Swiftdiff options
| author | Tobias Markmann <tm@ayena.de> | 2017-03-19 16:27:06 (GMT) |
|---|---|---|
| committer | Tobias Markmann <tm@ayena.de> | 2017-04-04 09:14:16 (GMT) |
| commit | ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d (patch) | |
| tree | bc655727b49d9308f220574c89aa9911fc30ed92 /Swiften/Client/ClientSession.cpp | |
| parent | 38f35935581b826940a10246b0a624c643dccc2e (diff) | |
| download | swift-ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d.zip swift-ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d.tar.bz2 | |
Verify certificates for HTTPS BOSH connections
Test-Information:
Tested against a BOSH server with a valid HTTPS certificate
and against a BOSH server with an expired HTTPS certificate.
Tested on macOS 10.12.3 with Qt 5.5.1.
Change-Id: I9989389b271961fc4d66db56198b32715af52ae7
Diffstat (limited to 'Swiften/Client/ClientSession.cpp')
| -rw-r--r-- | Swiften/Client/ClientSession.cpp | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp index bcfb004..661a832 100644 --- a/Swiften/Client/ClientSession.cpp +++ b/Swiften/Client/ClientSession.cpp @@ -18,60 +18,62 @@ #include <Swiften/Crypto/CryptoProvider.h> #include <Swiften/Elements/AuthChallenge.h> #include <Swiften/Elements/AuthFailure.h> #include <Swiften/Elements/AuthRequest.h> #include <Swiften/Elements/AuthResponse.h> #include <Swiften/Elements/AuthSuccess.h> #include <Swiften/Elements/CompressFailure.h> #include <Swiften/Elements/CompressRequest.h> #include <Swiften/Elements/Compressed.h> #include <Swiften/Elements/EnableStreamManagement.h> #include <Swiften/Elements/IQ.h> #include <Swiften/Elements/ProtocolHeader.h> #include <Swiften/Elements/ResourceBind.h> #include <Swiften/Elements/StanzaAck.h> #include <Swiften/Elements/StanzaAckRequest.h> #include <Swiften/Elements/StartSession.h> #include <Swiften/Elements/StartTLSFailure.h> #include <Swiften/Elements/StartTLSRequest.h> #include <Swiften/Elements/StreamError.h> #include <Swiften/Elements/StreamFeatures.h> #include <Swiften/Elements/StreamManagementEnabled.h> #include <Swiften/Elements/StreamManagementFailed.h> #include <Swiften/Elements/TLSProceed.h> #include <Swiften/Network/Timer.h> #include <Swiften/Network/TimerFactory.h> #include <Swiften/SASL/DIGESTMD5ClientAuthenticator.h> #include <Swiften/SASL/EXTERNALClientAuthenticator.h> #include <Swiften/SASL/PLAINClientAuthenticator.h> #include <Swiften/SASL/SCRAMSHA1ClientAuthenticator.h> #include <Swiften/Session/SessionStream.h> +#include <Swiften/Session/BasicSessionStream.h> +#include <Swiften/Session/BOSHSessionStream.h> #include <Swiften/StreamManagement/StanzaAckRequester.h> #include <Swiften/StreamManagement/StanzaAckResponder.h> #include <Swiften/TLS/CertificateTrustChecker.h> #include <Swiften/TLS/ServerIdentityVerifier.h> #ifdef SWIFTEN_PLATFORM_WIN32 #include <Swiften/Base/WindowsRegistry.h> #include <Swiften/SASL/WindowsGSSAPIClientAuthenticator.h> #endif #define CHECK_STATE_OR_RETURN(a) \ if (!checkState(a)) { return; } namespace Swift { ClientSession::ClientSession( const JID& jid, std::shared_ptr<SessionStream> stream, IDNConverter* idnConverter, CryptoProvider* crypto, TimerFactory* timerFactory) : localJID(jid), state(State::Initial), stream(stream), idnConverter(idnConverter), crypto(crypto), timerFactory(timerFactory), allowPLAINOverNonTLS(false), useStreamCompression(true), useTLS(UseTLSWhenAvailable), @@ -403,167 +405,173 @@ void ClientSession::continueSessionInitialization() { state = State::EnablingSessionManagement; stream->writeElement(std::make_shared<EnableStreamManagement>()); } else if (needSessionStart) { state = State::StartingSession; sendStanza(IQ::createRequest(IQ::Set, JID(), "session-start", std::make_shared<StartSession>())); } else { state = State::Initialized; onInitialized(); } } bool ClientSession::checkState(State state) { if (this->state != state) { finishSession(Error::UnexpectedElementError); return false; } return true; } void ClientSession::sendCredentials(const SafeByteArray& password) { assert(state == State::WaitingForCredentials); assert(authenticator); state = State::Authenticating; authenticator->setCredentials(localJID.getNode(), password); stream->writeElement(std::make_shared<AuthRequest>(authenticator->getName(), authenticator->getResponse())); } void ClientSession::handleTLSEncrypted() { - CHECK_STATE_OR_RETURN(State::Encrypting); + if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) { + CHECK_STATE_OR_RETURN(State::Encrypting); + } std::vector<Certificate::ref> certificateChain = stream->getPeerCertificateChain(); std::shared_ptr<CertificateVerificationError> verificationError = stream->getPeerCertificateVerificationError(); if (verificationError) { checkTrustOrFinish(certificateChain, verificationError); } else { ServerIdentityVerifier identityVerifier(localJID, idnConverter); if (!certificateChain.empty() && identityVerifier.certificateVerifies(certificateChain[0])) { continueAfterTLSEncrypted(); } else { checkTrustOrFinish(certificateChain, std::make_shared<CertificateVerificationError>(CertificateVerificationError::InvalidServerIdentity)); } } } void ClientSession::checkTrustOrFinish(const std::vector<Certificate::ref>& certificateChain, std::shared_ptr<CertificateVerificationError> error) { if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificateChain)) { - continueAfterTLSEncrypted(); + if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) { + continueAfterTLSEncrypted(); + } } else { finishSession(error); } } void ClientSession::initiateShutdown(bool sendFooter) { if (!streamShutdownTimeout) { streamShutdownTimeout = timerFactory->createTimer(sessionShutdownTimeoutInMilliseconds); streamShutdownTimeout->onTick.connect(boost::bind(&ClientSession::handleStreamShutdownTimeout, shared_from_this())); streamShutdownTimeout->start(); } if (sendFooter) { stream->writeFooter(); } if (state == State::Finishing) { // The other side already send </stream>; we can close the socket. stream->close(); } else { state = State::Finishing; } } void ClientSession::continueAfterTLSEncrypted() { - state = State::WaitingForStreamStart; - stream->resetXMPPParser(); - sendStreamHeader(); + if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) { + state = State::WaitingForStreamStart; + stream->resetXMPPParser(); + sendStreamHeader(); + } } void ClientSession::handleStreamClosed(std::shared_ptr<Swift::Error> streamError) { State previousState = state; state = State::Finished; if (streamShutdownTimeout) { streamShutdownTimeout->stop(); streamShutdownTimeout.reset(); } if (stanzaAckRequester_) { stanzaAckRequester_->onRequestAck.disconnect(boost::bind(&ClientSession::requestAck, shared_from_this())); stanzaAckRequester_->onStanzaAcked.disconnect(boost::bind(&ClientSession::handleStanzaAcked, shared_from_this(), _1)); stanzaAckRequester_.reset(); } if (stanzaAckResponder_) { stanzaAckResponder_->onAck.disconnect(boost::bind(&ClientSession::ack, shared_from_this(), _1)); stanzaAckResponder_.reset(); } stream->setWhitespacePingEnabled(false); stream->onStreamStartReceived.disconnect(boost::bind(&ClientSession::handleStreamStart, shared_from_this(), _1)); stream->onStreamEndReceived.disconnect(boost::bind(&ClientSession::handleStreamEnd, shared_from_this())); stream->onElementReceived.disconnect(boost::bind(&ClientSession::handleElement, shared_from_this(), _1)); stream->onClosed.disconnect(boost::bind(&ClientSession::handleStreamClosed, shared_from_this(), _1)); stream->onTLSEncrypted.disconnect(boost::bind(&ClientSession::handleTLSEncrypted, shared_from_this())); if (previousState == State::Finishing) { onFinished(error_); } else { onFinished(streamError); } } void ClientSession::handleStreamShutdownTimeout() { handleStreamClosed(std::shared_ptr<Swift::Error>()); } void ClientSession::finish() { if (state != State::Finishing && state != State::Finished) { finishSession(std::shared_ptr<Error>()); } else { SWIFT_LOG(warning) << "Session already finished or finishing." << std::endl; } } void ClientSession::finishSession(Error::Type error) { finishSession(std::make_shared<Swift::ClientSession::Error>(error)); } void ClientSession::finishSession(std::shared_ptr<Swift::Error> error) { if (!error_) { error_ = error; } else { - SWIFT_LOG(warning) << "Session finished twice"; + SWIFT_LOG(warning) << "Session finished twice" << std::endl; } assert(stream->isOpen()); if (stanzaAckResponder_) { stanzaAckResponder_->handleAckRequestReceived(); } if (authenticator) { delete authenticator; authenticator = nullptr; } // Immidiately close TCP connection without stream closure. if (std::dynamic_pointer_cast<CertificateVerificationError>(error)) { state = State::Finishing; initiateShutdown(false); } else { if (state == State::Finishing) { initiateShutdown(true); } else if (state != State::Finished) { initiateShutdown(true); } } } void ClientSession::requestAck() { stream->writeElement(std::make_shared<StanzaAckRequest>()); } void ClientSession::handleStanzaAcked(std::shared_ptr<Stanza> stanza) { onStanzaAcked(stanza); |