Add support for client certificate authentication in BOSH

This allows to authenticate using SASL EXTERNAL over BOSH using a client TLS certificate for the HTTPS connection of the BOSH channel. The implementation also enforces the HTTPS server certificate of subsequent BOSH connections not to change. This commit also removes TLSConnection and TLSConnectionFactory as no code is using them. Test-Information: Tested against M-Link 16.3v6-0 on Debian 7.9 and Swift on OS X 10.10.5. Verified working client certificate authentication. Verified Swift not falling back to password-based authentication, in case EXTERNAL is not allowed by the server over BOSH or the client certificate is invalid. Change-Id: Ia96bcac27cac9fc9261ed847c82c6328307bfbd1
author: Tobias Markmann <tm@ayena.de> 2015-10-19 14:23:42 (GMT)
committer: Swift Review <review@swift.im> 2015-11-10 18:28:39 (GMT)
commit: ab651834c9088e34e6e66eb105e0fb855f1572c4 (patch)
tree: 611d434fedcb69f6698af9dc4696e59fba9d97b7 /Swiften/Network/BOSHConnection.h
parent: 9b090062d0270d556c9253e0ddf767d7c5bbadbf (diff)
download: swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.zip
swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.tar.bz2
1 files changed, 38 insertions, 20 deletions
diff --git a/Swiften/Network/BOSHConnection.h b/Swiften/Network/BOSHConnection.h
index 65d179a..da43e71 100644
--- a/Swiften/Network/BOSHConnection.h
+++ b/Swiften/Network/BOSHConnection.h
@@ -1,108 +1,126 @@
 /*
  * Copyright (c) 2011 Thilo Cestonaro
  * Licensed under the simplified BSD license.
  * See Documentation/Licenses/BSD-simplified.txt for more information.
  */
 
 /*
- * Copyright (c) 2011 Isode Limited.
+ * Copyright (c) 2011-2015 Isode Limited.
  * All rights reserved.
  * See the COPYING file for more information.
  */
 
 
 #pragma once
 
 #include <boost/enable_shared_from_this.hpp>
 
 #include <Swiften/Base/API.h>
+#include <Swiften/Base/Error.h>
+#include <Swiften/Base/String.h>
+#include <Swiften/Base/URL.h>
 #include <Swiften/Network/Connection.h>
 #include <Swiften/Network/Connector.h>
 #include <Swiften/Network/HostAddressPort.h>
-#include <Swiften/Base/String.h>
-#include <Swiften/Base/URL.h>
-#include <Swiften/Base/Error.h>
 #include <Swiften/Session/SessionStream.h>
+#include <Swiften/TLS/TLSError.h>
 
 namespace boost {
 	class thread;
 	namespace system {
 		class error_code;
 	}
 }
 
 class BOSHConnectionTest;
 
 namespace Swift {
 	class XMLParserFactory;
 	class TLSContextFactory;
+	class TLSLayer;
+	struct TLSOptions;
+	class HighLayer;
 
-		class SWIFTEN_API BOSHError : public SessionStream::SessionStreamError {
-				public:
-					enum Type {BadRequest, HostGone, HostUnknown, ImproperAddressing, 
-						  InternalServerError, ItemNotFound, OtherRequest, PolicyViolation, 
-						  RemoteConnectionFailed, RemoteStreamError, SeeOtherURI, SystemShutdown, UndefinedCondition,
-						  NoError};
-					BOSHError(Type type) : SessionStream::SessionStreamError(SessionStream::SessionStreamError::ConnectionReadError), type(type) {}
-					Type getType() {return type;}
-					typedef boost::shared_ptr<BOSHError> ref;
-				private:
-					Type type;
-					
-			};
+	class SWIFTEN_API BOSHError : public SessionStream::SessionStreamError {
+		public:
+			enum Type {
+				BadRequest, HostGone, HostUnknown, ImproperAddressing,
+				InternalServerError, ItemNotFound, OtherRequest, PolicyViolation,
+				RemoteConnectionFailed, RemoteStreamError, SeeOtherURI, SystemShutdown, UndefinedCondition,
+				NoError};
 
+			BOSHError(Type type) : SessionStream::SessionStreamError(SessionStream::SessionStreamError::ConnectionReadError), type(type) {}
+			Type getType() {return type;}
+			typedef boost::shared_ptr<BOSHError> ref;
+
+		private:
+			Type type;
+	};
 
 	class SWIFTEN_API BOSHConnection : public boost::enable_shared_from_this<BOSHConnection> {
 		public:
 			typedef boost::shared_ptr<BOSHConnection> ref;
-			static ref create(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory) {
-				return ref(new BOSHConnection(boshURL, connector, parserFactory));
+			static ref create(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory, TLSContextFactory* tlsContextFactory, const TLSOptions& tlsOptions) {
+				return ref(new BOSHConnection(boshURL, connector, parserFactory, tlsContextFactory, tlsOptions));
 			}
 			virtual ~BOSHConnection();
 			virtual void connect();
 			virtual void disconnect();
 			virtual void write(const SafeByteArray& data);
 
 			const std::string& getSID();
 			void setRID(unsigned long long rid);
 			void setSID(const std::string& sid);
 			void startStream(const std::string& to, unsigned long long rid);
 			void terminateStream();
 			bool isReadyToSend();
 			void restartStream();
 
+			bool setClientCertificate(CertificateWithKey::ref cert);
+			Certificate::ref getPeerCertificate() const;
+			std::vector<Certificate::ref> getPeerCertificateChain() const;
+			CertificateVerificationError::ref getPeerCertificateVerificationError() const;
 
 			boost::signal<void (bool /* error */)> onConnectFinished;
 			boost::signal<void (bool /* error */)> onDisconnected;
 			boost::signal<void (BOSHError::ref)> onSessionTerminated;
 			boost::signal<void (const std::string& /*sid*/, size_t /*requests*/)> onSessionStarted;
 			boost::signal<void (const SafeByteArray&)> onXMPPDataRead;
 			boost::signal<void (const SafeByteArray&)> onBOSHDataRead;
 			boost::signal<void (const SafeByteArray&)> onBOSHDataWritten;
 			boost::signal<void (const std::string&)> onHTTPError;
 
 		private:
 			friend class ::BOSHConnectionTest;
 
-			BOSHConnection(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory);
+			BOSHConnection(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory, TLSContextFactory* tlsContextFactory, const TLSOptions& tlsOptions);
 
 			static std::pair<SafeByteArray, size_t> createHTTPRequest(const SafeByteArray& data, bool streamRestart, bool terminate, unsigned long long rid, const std::string& sid, const URL& boshURL);
 			void handleConnectFinished(Connection::ref);
 			void handleDataRead(boost::shared_ptr<SafeByteArray> data);
 			void handleDisconnected(const boost::optional<Connection::Error>& error);
 			void write(const SafeByteArray& data, bool streamRestart, bool terminate); /* FIXME: refactor */
 			BOSHError::Type parseTerminationCondition(const std::string& text);
 			void cancelConnector();
 
+			void handleTLSConnected();
+			void handleTLSApplicationDataRead(const SafeByteArray& data);
+			void handleTLSNetowrkDataWriteRequest(const SafeByteArray& data);
+			void handleRawDataRead(boost::shared_ptr<SafeByteArray> data);
+			void handleTLSError(boost::shared_ptr<TLSError> error);
+			void writeData(const SafeByteArray& data);
+
 			URL boshURL_;
 			Connector::ref connector_;
 			XMLParserFactory* parserFactory_;
 			boost::shared_ptr<Connection> connection_;
+			boost::shared_ptr<HighLayer> dummyLayer_;
+			boost::shared_ptr<TLSLayer> tlsLayer_;
 			std::string sid_;
 			bool waitingForStartResponse_;
 			unsigned long long rid_;
 			SafeByteArray buffer_;
 			bool pending_;
 			bool connectionReady_;
 	};
 }
author	Tobias Markmann <tm@ayena.de>	2015-10-19 14:23:42 (GMT)
committer	Swift Review <review@swift.im>	2015-11-10 18:28:39 (GMT)
commit	ab651834c9088e34e6e66eb105e0fb855f1572c4 (patch)
tree	611d434fedcb69f6698af9dc4696e59fba9d97b7 /Swiften/Network/BOSHConnection.h
parent	9b090062d0270d556c9253e0ddf767d7c5bbadbf (diff)
download	swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.zip swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.tar.bz2