Swiftdiff options
| author | Tobias Markmann <tm@ayena.de> | 2015-10-19 14:23:42 (GMT) |
|---|---|---|
| committer | Swift Review <review@swift.im> | 2015-11-10 18:28:39 (GMT) |
| commit | ab651834c9088e34e6e66eb105e0fb855f1572c4 (patch) | |
| tree | 611d434fedcb69f6698af9dc4696e59fba9d97b7 /Swiften/Network/BOSHConnection.h | |
| parent | 9b090062d0270d556c9253e0ddf767d7c5bbadbf (diff) | |
| download | swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.zip swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.tar.bz2 | |
Add support for client certificate authentication in BOSH
This allows to authenticate using SASL EXTERNAL over BOSH
using a client TLS certificate for the HTTPS connection of
the BOSH channel.
The implementation also enforces the HTTPS server certificate
of subsequent BOSH connections not to change.
This commit also removes TLSConnection and TLSConnectionFactory
as no code is using them.
Test-Information:
Tested against M-Link 16.3v6-0 on Debian 7.9 and Swift on
OS X 10.10.5. Verified working client certificate authentication.
Verified Swift not falling back to password-based authentication,
in case EXTERNAL is not allowed by the server over BOSH or
the client certificate is invalid.
Change-Id: Ia96bcac27cac9fc9261ed847c82c6328307bfbd1
Diffstat (limited to 'Swiften/Network/BOSHConnection.h')
| -rw-r--r-- | Swiften/Network/BOSHConnection.h | 58 |
1 files changed, 38 insertions, 20 deletions
diff --git a/Swiften/Network/BOSHConnection.h b/Swiften/Network/BOSHConnection.h index 65d179a..da43e71 100644 --- a/Swiften/Network/BOSHConnection.h +++ b/Swiften/Network/BOSHConnection.h @@ -5,7 +5,7 @@ */ /* - * Copyright (c) 2011 Isode Limited. + * Copyright (c) 2011-2015 Isode Limited. * All rights reserved. * See the COPYING file for more information. */ @@ -16,13 +16,14 @@ #include <boost/enable_shared_from_this.hpp> #include <Swiften/Base/API.h> +#include <Swiften/Base/Error.h> +#include <Swiften/Base/String.h> +#include <Swiften/Base/URL.h> #include <Swiften/Network/Connection.h> #include <Swiften/Network/Connector.h> #include <Swiften/Network/HostAddressPort.h> -#include <Swiften/Base/String.h> -#include <Swiften/Base/URL.h> -#include <Swiften/Base/Error.h> #include <Swiften/Session/SessionStream.h> +#include <Swiften/TLS/TLSError.h> namespace boost { class thread; @@ -36,27 +37,31 @@ class BOSHConnectionTest; namespace Swift { class XMLParserFactory; class TLSContextFactory; + class TLSLayer; + struct TLSOptions; + class HighLayer; - class SWIFTEN_API BOSHError : public SessionStream::SessionStreamError { - public: - enum Type {BadRequest, HostGone, HostUnknown, ImproperAddressing, - InternalServerError, ItemNotFound, OtherRequest, PolicyViolation, - RemoteConnectionFailed, RemoteStreamError, SeeOtherURI, SystemShutdown, UndefinedCondition, - NoError}; - BOSHError(Type type) : SessionStream::SessionStreamError(SessionStream::SessionStreamError::ConnectionReadError), type(type) {} - Type getType() {return type;} - typedef boost::shared_ptr<BOSHError> ref; - private: - Type type; - - }; + class SWIFTEN_API BOSHError : public SessionStream::SessionStreamError { + public: + enum Type { + BadRequest, HostGone, HostUnknown, ImproperAddressing, + InternalServerError, ItemNotFound, OtherRequest, PolicyViolation, + RemoteConnectionFailed, RemoteStreamError, SeeOtherURI, SystemShutdown, UndefinedCondition, + NoError}; + BOSHError(Type type) : SessionStream::SessionStreamError(SessionStream::SessionStreamError::ConnectionReadError), type(type) {} + Type getType() {return type;} + typedef boost::shared_ptr<BOSHError> ref; + + private: + Type type; + }; class SWIFTEN_API BOSHConnection : public boost::enable_shared_from_this<BOSHConnection> { public: typedef boost::shared_ptr<BOSHConnection> ref; - static ref create(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory) { - return ref(new BOSHConnection(boshURL, connector, parserFactory)); + static ref create(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory, TLSContextFactory* tlsContextFactory, const TLSOptions& tlsOptions) { + return ref(new BOSHConnection(boshURL, connector, parserFactory, tlsContextFactory, tlsOptions)); } virtual ~BOSHConnection(); virtual void connect(); @@ -71,6 +76,10 @@ namespace Swift { bool isReadyToSend(); void restartStream(); + bool setClientCertificate(CertificateWithKey::ref cert); + Certificate::ref getPeerCertificate() const; + std::vector<Certificate::ref> getPeerCertificateChain() const; + CertificateVerificationError::ref getPeerCertificateVerificationError() const; boost::signal<void (bool /* error */)> onConnectFinished; boost::signal<void (bool /* error */)> onDisconnected; @@ -84,7 +93,7 @@ namespace Swift { private: friend class ::BOSHConnectionTest; - BOSHConnection(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory); + BOSHConnection(const URL& boshURL, Connector::ref connector, XMLParserFactory* parserFactory, TLSContextFactory* tlsContextFactory, const TLSOptions& tlsOptions); static std::pair<SafeByteArray, size_t> createHTTPRequest(const SafeByteArray& data, bool streamRestart, bool terminate, unsigned long long rid, const std::string& sid, const URL& boshURL); void handleConnectFinished(Connection::ref); @@ -94,10 +103,19 @@ namespace Swift { BOSHError::Type parseTerminationCondition(const std::string& text); void cancelConnector(); + void handleTLSConnected(); + void handleTLSApplicationDataRead(const SafeByteArray& data); + void handleTLSNetowrkDataWriteRequest(const SafeByteArray& data); + void handleRawDataRead(boost::shared_ptr<SafeByteArray> data); + void handleTLSError(boost::shared_ptr<TLSError> error); + void writeData(const SafeByteArray& data); + URL boshURL_; Connector::ref connector_; XMLParserFactory* parserFactory_; boost::shared_ptr<Connection> connection_; + boost::shared_ptr<HighLayer> dummyLayer_; + boost::shared_ptr<TLSLayer> tlsLayer_; std::string sid_; bool waitingForStartResponse_; unsigned long long rid_; |