authorRemko Tronçon <git@el-tramo.be>2010-05-08 17:01:12 (GMT)
committerRemko Tronçon <git@el-tramo.be>2010-05-08 17:01:12 (GMT)
commiteb6a3e659254de70b7c45627e7e0f4f53b737d04 (patch)
tree09152371318a66feb4e8b0c936255bab17b74a91 /Swiften/Client
parentd233ec7a863fb0b9a6f20ea0aa52c7c0ea38e2fd (diff)
Don't allow PLAIN over Non-TLS.
Diffstat (limited to 'Swiften/Client')
-rw-r--r--Swiften/Client/ClientSession.cpp11
-rw-r--r--Swiften/Client/ClientSession.h5
-rw-r--r--Swiften/Client/UnitTest/ClientSessionTest.cpp18
3 files changed, 29 insertions, 5 deletions
diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp
index a255cef..5e2cd84 100644
--- a/Swiften/Client/ClientSession.cpp
+++ b/Swiften/Client/ClientSession.cpp
@@ -40,6 +40,7 @@ ClientSession::ClientSession(
localJID(jid),
state(Initial),
stream(stream),
+ allowPLAINOverNonTLS(false),
needSessionStart(false),
authenticator(NULL) {
}
@@ -108,6 +109,11 @@ void ClientSession::handleElement(boost::shared_ptr<Element> element) {
state = WaitingForCredentials;
onNeedCredentials();
}
+ else if ((stream->isTLSEncrypted() || allowPLAINOverNonTLS) && streamFeatures->hasAuthenticationMechanism("PLAIN")) {
+ authenticator = new PLAINClientAuthenticator();
+ state = WaitingForCredentials;
+ onNeedCredentials();
+ }
else if (streamFeatures->hasAuthenticationMechanism("DIGEST-MD5")) {
std::ostringstream s;
s << boost::uuids::random_generator()();
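Review bot: The new `else if ((stream->isTLSEncrypted() || allowPLAINOverNonTLS) && streamFeatures->hasAuthenticationMechanism("PLAIN"))` branch sits above the DIGEST-MD5 branch, so on a TLS stream PLAIN is now chosen even when the server also offers DIGEST-MD5 — the reverse of the previous order, and not mentioned in the commit message. If that preference is deliberate (PLAIN under TLS is generally the recommended choice and sidesteps the weaker MD5-based mechanism), record it at the branch: `// Under TLS, prefer PLAIN over DIGEST-MD5; without TLS, PLAIN is used only when explicitly allowed, because it sends the password in the clear.` Note also that isTLSEncrypted() presumably reports only that the channel is encrypted, not that the server certificate was verified; if a stream with an untrusted certificate can reach this point, the cleartext password goes to whoever terminated the TLS session, so the gate may need to take certificate validity into account as well — confirm against SessionStream. handleElement begins before and ends after this hunk.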
@@ -116,11 +122,6 @@ void ClientSession::handleElement(boost::shared_ptr<Element> element) {
state = WaitingForCredentials;
onNeedCredentials();
}
- else if (streamFeatures->hasAuthenticationMechanism("PLAIN")) {
- authenticator = new PLAINClientAuthenticator();
- state = WaitingForCredentials;
- onNeedCredentials();
- }
else {
finishSession(Error::NoSupportedAuthMechanismsError);
}
diff --git a/Swiften/Client/ClientSession.h b/Swiften/Client/ClientSession.h
index fa52706..37f8bea 100644
--- a/Swiften/Client/ClientSession.h
+++ b/Swiften/Client/ClientSession.h
@@ -61,6 +61,10 @@ namespace Swift {
return state;
}
+ void setAllowPLAINOverNonTLS(bool b) {
+ allowPLAINOverNonTLS = b;
+ }
+
void start();
void finish();
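Review bot: `setAllowPLAINOverNonTLS` is a security-relevant switch with no documentation of its default or its consequences. Suggest a comment above it: `/// Allow the PLAIN SASL mechanism on a stream that is not TLS-encrypted. Defaults to false; enabling it exposes the password in cleartext to anyone on the path, so reserve it for tests or trusted local links.` Since the flag is only consulted when the stream features are processed in handleElement, it should presumably be set before start(); stating that in the same comment would save callers a surprise.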
@@ -100,6 +104,7 @@ namespace Swift {
JID localJID;
State state;
boost::shared_ptr<SessionStream> stream;
+ bool allowPLAINOverNonTLS;
bool needSessionStart;
ClientAuthenticator* authenticator;
};
diff --git a/Swiften/Client/UnitTest/ClientSessionTest.cpp b/Swiften/Client/UnitTest/ClientSessionTest.cpp
index 8e0a85d..180eab8 100644
--- a/Swiften/Client/UnitTest/ClientSessionTest.cpp
+++ b/Swiften/Client/UnitTest/ClientSessionTest.cpp
@@ -138,6 +138,19 @@ class ClientSessionTest : public CppUnit::TestFixture {
CPPUNIT_ASSERT(sessionFinishedError);
}
+ void testAuthenticate_PLAINOverNonTLS() {
+ boost::shared_ptr<ClientSession> session(createSession());
+ session->setAllowPLAINOverNonTLS(false);
+ session->start();
+ server->receiveStreamStart();
+ server->sendStreamStart();
+ server->sendStreamFeaturesWithPLAINAuthentication();
+
+ CPPUNIT_ASSERT_EQUAL(ClientSession::Finished, session->getState());
+ CPPUNIT_ASSERT(sessionFinishedReceived);
+ CPPUNIT_ASSERT(sessionFinishedError);
+ }
+
void testAuthenticate_NoValidAuthMechanisms() {
boost::shared_ptr<ClientSession> session(createSession());
session->start();
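Review bot: testAuthenticate_PLAINOverNonTLS only checks that the session finishes with an error; it does not assert that no credentials were requested, so a regression that still constructed the PLAINClientAuthenticator before failing would pass. If the fixture records the onNeedCredentials callback (handleSessionNeedCredentials is connected in createSession), add an assertion on that flag after the error checks. There is also no positive counterpart: a test that enables TLS on the mock stream (addTLSEncryption sets tlsEncrypted) with allowPLAINOverNonTLS left false and checks that PLAIN is then accepted, nor one showing that DIGEST-MD5 is selected on a non-TLS stream when both mechanisms are offered. Whether the new test is registered in the CPPUNIT_TEST list is outside this hunk.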
@@ -155,6 +168,7 @@ class ClientSessionTest : public CppUnit::TestFixture {
boost::shared_ptr<ClientSession> session = ClientSession::create(JID("me@foo.com"), server);
session->onFinished.connect(boost::bind(&ClientSessionTest::handleSessionFinished, this, _1));
session->onNeedCredentials.connect(boost::bind(&ClientSessionTest::handleSessionNeedCredentials, this));
+ session->setAllowPLAINOverNonTLS(true);
return session;
}
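Review bot: Setting `session->setAllowPLAINOverNonTLS(true)` in the shared fixture means every other session test runs with the insecure override on, so the production default (false, per the constructor) is exercised only by the one test that flips it back. Consider keeping the default and instead having the tests that need PLAIN negotiate TLS on the mock stream, which also covers the isTLSEncrypted() path. At minimum, add a comment here so the intent is clear: `// The mock stream is not TLS-encrypted; permit PLAIN so the existing authentication tests still negotiate.`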
@@ -206,6 +220,10 @@ class ClientSessionTest : public CppUnit::TestFixture {
tlsEncrypted = true;
}
+ virtual bool isTLSEncrypted() {
+ return tlsEncrypted;
+ }
+
virtual void addZLibCompression() {
compressed = true;
}