec (patch) | |
tree | ab779a4cc7950339d2c2cb0261ae6a08df84c645 /Swift | |
parent | b6b0695643f932827add43b9de0e09ed74eb6799 (diff) | |
download | swift-b2093a372874aefb4f56f66a70a96f78d6cbbaec.zip swift-b2093a372874aefb4f56f66a70a96f78d6cbbaec.tar.bz2 |
Add ability to limit SChannel to TLS 1.0
Some servers have very restrictive TLS stacks that respond badly
to a bug in the SChannel TLS implementation, meaning that TLS
has to be limited to 1.0.
Add ClientOptions.tlsOptions. This is a method of passing options into
the TLS stack. It's currently
only used for the TLS 1.0 workaround in SChannel, but we might reasonably
expose other options in the future, such as limiting cipher suites.
Disables use of SSLv3 for SChannel
Also updates the coding style in SchannelContext a bit.
Test-Information:
Compiles on both OS X and Windows(SChannel). OS X doesn't show the new
option. Windows shows it, and remembers it between logins. Not tested
against a server requiring 1.0 only, but a previous hack with the
same approach was tested.
Change-Id: I1e7854d43811fd173f21f98d4dc3915fc7a4b322
Diffstat (limited to 'Swift')
-rw-r--r-- | Swift/Controllers/MainController.cpp | 8 | ||||
-rw-r--r-- | Swift/QtUI/QtConnectionSettings.ui | 7 | ||||
-rw-r--r-- | Swift/QtUI/QtConnectionSettingsWindow.cpp | 8 |
3 files changed, 19 insertions, 4 deletions
diff --git a/Swift/Controllers/MainController.cpp b/Swift/Controllers/MainController.cpp
index 328d837..c6b6dfc 100644
--- a/Swift/Controllers/MainController.cpp
+++ b/Swift/Controllers/MainController.cpp
@@ -395,25 +395,25 @@ void MainController::handleConnected() {
 client_->getDiscoManager()->setCapsNode(CLIENT_NODE);
 client_->getDiscoManager()->setDiscoInfo(discoInfo);
 userSearchControllerChat_ = new UserSearchController(UserSearchController::StartChat, jid_, uiEventStream_, client_->getVCardManager(), uiFactory_, client_->getIQRouter(), rosterController_, contactSuggesterWithRoster_, client_->getAvatarManager(), client_->getPresenceOracle());
 userSearchControllerAdd_ = new UserSearchController(UserSearchController::AddContact, jid_, uiEventStream_, client_->getVCardManager(), uiFactory_, client_->getIQRouter(), rosterController_, contactSuggesterWithoutRoster_, client_->getAvatarManager(), client_->getPresenceOracle());
 adHocManager_ = new AdHocManager(JID(boundJID_.getDomain()), uiFactory_, client_->getIQRouter(), uiEventStream_, rosterController_->getWindow());
-
+
 chatsManager_->onImpromptuMUCServiceDiscovered.connect(boost::bind(&UserSearchController::setCanInitiateImpromptuMUC, userSearchControllerChat_, _1));
 }
 loginWindow_->setIsLoggingIn(false);
 client_->requestRoster();
 GetDiscoInfoRequest::ref discoInfoRequest = GetDiscoInfoRequest::create(JID(boundJID_.getDomain()), client_->getIQRouter());
 discoInfoRequest->onResponse.connect(boost::bind(&MainController::handleServerDiscoInfoResponse, this, _1, _2));
 discoInfoRequest->send();
 client_->getVCardManager()->requestOwnVCard();
-
+
 rosterController_->setJID(boundJID_);
 rosterController_->setEnabled(true);
 rosterController_->getWindow()->setStreamEncryptionStatus(client_->isStreamEncrypted());
 profileController_->setAvailable(true);
 contactEditController_->setAvailable(true);
 /* Send presence later to catch all the incoming presences. */
@@ -838,16 +838,17 @@ std::string MainController::serializeClientOptions(const ClientOptions& options)
 SERIALIZE_STRING(manualProxyHostname);
 SERIALIZE_INT(manualProxyPort);
 SERIALIZE_URL(boshURL);
 SERIALIZE_URL(boshHTTPConnectProxyURL);
 SERIALIZE_SAFE_STRING(boshHTTPConnectProxyAuthID);
 SERIALIZE_SAFE_STRING(boshHTTPConnectProxyAuthPassword);
+ SERIALIZE_BOOL(tlsOptions.schannelTLS1_0Workaround);
 return result;
 }
-#define CHECK_PARSE_LENGTH if (i >= segments.size()) {return result;}
+#define CHECK_PARSE_LENGTH if (i >= segments.size()) {return result;}
 #define PARSE_INT_RAW(defaultValue) CHECK_PARSE_LENGTH intVal = defaultValue; try {intVal = boost::lexical_cast<int>(segments[i]);} catch(const boost::bad_lexical_cast&) {};i++;
 #define PARSE_STRING_RAW CHECK_PARSE_LENGTH stringVal = byteArrayToString(Base64::decode(segments[i]));i++;
 #define PARSE_BOOL(option, defaultValue) PARSE_INT_RAW(defaultValue); result.option = (intVal == 1);
 #define PARSE_INT(option, defaultValue) PARSE_INT_RAW(defaultValue); result.option = intVal;
 #define PARSE_STRING(option) PARSE_STRING_RAW; result.option = stringVal;
@@ -885,11 +886,12 @@ ClientOptions MainController::parseClientOptions(const std::string& optionString
 PARSE_STRING(manualProxyHostname);
 PARSE_INT(manualProxyPort, -1);
 PARSE_URL(boshURL);
 PARSE_URL(boshHTTPConnectProxyURL);
 PARSE_SAFE_STRING(boshHTTPConnectProxyAuthID);
 PARSE_SAFE_STRING(boshHTTPConnectProxyAuthPassword);
+ PARSE_BOOL(tlsOptions.schannelTLS1_0Workaround, false);
 return result;
 }
 }
diff --git a/Swift/QtUI/QtConnectionSettings.ui b/Swift/QtUI/QtConnectionSettings.ui
index 2dc46d1..cce60fe 100644
--- a/Swift/QtUI/QtConnectionSettings.ui
+++ b/Swift/QtUI/QtConnectionSettings.ui
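Review bot: The serialized options string is positional, so `SERIALIZE_BOOL(tlsOptions.schannelTLS1_0Workaround);` here and `PARSE_BOOL(tlsOptions.schannelTLS1_0Workaround, false);` in the parseClientOptions hunk below must sit at the same index relative to every other option, and appending at the end is what keeps strings written by older builds readable, because CHECK_PARSE_LENGTH returns early once the segments run out. Nothing in the code records that rule; a comment above the first SERIALIZE_* line such as `// Positional format: append new options at the end and mirror the order in parseClientOptions().` would stop the next option from being inserted mid-list. The `false` default is the right one for a flag that lowers the negotiated TLS version (it keeps the workaround off when the segment is present but unparseable, and an early return leaves the ClientOptions default, which presumably is also off), and the comment could say so. The `-`/`+` pair on the CHECK_PARSE_LENGTH define shows no visible difference, so it looks like a whitespace-only change that could be left out of this patch. Both serializeClientOptions and parseClientOptions begin outside their hunks.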
@@ -133,12 +133,19 @@
 <property name="text">
 <string>Allow sending password over insecure connection</string>
 </property>
 </widget>
 </item>
 <item>
+ <widget class="QCheckBox" name="manual_forceTLS1_0">
+ <property name="text">
+ <string>Limit encryption to TLS 1.0</string>
+ </property>
+ </widget>
+ </item>
+ <item>
 <spacer name="verticalSpacer_2">
 <property name="orientation">
 <enum>Qt::Vertical</enum>
 </property>
 <property name="sizeType">
 <enum>QSizePolicy::Fixed</enum>
diff --git a/Swift/QtUI/QtConnectionSettingsWindow.cpp b/Swift/QtUI/QtConnectionSettingsWindow.cpp
index a3598fa..7b5003a 100644
--- a/Swift/QtUI/QtConnectionSettingsWindow.cpp
+++ b/Swift/QtUI/QtConnectionSettingsWindow.cpp
@@ -1,8 +1,8 @@
 /*
- * Copyright (c) 2012 Isode Limited.
+ * Copyright (c) 2012-2015 Isode Limited.
 * All rights reserved.
 * See the COPYING file for more information.
 */
 #include "Swift/QtUI/QtConnectionSettingsWindow.h"
@@ -64,12 +64,13 @@ QtConnectionSettingsWindow::QtConnectionSettingsWindow(const ClientOptions& opti
 isDefault &= options.useAcks == defaults.useAcks;
 isDefault &= options.manualHostname == defaults.manualHostname;
 isDefault &= options.manualPort == defaults.manualPort;
 isDefault &= options.proxyType == defaults.proxyType;
 isDefault &= options.manualProxyHostname == defaults.manualProxyHostname;
 isDefault &= options.manualProxyPort == defaults.manualProxyPort;
+ isDefault &= options.tlsOptions.schannelTLS1_0Workaround == defaults.tlsOptions.schannelTLS1_0Workaround;
 if (isDefault) {
 ui.connectionMethod->setCurrentIndex(0);
 } else {
 ui.connectionMethod->setCurrentIndex(1);
 ui.manual_useTLS->setCurrentIndex(options.useTLS);
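Review bot: The new checkbox label `Limit encryption to TLS 1.0` reads as a neutral preference, yet according to the commit message it exists only to work around an SChannel bug with some servers, and ticking it lowers the protocol version the client will negotiate. Nothing in the dialog tells the user that; adding a tooltip to the widget, `<property name="toolTip"><string>Workaround for servers that fail with the Windows TLS stack; this weakens encryption, so leave it off unless required</string></property>`, would make the trade-off visible where the choice is made. Extending the label itself, e.g. `Limit encryption to TLS 1.0 (server compatibility workaround)`, would also reach users whose assistive tools skip tooltips.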
@@ -85,24 +86,28 @@ QtConnectionSettingsWindow::QtConnectionSettingsWindow(const ClientOptions& opti
 ui.manual_proxyType->setCurrentIndex(options.proxyType);
 if (!options.manualProxyHostname.empty()) {
 ui.manual_manualProxy->setChecked(true);
 ui.manual_manualProxyHost->setText(P2QSTRING(options.manualProxyHostname));
 ui.manual_manualProxyPort->setText(P2QSTRING(boost::lexical_cast<std::string>(options.manualProxyPort)));
 }
+ ui.manual_forceTLS1_0->setChecked(options.tlsOptions.schannelTLS1_0Workaround);
 }
 } else {
 ui.connectionMethod->setCurrentIndex(2);
 ui.bosh_uri->setText(P2QSTRING(options.boshURL.toString()));
 if (!options.boshHTTPConnectProxyURL.isEmpty()) {
 ui.bosh_manualProxy->setChecked(true);
 ui.bosh_manualProxyHost->setText(P2QSTRING(options.boshHTTPConnectProxyURL.getHost()));
 if (options.boshHTTPConnectProxyURL.getPort()) {
 ui.bosh_manualProxyPort->setText(P2QSTRING(boost::lexical_cast<std::string>(*options.boshHTTPConnectProxyURL.getPort())));
 }
 }
 }
+#ifndef HAVE_SCHANNEL
+ ui.manual_forceTLS1_0->hide();
+#endif
 }
 void QtConnectionSettingsWindow::handleProxyTypeChanged(int index) {
 bool proxySettingsVisible = index != NoProxy && index != SystemProxy;
 ui.manual_manualProxy->setVisible(proxySettingsVisible);
 ui.manual_manualProxyHostLabel->setVisible(proxySettingsVisible);
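Review bot: `ui.manual_forceTLS1_0->hide()` under `#ifndef HAVE_SCHANNEL` only hides the control; the `setChecked(options.tlsOptions.schannelTLS1_0Workaround)` call earlier in this hunk still loads a stored value into it, and getOptions() in the hunk below still reads it back, so a TLS 1.0 downgrade flag written by an SChannel build round-trips unchanged through a build whose TLS stack ignores it. If that persistence is intended, say so next to the hide, e.g. `// Only SChannel honours this flag; hide the control on other backends but keep the stored value so a profile written on Windows survives a round trip.`; if it is not, wrap the read in getOptions() in the same `#ifdef HAVE_SCHANNEL` so a build that never showed the option never persists a downgrade setting either. I am assuming HAVE_SCHANNEL is a build-level definition visible in this translation unit, since the diff adds no include for it; if it comes from a header, a missing include would hide the box on Windows as well. The constructor begins before this hunk.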
@@ -126,12 +131,13 @@ ClientOptions QtConnectionSettingsWindow::getOptions() {
 /* Not automatic */
 if (ui.connectionMethod->currentIndex() == 1) {
 /* Manual */
 options.useTLS = static_cast<ClientOptions::UseTLS>(ui.manual_useTLS->currentIndex());
 options.useStreamCompression = ui.manual_allowCompression->isChecked();
 options.allowPLAINWithoutTLS = ui.manual_allowPLAINWithoutTLS->isChecked();
+ options.tlsOptions.schannelTLS1_0Workaround = ui.manual_forceTLS1_0->isChecked();
 if (ui.manual_manualHost->isChecked()) {
 options.manualHostname = Q2PSTRING(ui.manual_manualHostName->text());
 try {
 options.manualPort = boost::lexical_cast<int>(Q2PSTRING(ui.manual_manualHostPort->text()));
 } catch (const boost::bad_lexical_cast&) {
 options.manualPort = -1;