author | Tobias Markmann <tm@ayena.de> | 2016-02-08 15:06:54 (GMT) |
---|---|---|
committer | Tobias Markmann <tm@ayena.de> | 2016-02-08 15:06:54 (GMT) |
commit | 27211ac2ca11c6ac259bc09bb81a7ed297a9d07d (patch) | |
tree | 6663eb8edcbc44f1c9af3777805404adc5d92a9b /Swiften/QA/TLSTest/CertificateErrorTest.cpp | |
parent | de378c0b47268aea03177165156627659e28dde3 (diff) | |
download | swift-27211ac2ca11c6ac259bc09bb81a7ed297a9d07d.zip swift-27211ac2ca11c6ac259bc09bb81a7ed297a9d07d.tar.bz2 |
Treat cert verify errors as non-fatal in OS X TLS backend
Our TLS backends need to treat TLS verification errors, e.g.
outdated certificate, untrusted CA, non-matching host, etc.,
as non-fatal, so the application can apply custom key
pinning verification or similar.
This patch changes the OS X SecureTransport backend to behave
accordingly and adjusts the CertificateErrorTest to mirror
this behavior.
This commit also fixes a double-free in
SecureTransportCertificate.
Test-Information:
Connected to a host with an untrusted CA and non-matching
domain in the certificate and was prompted with the Swift
certificate trust dialog on OS X 10.11.3.
Swiften/QA/TLSTest run successfully on OS X 10.11.3.
Change-Id: I4c8ce2178540d79a5f328e2e0558d4deb4295134
Diffstat (limited to 'Swiften/QA/TLSTest/CertificateErrorTest.cpp')
-rw-r--r-- | Swiften/QA/TLSTest/CertificateErrorTest.cpp | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/Swiften/QA/TLSTest/CertificateErrorTest.cpp b/Swiften/QA/TLSTest/CertificateErrorTest.cpp
index e69af0b..3b33e8e 100644
--- a/Swiften/QA/TLSTest/CertificateErrorTest.cpp
+++ b/Swiften/QA/TLSTest/CertificateErrorTest.cpp
@@ -1,47 +1,47 @@ /* - * Copyright (c) 2015 Isode Limited. + * Copyright (c) 2015-2016 Isode Limited. * All rights reserved. * See the COPYING file for more information. */ /* This file uses http://www.tls-o-matic.com/ to test the currently configured TLS backend for correct certificate validation behavior. */ #include <cppunit/extensions/HelperMacros.h> #include <cppunit/extensions/TestFactoryRegistry.h> #include <Swiften/Base/Log.h> #include <Swiften/EventLoop/DummyEventLoop.h> -#include <Swiften/IDN/PlatformIDNConverter.h> #include <Swiften/IDN/IDNConverter.h> +#include <Swiften/IDN/PlatformIDNConverter.h> #include <Swiften/Network/BoostConnectionFactory.h> #include <Swiften/Network/BoostIOServiceThread.h> #include <Swiften/Network/HostAddressPort.h> #include <Swiften/Network/PlatformDomainNameResolver.h> #include <Swiften/Network/TLSConnection.h> #include <Swiften/Network/TLSConnectionFactory.h> #include <Swiften/TLS/CertificateVerificationError.h> #include <Swiften/TLS/PlatformTLSFactories.h> #include <Swiften/TLS/TLSContext.h> #include <Swiften/TLS/TLSContextFactory.h> using namespace Swift; class CertificateErrorTest : public CppUnit::TestFixture { CPPUNIT_TEST_SUITE(CertificateErrorTest); // These test require the TLS-O-Matic testing CA to be trusted. For more info see https://www.tls-o-matic.com/https/test1 . CPPUNIT_TEST(testTLS_O_MaticTrusted); CPPUNIT_TEST(testTLS_O_MaticCertificateFromTheFuture); CPPUNIT_TEST(testTLS_O_MaticCertificateFromThePast); CPPUNIT_TEST(testTLS_O_MaticCertificateFromUnknownCA); CPPUNIT_TEST(testTLS_O_MaticCertificateWrongPurpose); #if !defined(HAVE_OPENSSL) // Our OpenSSL backend does not support revocation. We excluded it from the revocation tests. CPPUNIT_TEST(testRevokedCertificateRevocationDisabled); CPPUNIT_TEST(testRevokedCertificateRevocationEnabled); #endif CPPUNIT_TEST_SUITE_END(); 
@@ -95,118 +95,118 @@ class CertificateErrorTest : public CppUnit::TestFixture { } void connectToServer(boost::shared_ptr<TLSConnection> connection, const std::string& hostname, int port) { connection->onConnectFinished.connect(boost::bind(&CertificateErrorTest::handleConnectFinished, this, _1)); HostAddress address = resolveName(hostname); connection->connect(HostAddressPort(address, port)); while (!connectFinished_) { eventLoop_->processEvents(); } } void testTLS_O_MaticTrusted() { boost::shared_ptr<TLSConnection> connection = boost::dynamic_pointer_cast<TLSConnection>(tlsConnectionFactory_->createConnection()); TLSContext* context = connection->getTLSContext(); connectToServer(connection, "test1.tls-o-matic.com", 443); CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_); CPPUNIT_ASSERT_EQUAL(CertificateVerificationError::ref(), context->getPeerCertificateVerificationError()); } void testTLS_O_MaticCertificateFromTheFuture() { boost::shared_ptr<TLSConnection> connection = boost::dynamic_pointer_cast<TLSConnection>(tlsConnectionFactory_->createConnection()); TLSContext* context = connection->getTLSContext(); connectToServer(connection, "test5.tls-o-matic.com", 405); - CPPUNIT_ASSERT_EQUAL(true, connectFinishedWithError_); + CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_); CPPUNIT_ASSERT(context->getPeerCertificateVerificationError()); CPPUNIT_ASSERT_EQUAL(CertificateVerificationError::NotYetValid, context->getPeerCertificateVerificationError()->getType()); } void testTLS_O_MaticCertificateFromThePast() { boost::shared_ptr<TLSConnection> connection = boost::dynamic_pointer_cast<TLSConnection>(tlsConnectionFactory_->createConnection()); TLSContext* context = connection->getTLSContext(); connectToServer(connection, "test6.tls-o-matic.com", 406); - CPPUNIT_ASSERT_EQUAL(true, connectFinishedWithError_); + CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_); CPPUNIT_ASSERT(context->getPeerCertificateVerificationError()); 
CPPUNIT_ASSERT_EQUAL(CertificateVerificationError::Expired, context->getPeerCertificateVerificationError()->getType()); } void testTLS_O_MaticCertificateFromUnknownCA() { boost::shared_ptr<TLSConnection> connection = boost::dynamic_pointer_cast<TLSConnection>(tlsConnectionFactory_->createConnection()); TLSContext* context = connection->getTLSContext(); connectToServer(connection, "test7.tls-o-matic.com", 407); - CPPUNIT_ASSERT_EQUAL(true, connectFinishedWithError_); + CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_); CPPUNIT_ASSERT(context->getPeerCertificateVerificationError()); CPPUNIT_ASSERT_EQUAL(CertificateVerificationError::Untrusted, context->getPeerCertificateVerificationError()->getType()); } // test14.tls-o-matic.com:414 void testTLS_O_MaticCertificateWrongPurpose() { boost::shared_ptr<TLSConnection> connection = boost::dynamic_pointer_cast<TLSConnection>(tlsConnectionFactory_->createConnection()); TLSContext* context = connection->getTLSContext(); connectToServer(connection, "test14.tls-o-matic.com", 414); - CPPUNIT_ASSERT_EQUAL(true, connectFinishedWithError_); + CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_); CPPUNIT_ASSERT(context->getPeerCertificateVerificationError()); CPPUNIT_ASSERT_EQUAL(CertificateVerificationError::InvalidPurpose, context->getPeerCertificateVerificationError()->getType()); } void testRevokedCertificateRevocationDisabled() { tlsContextFactory_->setCheckCertificateRevocation(false); boost::shared_ptr<TLSConnection> connection = boost::dynamic_pointer_cast<TLSConnection>(tlsConnectionFactory_->createConnection()); TLSContext* context = connection->getTLSContext(); connectToServer(connection, "revoked.grc.com", 443); CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_); CPPUNIT_ASSERT(!context->getPeerCertificateVerificationError()); } void testRevokedCertificateRevocationEnabled() { tlsContextFactory_->setCheckCertificateRevocation(true); boost::shared_ptr<TLSConnection> connection = 
boost::dynamic_pointer_cast<TLSConnection>(tlsConnectionFactory_->createConnection()); TLSContext* context = connection->getTLSContext(); connectToServer(connection, "revoked.grc.com", 443); - CPPUNIT_ASSERT_EQUAL(true, connectFinishedWithError_); + CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_); CPPUNIT_ASSERT(context->getPeerCertificateVerificationError()); CPPUNIT_ASSERT_EQUAL(CertificateVerificationError::Revoked, context->getPeerCertificateVerificationError()->getType()); } private: void handleAddressQueryResult(const std::vector<HostAddress>& address, boost::optional<DomainNameResolveError> /* error */) { if (address.size() > 0) { lastResoverResult_ = address[0]; } resolvingDone_ = true; } void handleConnectFinished(bool error) { connectFinished_ = true; connectFinishedWithError_ = error; } private: BoostIOServiceThread* boostIOServiceThread_; boost::shared_ptr<boost::asio::io_service> boostIOService_; DummyEventLoop* eventLoop_; ConnectionFactory* connectionFactory_; PlatformTLSFactories* tlsFactories_; TLSContextFactory* tlsContextFactory_; TLSConnectionFactory* tlsConnectionFactory_; IDNConverter* idnConverter_; DomainNameResolver* domainNameResolver_; HostAddress lastResoverResult_; bool resolvingDone_; |
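Review bot: The five flipped assertions (`CPPUNIT_ASSERT_EQUAL(false, connectFinishedWithError_)` in the FromTheFuture, FromThePast, FromUnknownCA, WrongPurpose and RevocationEnabled tests) now expect the handshake to complete even though the certificate fails verification, so a clean connect no longer implies a verified peer. That contract should be stated next to the tests, for example `// Verification errors are non-fatal: callers must check getPeerCertificateVerificationError() before trusting the peer.` The commit message also names a non-matching host as a non-fatal case, but no test in this hunk exercises a hostname mismatch; whether that check belongs at this layer is not visible here. The class body starts before the hunk and continues past its end.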