authorTobias Markmann <tm@ayena.de>2017-03-19 16:27:06 (GMT)
committerTobias Markmann <tm@ayena.de>2017-04-04 09:14:16 (GMT)
commitad66cc53f7e7ce860aee5b71b871a0ae9f8d357d (patch)
treebc655727b49d9308f220574c89aa9911fc30ed92 /Swiften/Client
parent38f35935581b826940a10246b0a624c643dccc2e (diff)
downloadswift-ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d.zip
swift-ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d.tar.bz2
Verify certificates for HTTPS BOSH connections
Test-Information: Tested against a BOSH server with a valid HTTPS certificate and against a BOSH server with an expired HTTPS certificate. Tested on macOS 10.12.3 with Qt 5.5.1. Change-Id: I9989389b271961fc4d66db56198b32715af52ae7
Diffstat (limited to 'Swiften/Client')
-rw-r--r--Swiften/Client/ClientSession.cpp20
1 files changed, 14 insertions, 6 deletions
diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp
index bcfb004..661a832 100644
--- a/Swiften/Client/ClientSession.cpp
+++ b/Swiften/Client/ClientSession.cpp
@@ -45,6 +45,8 @@
#include <Swiften/SASL/PLAINClientAuthenticator.h>
#include <Swiften/SASL/SCRAMSHA1ClientAuthenticator.h>
#include <Swiften/Session/SessionStream.h>
+#include <Swiften/Session/BasicSessionStream.h>
+#include <Swiften/Session/BOSHSessionStream.h>
#include <Swiften/StreamManagement/StanzaAckRequester.h>
#include <Swiften/StreamManagement/StanzaAckResponder.h>
#include <Swiften/TLS/CertificateTrustChecker.h>
@@ -430,7 +432,9 @@ void ClientSession::sendCredentials(const SafeByteArray& password) {
}
void ClientSession::handleTLSEncrypted() {
- CHECK_STATE_OR_RETURN(State::Encrypting);
+ if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) {
+ CHECK_STATE_OR_RETURN(State::Encrypting);
+ }
std::vector<Certificate::ref> certificateChain = stream->getPeerCertificateChain();
std::shared_ptr<CertificateVerificationError> verificationError = stream->getPeerCertificateVerificationError();
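Review bot: For a BOSH stream the state guard in handleTLSEncrypted is now skipped altogether, so the handler runs in any session state, including after the session has already finished. If the certificate is rejected on such a late call, checkTrustOrFinish reaches `finishSession(error)`, which in the last hunk logs "Session finished twice" and then hits `assert(stream->isOpen())`; whether a BOSH stream can already be closed by then is not visible here. I would keep a narrower guard for the BOSH case rather than none, e.g. `if (state == State::Finished) { return; }` ahead of the certificate lookup, assuming that enum value is the terminal state. The body of handleTLSEncrypted continues outside the hunk.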
@@ -450,7 +454,9 @@ void ClientSession::handleTLSEncrypted() {
void ClientSession::checkTrustOrFinish(const std::vector<Certificate::ref>& certificateChain, std::shared_ptr<CertificateVerificationError> error) {
if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificateChain)) {
- continueAfterTLSEncrypted();
+ if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) {
+ continueAfterTLSEncrypted();
+ }
}
else {
finishSession(error);
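Review bot: Nothing in checkTrustOrFinish makes a BOSH session wait for this result: when the chain is trusted the BOSH branch does nothing, so the session evidently advances independently of the check, and a rejection only tears it down afterwards through `finishSession(error)`. If BOSHSessionStream can write a request body before this handler has run, stream data or credentials could go out over a connection whose certificate has not been accepted yet; this is inferred and should be confirmed in BOSHSessionStream, which is not part of this diff. A comment at the BOSH branch stating the ordering guarantee would help, e.g. `// BOSH: no HTTP request is sent before the peer certificate has been accepted (see BOSHSessionStream)`, if that is indeed the guarantee. The else branch of the function continues outside the hunk.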
@@ -476,9 +482,11 @@ void ClientSession::initiateShutdown(bool sendFooter) {
}
void ClientSession::continueAfterTLSEncrypted() {
- state = State::WaitingForStreamStart;
- stream->resetXMPPParser();
- sendStreamHeader();
+ if (!std::dynamic_pointer_cast<BOSHSessionStream>(stream)) {
+ state = State::WaitingForStreamStart;
+ stream->resetXMPPParser();
+ sendStreamHeader();
+ }
}
void ClientSession::handleStreamClosed(std::shared_ptr<Swift::Error> streamError) {
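Review bot: The `std::dynamic_pointer_cast<BOSHSessionStream>(stream)` test is now written three times (here, in handleTLSEncrypted and in checkTrustOrFinish), and the one in checkTrustOrFinish is redundant because continueAfterTLSEncrypted already returns without effect for BOSH. A single private helper, `bool isBOSHStream() const { return std::dynamic_pointer_cast<BOSHSessionStream>(stream) != nullptr; }`, would keep the three sites in step and make a later change to the BOSH handling harder to apply to only some of them. continueAfterTLSEncrypted silently doing nothing for one stream type also deserves a comment, for example `// BOSH: TLS is handled by the HTTP transport, so the XMPP stream is not restarted here`; that rationale is my reading of the change and should be checked by the author.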
@@ -536,7 +544,7 @@ void ClientSession::finishSession(std::shared_ptr<Swift::Error> error) {
error_ = error;
}
else {
- SWIFT_LOG(warning) << "Session finished twice";
+ SWIFT_LOG(warning) << "Session finished twice" << std::endl;
}
assert(stream->isOpen());
if (stanzaAckResponder_) {