diff options
author | Tobias Markmann <tm@ayena.de> | 2016-03-31 14:57:35 (GMT) |
---|---|---|
committer | Tobias Markmann <tm@ayena.de> | 2016-03-31 14:57:35 (GMT) |
commit | cfbdb43d2cadd40aa87338d41548e4bf89e146e6 (patch) | |
tree | 18d94153a302445196fc0c18586abf44a1ce4a38 /Swiften/TLS/SecureTransport | |
parent | 1d545a4a7fb877f021508094b88c1f17b30d8b4e (diff) | |
download | swift-cfbdb43d2cadd40aa87338d41548e4bf89e146e6.zip swift-cfbdb43d2cadd40aa87338d41548e4bf89e146e6.tar.bz2 |
Convert tabs to 4 spaces for all source files
Removed trailing spaces and whitespace on empty lines
in the process.
Changed CheckTabs.py tool to disallow hard tabs in source
files.
Test-Information:
Manually checked 30 random files that the conversion worked
as expected.
Change-Id: I874f99d617bd3d2bb55f02d58f22f58f9b094480
Diffstat (limited to 'Swiften/TLS/SecureTransport')
7 files changed, 541 insertions, 541 deletions
diff --git a/Swiften/TLS/SecureTransport/SecureTransportCertificate.h b/Swiften/TLS/SecureTransport/SecureTransportCertificate.h index b8d3728..625c2ae 100644 --- a/Swiften/TLS/SecureTransport/SecureTransportCertificate.h +++ b/Swiften/TLS/SecureTransport/SecureTransportCertificate.h @@ -17,29 +17,29 @@ namespace Swift { class SecureTransportCertificate : public Certificate { public: - SecureTransportCertificate(SecCertificateRef certificate); - SecureTransportCertificate(const ByteArray& der); - virtual ~SecureTransportCertificate(); + SecureTransportCertificate(SecCertificateRef certificate); + SecureTransportCertificate(const ByteArray& der); + virtual ~SecureTransportCertificate(); - virtual std::string getSubjectName() const; - virtual std::vector<std::string> getCommonNames() const; - virtual std::vector<std::string> getSRVNames() const; - virtual std::vector<std::string> getDNSNames() const; - virtual std::vector<std::string> getXMPPAddresses() const; + virtual std::string getSubjectName() const; + virtual std::vector<std::string> getCommonNames() const; + virtual std::vector<std::string> getSRVNames() const; + virtual std::vector<std::string> getDNSNames() const; + virtual std::vector<std::string> getXMPPAddresses() const; - virtual ByteArray toDER() const; + virtual ByteArray toDER() const; private: - void parse(); - typedef boost::remove_pointer<SecCertificateRef>::type SecCertificate; + void parse(); + typedef boost::remove_pointer<SecCertificateRef>::type SecCertificate; private: - boost::shared_ptr<SecCertificate> certificateHandle_; - std::string subjectName_; - std::vector<std::string> commonNames_; - std::vector<std::string> srvNames_; - std::vector<std::string> dnsNames_; - std::vector<std::string> xmppAddresses_; + boost::shared_ptr<SecCertificate> certificateHandle_; + std::string subjectName_; + std::vector<std::string> commonNames_; + std::vector<std::string> srvNames_; + std::vector<std::string> dnsNames_; + std::vector<std::string> xmppAddresses_; }; } diff --git a/Swiften/TLS/SecureTransport/SecureTransportCertificate.mm b/Swiften/TLS/SecureTransport/SecureTransportCertificate.mm index 6f8e158..398829c 100644 --- a/Swiften/TLS/SecureTransport/SecureTransportCertificate.mm +++ b/Swiften/TLS/SecureTransport/SecureTransportCertificate.mm @@ -19,7 +19,7 @@ template <typename T, typename S> T bridge_cast(S source) { #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wold-style-cast" - return (__bridge T)(source); + return (__bridge T)(source); #pragma clang diagnostic pop } @@ -29,11 +29,11 @@ namespace { inline std::string ns2StdString(NSString* _Nullable nsString); inline std::string ns2StdString(NSString* _Nullable nsString) { - std::string stdString; - if (nsString != nil) { - stdString = std::string([nsString cStringUsingEncoding:NSUTF8StringEncoding]); - } - return stdString; + std::string stdString; + if (nsString != nil) { + stdString = std::string([nsString cStringUsingEncoding:NSUTF8StringEncoding]); + } + return stdString; } } @@ -41,21 +41,21 @@ inline std::string ns2StdString(NSString* _Nullable nsString) { namespace Swift { SecureTransportCertificate::SecureTransportCertificate(SecCertificateRef certificate) { - assert(certificate); - CFRetain(certificate); - certificateHandle_ = boost::shared_ptr<SecCertificate>(certificate, CFRelease); - parse(); + assert(certificate); + CFRetain(certificate); + certificateHandle_ = boost::shared_ptr<SecCertificate>(certificate, CFRelease); + parse(); } SecureTransportCertificate::SecureTransportCertificate(const ByteArray& der) { - CFDataRef derData = CFDataCreateWithBytesNoCopy(NULL, der.data(), static_cast<CFIndex>(der.size()), NULL); - // certificate will take ownership of derData and free it on its release. - SecCertificateRef certificate = SecCertificateCreateWithData(NULL, derData); - if (certificate) { - certificateHandle_ = boost::shared_ptr<SecCertificate>(certificate, CFRelease); - parse(); - } + CFDataRef derData = CFDataCreateWithBytesNoCopy(NULL, der.data(), static_cast<CFIndex>(der.size()), NULL); + // certificate will take ownership of derData and free it on its release. + SecCertificateRef certificate = SecCertificateCreateWithData(NULL, derData); + if (certificate) { + certificateHandle_ = boost::shared_ptr<SecCertificate>(certificate, CFRelease); + parse(); + } } SecureTransportCertificate::~SecureTransportCertificate() { @@ -63,89 +63,89 @@ SecureTransportCertificate::~SecureTransportCertificate() { } void SecureTransportCertificate::parse() { - assert(certificateHandle_); - CFErrorRef error = NULL; - - // The SecCertificateCopyValues function is not part of the iOS Secure Transport API. - CFDictionaryRef valueDict = SecCertificateCopyValues(certificateHandle_.get(), 0, &error); - if (valueDict) { - // Handle subject. - CFStringRef subject = SecCertificateCopySubjectSummary(certificateHandle_.get()); - if (subject) { - NSString* subjectStr = bridge_cast<NSString*>(subject); - subjectName_ = ns2StdString(subjectStr); - CFRelease(subject); - } - - // Handle a single Common Name. - CFStringRef commonName = NULL; - OSStatus error = SecCertificateCopyCommonName(certificateHandle_.get(), &commonName); - if (!error && commonName) { - NSString* commonNameStr = bridge_cast<NSString*>(commonName); - commonNames_.push_back(ns2StdString(commonNameStr)); - } - if (commonName) { - CFRelease(commonName); - } - - // Handle Subject Alternative Names - NSDictionary* certDict = bridge_cast<NSDictionary*>(valueDict); - NSDictionary* subjectAltNamesDict = certDict[@"2.5.29.17"][@"value"]; - - for (NSDictionary* entry in subjectAltNamesDict) { - if ([entry[@"label"] isEqualToString:static_cast<NSString * _Nonnull>([NSString stringWithUTF8String:ID_ON_XMPPADDR_OID])]) { - xmppAddresses_.push_back(ns2StdString(entry[@"value"])); - } - else if ([entry[@"label"] isEqualToString:static_cast<NSString * _Nonnull>([NSString stringWithUTF8String:ID_ON_DNSSRV_OID])]) { - srvNames_.push_back(ns2StdString(entry[@"value"])); - } - else if ([entry[@"label"] isEqualToString:@"DNS Name"]) { - dnsNames_.push_back(ns2StdString(entry[@"value"])); - } - } - CFRelease(valueDict); - } - - if (error) { - CFRelease(error); - } + assert(certificateHandle_); + CFErrorRef error = NULL; + + // The SecCertificateCopyValues function is not part of the iOS Secure Transport API. + CFDictionaryRef valueDict = SecCertificateCopyValues(certificateHandle_.get(), 0, &error); + if (valueDict) { + // Handle subject. + CFStringRef subject = SecCertificateCopySubjectSummary(certificateHandle_.get()); + if (subject) { + NSString* subjectStr = bridge_cast<NSString*>(subject); + subjectName_ = ns2StdString(subjectStr); + CFRelease(subject); + } + + // Handle a single Common Name. + CFStringRef commonName = NULL; + OSStatus error = SecCertificateCopyCommonName(certificateHandle_.get(), &commonName); + if (!error && commonName) { + NSString* commonNameStr = bridge_cast<NSString*>(commonName); + commonNames_.push_back(ns2StdString(commonNameStr)); + } + if (commonName) { + CFRelease(commonName); + } + + // Handle Subject Alternative Names + NSDictionary* certDict = bridge_cast<NSDictionary*>(valueDict); + NSDictionary* subjectAltNamesDict = certDict[@"2.5.29.17"][@"value"]; + + for (NSDictionary* entry in subjectAltNamesDict) { + if ([entry[@"label"] isEqualToString:static_cast<NSString * _Nonnull>([NSString stringWithUTF8String:ID_ON_XMPPADDR_OID])]) { + xmppAddresses_.push_back(ns2StdString(entry[@"value"])); + } + else if ([entry[@"label"] isEqualToString:static_cast<NSString * _Nonnull>([NSString stringWithUTF8String:ID_ON_DNSSRV_OID])]) { + srvNames_.push_back(ns2StdString(entry[@"value"])); + } + else if ([entry[@"label"] isEqualToString:@"DNS Name"]) { + dnsNames_.push_back(ns2StdString(entry[@"value"])); + } + } + CFRelease(valueDict); + } + + if (error) { + CFRelease(error); + } } std::string SecureTransportCertificate::getSubjectName() const { - return subjectName_; + return subjectName_; } std::vector<std::string> SecureTransportCertificate::getCommonNames() const { - return commonNames_; + return commonNames_; } std::vector<std::string> SecureTransportCertificate::getSRVNames() const { - return srvNames_; + return srvNames_; } std::vector<std::string> SecureTransportCertificate::getDNSNames() const { - return dnsNames_; + return dnsNames_; } std::vector<std::string> SecureTransportCertificate::getXMPPAddresses() const { - return xmppAddresses_; + return xmppAddresses_; } ByteArray SecureTransportCertificate::toDER() const { - ByteArray der; - if (certificateHandle_) { - CFDataRef derData = SecCertificateCopyData(certificateHandle_.get()); - if (derData) { - try { - size_t dataSize = boost::numeric_cast<size_t>(CFDataGetLength(derData)); - der.resize(dataSize); - CFDataGetBytes(derData, CFRangeMake(0,CFDataGetLength(derData)), der.data()); - } catch (...) { - } - CFRelease(derData); - } - } - return der; + ByteArray der; + if (certificateHandle_) { + CFDataRef derData = SecCertificateCopyData(certificateHandle_.get()); + if (derData) { + try { + size_t dataSize = boost::numeric_cast<size_t>(CFDataGetLength(derData)); + der.resize(dataSize); + CFDataGetBytes(derData, CFRangeMake(0,CFDataGetLength(derData)), der.data()); + } catch (...) { + } + CFRelease(derData); + } + } + return der; } } diff --git a/Swiften/TLS/SecureTransport/SecureTransportCertificateFactory.h b/Swiften/TLS/SecureTransport/SecureTransportCertificateFactory.h index 1f86541..3ea469d 100644 --- a/Swiften/TLS/SecureTransport/SecureTransportCertificateFactory.h +++ b/Swiften/TLS/SecureTransport/SecureTransportCertificateFactory.h @@ -10,11 +10,11 @@ #include <Swiften/TLS/SecureTransport/SecureTransportCertificate.h> namespace Swift { - + class SecureTransportCertificateFactory : public CertificateFactory { - public: - virtual Certificate* createCertificateFromDER(const ByteArray& der) { - return new SecureTransportCertificate(der); - } - }; + public: + virtual Certificate* createCertificateFromDER(const ByteArray& der) { + return new SecureTransportCertificate(der); + } + }; } diff --git a/Swiften/TLS/SecureTransport/SecureTransportContext.h b/Swiften/TLS/SecureTransport/SecureTransportContext.h index aa17c66..4d45f52 100644 --- a/Swiften/TLS/SecureTransport/SecureTransportContext.h +++ b/Swiften/TLS/SecureTransport/SecureTransportContext.h @@ -13,46 +13,46 @@ namespace Swift { class SecureTransportContext : public TLSContext { - public: - SecureTransportContext(bool checkCertificateRevocation); - virtual ~SecureTransportContext(); + public: + SecureTransportContext(bool checkCertificateRevocation); + virtual ~SecureTransportContext(); - virtual void connect(); + virtual void connect(); - virtual bool setClientCertificate(CertificateWithKey::ref cert); + virtual bool setClientCertificate(CertificateWithKey::ref cert); - virtual void handleDataFromNetwork(const SafeByteArray&); - virtual void handleDataFromApplication(const SafeByteArray&); + virtual void handleDataFromNetwork(const SafeByteArray&); + virtual void handleDataFromApplication(const SafeByteArray&); - virtual std::vector<Certificate::ref> getPeerCertificateChain() const; - virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const; + virtual std::vector<Certificate::ref> getPeerCertificateChain() const; + virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const; - virtual ByteArray getFinishMessage() const; - - private: - static OSStatus SSLSocketReadCallback(SSLConnectionRef connection, void *data, size_t *dataLength); - static OSStatus SSLSocketWriteCallback(SSLConnectionRef connection, const void *data, size_t *dataLength); + virtual ByteArray getFinishMessage() const; - private: - enum State { None, Handshake, HandshakeDone, Error}; - static std::string stateToString(State state); - void setState(State newState); + private: + static OSStatus SSLSocketReadCallback(SSLConnectionRef connection, void *data, size_t *dataLength); + static OSStatus SSLSocketWriteCallback(SSLConnectionRef connection, const void *data, size_t *dataLength); - static boost::shared_ptr<TLSError> nativeToTLSError(OSStatus error); - boost::shared_ptr<CertificateVerificationError> CSSMErrorToVerificationError(OSStatus resultCode); + private: + enum State { None, Handshake, HandshakeDone, Error}; + static std::string stateToString(State state); + void setState(State newState); - void processHandshake(); - void verifyServerCertificate(); + static boost::shared_ptr<TLSError> nativeToTLSError(OSStatus error); + boost::shared_ptr<CertificateVerificationError> CSSMErrorToVerificationError(OSStatus resultCode); - void fatalError(boost::shared_ptr<TLSError> error, boost::shared_ptr<CertificateVerificationError> certificateError); + void processHandshake(); + void verifyServerCertificate(); - private: - boost::shared_ptr<SSLContext> sslContext_; - SafeByteArray readingBuffer_; - State state_; - CertificateVerificationError::ref verificationError_; - CertificateWithKey::ref clientCertificate_; - bool checkCertificateRevocation_; + void fatalError(boost::shared_ptr<TLSError> error, boost::shared_ptr<CertificateVerificationError> certificateError); + + private: + boost::shared_ptr<SSLContext> sslContext_; + SafeByteArray readingBuffer_; + State state_; + CertificateVerificationError::ref verificationError_; + CertificateWithKey::ref clientCertificate_; + bool checkCertificateRevocation_; }; } diff --git a/Swiften/TLS/SecureTransport/SecureTransportContext.mm b/Swiften/TLS/SecureTransport/SecureTransportContext.mm index ca6c5bb..62889fd 100644 --- a/Swiften/TLS/SecureTransport/SecureTransportContext.mm +++ b/Swiften/TLS/SecureTransport/SecureTransportContext.mm @@ -21,15 +21,15 @@ #import <Security/SecImportExport.h> namespace { - typedef boost::remove_pointer<CFArrayRef>::type CFArray; - typedef boost::remove_pointer<SecTrustRef>::type SecTrust; + typedef boost::remove_pointer<CFArrayRef>::type CFArray; + typedef boost::remove_pointer<SecTrustRef>::type SecTrust; } template <typename T, typename S> T bridge_cast(S source) { #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wold-style-cast" - return (__bridge T)(source); + return (__bridge T)(source); #pragma clang diagnostic pop } @@ -37,162 +37,162 @@ namespace Swift { namespace { - + CFArrayRef CreateClientCertificateChainAsCFArrayRef(CertificateWithKey::ref key) { - boost::shared_ptr<PKCS12Certificate> pkcs12 = boost::dynamic_pointer_cast<PKCS12Certificate>(key); - if (!key) { - return NULL; - } - - SafeByteArray safePassword = pkcs12->getPassword(); - CFIndex passwordSize = 0; - try { - passwordSize = boost::numeric_cast<CFIndex>(safePassword.size()); - } catch (...) { - return NULL; - } - - CFMutableArrayRef certChain = CFArrayCreateMutable(NULL, 0, 0); - - OSStatus securityError = errSecSuccess; - CFStringRef password = CFStringCreateWithBytes(kCFAllocatorDefault, safePassword.data(), passwordSize, kCFStringEncodingUTF8, false); - const void* keys[] = { kSecImportExportPassphrase }; - const void* values[] = { password }; - - CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL); - - CFArrayRef items = NULL; - CFDataRef pkcs12Data = bridge_cast<CFDataRef>([NSData dataWithBytes: static_cast<const void *>(pkcs12->getData().data()) length:pkcs12->getData().size()]); - securityError = SecPKCS12Import(pkcs12Data, options, &items); - CFRelease(options); - NSArray* nsItems = bridge_cast<NSArray*>(items); - - switch(securityError) { - case errSecSuccess: - break; - case errSecAuthFailed: - // Password did not work for decoding the certificate. - SWIFT_LOG(warning) << "Invalid password." << std::endl; - break; - case errSecDecode: - // Other decoding error. - SWIFT_LOG(warning) << "PKCS12 decoding error." << std::endl; - break; - default: - SWIFT_LOG(warning) << "Unknown error." << std::endl; - } - - if (securityError != errSecSuccess) { - if (items) { - CFRelease(items); - items = NULL; - } - CFRelease(certChain); - certChain = NULL; - } - - if (certChain) { - CFArrayAppendValue(certChain, nsItems[0][@"identity"]); - - for (CFIndex index = 0; index < CFArrayGetCount(bridge_cast<CFArrayRef>(nsItems[0][@"chain"])); index++) { - CFArrayAppendValue(certChain, CFArrayGetValueAtIndex(bridge_cast<CFArrayRef>(nsItems[0][@"chain"]), index)); - } - } - return certChain; + boost::shared_ptr<PKCS12Certificate> pkcs12 = boost::dynamic_pointer_cast<PKCS12Certificate>(key); + if (!key) { + return NULL; + } + + SafeByteArray safePassword = pkcs12->getPassword(); + CFIndex passwordSize = 0; + try { + passwordSize = boost::numeric_cast<CFIndex>(safePassword.size()); + } catch (...) { + return NULL; + } + + CFMutableArrayRef certChain = CFArrayCreateMutable(NULL, 0, 0); + + OSStatus securityError = errSecSuccess; + CFStringRef password = CFStringCreateWithBytes(kCFAllocatorDefault, safePassword.data(), passwordSize, kCFStringEncodingUTF8, false); + const void* keys[] = { kSecImportExportPassphrase }; + const void* values[] = { password }; + + CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL); + + CFArrayRef items = NULL; + CFDataRef pkcs12Data = bridge_cast<CFDataRef>([NSData dataWithBytes: static_cast<const void *>(pkcs12->getData().data()) length:pkcs12->getData().size()]); + securityError = SecPKCS12Import(pkcs12Data, options, &items); + CFRelease(options); + NSArray* nsItems = bridge_cast<NSArray*>(items); + + switch(securityError) { + case errSecSuccess: + break; + case errSecAuthFailed: + // Password did not work for decoding the certificate. + SWIFT_LOG(warning) << "Invalid password." << std::endl; + break; + case errSecDecode: + // Other decoding error. + SWIFT_LOG(warning) << "PKCS12 decoding error." << std::endl; + break; + default: + SWIFT_LOG(warning) << "Unknown error." << std::endl; + } + + if (securityError != errSecSuccess) { + if (items) { + CFRelease(items); + items = NULL; + } + CFRelease(certChain); + certChain = NULL; + } + + if (certChain) { + CFArrayAppendValue(certChain, nsItems[0][@"identity"]); + + for (CFIndex index = 0; index < CFArrayGetCount(bridge_cast<CFArrayRef>(nsItems[0][@"chain"])); index++) { + CFArrayAppendValue(certChain, CFArrayGetValueAtIndex(bridge_cast<CFArrayRef>(nsItems[0][@"chain"]), index)); + } + } + return certChain; } } SecureTransportContext::SecureTransportContext(bool checkCertificateRevocation) : state_(None), checkCertificateRevocation_(checkCertificateRevocation) { - sslContext_ = boost::shared_ptr<SSLContext>(SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType), CFRelease); - - OSStatus error = noErr; - // set IO callbacks - error = SSLSetIOFuncs(sslContext_.get(), &SecureTransportContext::SSLSocketReadCallback, &SecureTransportContext::SSLSocketWriteCallback); - if (error != noErr) { - SWIFT_LOG(error) << "Unable to set IO functions to SSL context." << std::endl; - sslContext_.reset(); - } - - error = SSLSetConnection(sslContext_.get(), this); - if (error != noErr) { - SWIFT_LOG(error) << "Unable to set connection to SSL context." << std::endl; - sslContext_.reset(); - } - - - error = SSLSetSessionOption(sslContext_.get(), kSSLSessionOptionBreakOnServerAuth, true); - if (error != noErr) { - SWIFT_LOG(error) << "Unable to set kSSLSessionOptionBreakOnServerAuth on session." << std::endl; - sslContext_.reset(); - } + sslContext_ = boost::shared_ptr<SSLContext>(SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType), CFRelease); + + OSStatus error = noErr; + // set IO callbacks + error = SSLSetIOFuncs(sslContext_.get(), &SecureTransportContext::SSLSocketReadCallback, &SecureTransportContext::SSLSocketWriteCallback); + if (error != noErr) { + SWIFT_LOG(error) << "Unable to set IO functions to SSL context." << std::endl; + sslContext_.reset(); + } + + error = SSLSetConnection(sslContext_.get(), this); + if (error != noErr) { + SWIFT_LOG(error) << "Unable to set connection to SSL context." << std::endl; + sslContext_.reset(); + } + + + error = SSLSetSessionOption(sslContext_.get(), kSSLSessionOptionBreakOnServerAuth, true); + if (error != noErr) { + SWIFT_LOG(error) << "Unable to set kSSLSessionOptionBreakOnServerAuth on session." << std::endl; + sslContext_.reset(); + } } SecureTransportContext::~SecureTransportContext() { - if (sslContext_) { - SSLClose(sslContext_.get()); - } + if (sslContext_) { + SSLClose(sslContext_.get()); + } } std::string SecureTransportContext::stateToString(State state) { - std::string returnValue; - switch(state) { - case Handshake: - returnValue = "Handshake"; - break; - case HandshakeDone: - returnValue = "HandshakeDone"; - break; - case None: - returnValue = "None"; - break; - case Error: - returnValue = "Error"; - break; - } - return returnValue; + std::string returnValue; + switch(state) { + case Handshake: + returnValue = "Handshake"; + break; + case HandshakeDone: + returnValue = "HandshakeDone"; + break; + case None: + returnValue = "None"; + break; + case Error: + returnValue = "Error"; + break; + } + return returnValue; } void SecureTransportContext::setState(State newState) { - SWIFT_LOG(debug) << "Switch state from " << stateToString(state_) << " to " << stateToString(newState) << "." << std::endl; - state_ = newState; + SWIFT_LOG(debug) << "Switch state from " << stateToString(state_) << " to " << stateToString(newState) << "." << std::endl; + state_ = newState; } void SecureTransportContext::connect() { - SWIFT_LOG_ASSERT(state_ == None, error) << "current state '" << stateToString(state_) << " invalid." << std::endl; - if (clientCertificate_) { - CFArrayRef certs = CreateClientCertificateChainAsCFArrayRef(clientCertificate_); - if (certs) { - boost::shared_ptr<CFArray> certRefs(certs, CFRelease); - OSStatus result = SSLSetCertificate(sslContext_.get(), certRefs.get()); - if (result != noErr) { - SWIFT_LOG(error) << "SSLSetCertificate failed with error " << result << "." << std::endl; - } - } - } - processHandshake(); + SWIFT_LOG_ASSERT(state_ == None, error) << "current state '" << stateToString(state_) << " invalid." << std::endl; + if (clientCertificate_) { + CFArrayRef certs = CreateClientCertificateChainAsCFArrayRef(clientCertificate_); + if (certs) { + boost::shared_ptr<CFArray> certRefs(certs, CFRelease); + OSStatus result = SSLSetCertificate(sslContext_.get(), certRefs.get()); + if (result != noErr) { + SWIFT_LOG(error) << "SSLSetCertificate failed with error " << result << "." << std::endl; + } + } + } + processHandshake(); } void SecureTransportContext::processHandshake() { - SWIFT_LOG_ASSERT(state_ == None || state_ == Handshake, error) << "current state '" << stateToString(state_) << " invalid." << std::endl; - OSStatus error = SSLHandshake(sslContext_.get()); - if (error == errSSLWouldBlock) { - setState(Handshake); - } - else if (error == noErr) { - SWIFT_LOG(debug) << "TLS handshake successful." << std::endl; - setState(HandshakeDone); - onConnected(); - } - else if (error == errSSLPeerAuthCompleted) { - SWIFT_LOG(debug) << "Received server certificate. Start verification." << std::endl; - setState(Handshake); - verifyServerCertificate(); - } - else { - SWIFT_LOG(debug) << "Error returned from SSLHandshake call is " << error << "." << std::endl; - fatalError(nativeToTLSError(error), boost::make_shared<CertificateVerificationError>()); - } + SWIFT_LOG_ASSERT(state_ == None || state_ == Handshake, error) << "current state '" << stateToString(state_) << " invalid." << std::endl; + OSStatus error = SSLHandshake(sslContext_.get()); + if (error == errSSLWouldBlock) { + setState(Handshake); + } + else if (error == noErr) { + SWIFT_LOG(debug) << "TLS handshake successful." << std::endl; + setState(HandshakeDone); + onConnected(); + } + else if (error == errSSLPeerAuthCompleted) { + SWIFT_LOG(debug) << "Received server certificate. Start verification." << std::endl; + setState(Handshake); + verifyServerCertificate(); + } + else { + SWIFT_LOG(debug) << "Error returned from SSLHandshake call is " << error << "." << std::endl; + fatalError(nativeToTLSError(error), boost::make_shared<CertificateVerificationError>()); + } } @@ -200,296 +200,296 @@ void SecureTransportContext::processHandshake() { #pragma clang diagnostic ignored "-Wdeprecated-declarations" void SecureTransportContext::verifyServerCertificate() { - SecTrustRef trust = NULL; - OSStatus error = SSLCopyPeerTrust(sslContext_.get(), &trust); - if (error != noErr) { - fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); - return; - } - boost::shared_ptr<SecTrust> trustRef = boost::shared_ptr<SecTrust>(trust, CFRelease); - - if (checkCertificateRevocation_) { - error = SecTrustSetOptions(trust, kSecTrustOptionRequireRevPerCert | kSecTrustOptionFetchIssuerFromNet); - if (error != noErr) { - fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); - return; - } - } - - SecTrustResultType trustResult; - error = SecTrustEvaluate(trust, &trustResult); - if (error != errSecSuccess) { - fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); - return; - } - - OSStatus cssmResult = 0; - switch(trustResult) { - case kSecTrustResultUnspecified: - SWIFT_LOG(warning) << "Successful implicit validation. Result unspecified." << std::endl; - break; - case kSecTrustResultProceed: - SWIFT_LOG(warning) << "Validation resulted in explicitly trusted." << std::endl; - break; - case kSecTrustResultRecoverableTrustFailure: - SWIFT_LOG(warning) << "recoverable trust failure" << std::endl; - error = SecTrustGetCssmResultCode(trust, &cssmResult); - if (error == errSecSuccess) { - verificationError_ = CSSMErrorToVerificationError(cssmResult); - if (cssmResult == CSSMERR_TP_VERIFY_ACTION_FAILED || cssmResult == CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK ) { - // Find out the reason why the verification failed. - CFArrayRef certChain; - CSSM_TP_APPLE_EVIDENCE_INFO* statusChain; - error = SecTrustGetResult(trustRef.get(), &trustResult, &certChain, &statusChain); - if (error == errSecSuccess) { - boost::shared_ptr<CFArray> certChainRef = boost::shared_ptr<CFArray>(certChain, CFRelease); - for (CFIndex index = 0; index < CFArrayGetCount(certChainRef.get()); index++) { - for (CFIndex n = 0; n < statusChain[index].NumStatusCodes; n++) { - // Even though Secure Transport reported CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK on the whole certificate - // chain, the actual cause can be that a revocation check for a specific cert returned CSSMERR_TP_CERT_REVOKED. - if (!verificationError_ || verificationError_->getType() == CertificateVerificationError::RevocationCheckFailed) { - verificationError_ = CSSMErrorToVerificationError(statusChain[index].StatusCodes[n]); - } - } - } - } - else { - - } - } - } - else { - verificationError_ = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError); - } - break; - case kSecTrustResultOtherError: - verificationError_ = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError); - break; - default: - SWIFT_LOG(warning) << "Unhandled trust result " << trustResult << "." << std::endl; - break; - } - - // We proceed with the TLS handshake here to give the application an opportunity - // to apply custom validation and trust management. The application is responsible - // to call \ref getPeerCertificateVerificationError directly after the \ref onConnected - // signal is called and before any application data is send to the context. - processHandshake(); + SecTrustRef trust = NULL; + OSStatus error = SSLCopyPeerTrust(sslContext_.get(), &trust); + if (error != noErr) { + fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); + return; + } + boost::shared_ptr<SecTrust> trustRef = boost::shared_ptr<SecTrust>(trust, CFRelease); + + if (checkCertificateRevocation_) { + error = SecTrustSetOptions(trust, kSecTrustOptionRequireRevPerCert | kSecTrustOptionFetchIssuerFromNet); + if (error != noErr) { + fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); + return; + } + } + + SecTrustResultType trustResult; + error = SecTrustEvaluate(trust, &trustResult); + if (error != errSecSuccess) { + fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); + return; + } + + OSStatus cssmResult = 0; + switch(trustResult) { + case kSecTrustResultUnspecified: + SWIFT_LOG(warning) << "Successful implicit validation. Result unspecified." << std::endl; + break; + case kSecTrustResultProceed: + SWIFT_LOG(warning) << "Validation resulted in explicitly trusted." << std::endl; + break; + case kSecTrustResultRecoverableTrustFailure: + SWIFT_LOG(warning) << "recoverable trust failure" << std::endl; + error = SecTrustGetCssmResultCode(trust, &cssmResult); + if (error == errSecSuccess) { + verificationError_ = CSSMErrorToVerificationError(cssmResult); + if (cssmResult == CSSMERR_TP_VERIFY_ACTION_FAILED || cssmResult == CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK ) { + // Find out the reason why the verification failed. + CFArrayRef certChain; + CSSM_TP_APPLE_EVIDENCE_INFO* statusChain; + error = SecTrustGetResult(trustRef.get(), &trustResult, &certChain, &statusChain); + if (error == errSecSuccess) { + boost::shared_ptr<CFArray> certChainRef = boost::shared_ptr<CFArray>(certChain, CFRelease); + for (CFIndex index = 0; index < CFArrayGetCount(certChainRef.get()); index++) { + for (CFIndex n = 0; n < statusChain[index].NumStatusCodes; n++) { + // Even though Secure Transport reported CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK on the whole certificate + // chain, the actual cause can be that a revocation check for a specific cert returned CSSMERR_TP_CERT_REVOKED. + if (!verificationError_ || verificationError_->getType() == CertificateVerificationError::RevocationCheckFailed) { + verificationError_ = CSSMErrorToVerificationError(statusChain[index].StatusCodes[n]); + } + } + } + } + else { + + } + } + } + else { + verificationError_ = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError); + } + break; + case kSecTrustResultOtherError: + verificationError_ = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError); + break; + default: + SWIFT_LOG(warning) << "Unhandled trust result " << trustResult << "." << std::endl; + break; + } + + // We proceed with the TLS handshake here to give the application an opportunity + // to apply custom validation and trust management. The application is responsible + // to call \ref getPeerCertificateVerificationError directly after the \ref onConnected + // signal is called and before any application data is send to the context. + processHandshake(); } #pragma clang diagnostic pop bool SecureTransportContext::setClientCertificate(CertificateWithKey::ref cert) { - CFArrayRef nativeClientChain = CreateClientCertificateChainAsCFArrayRef(cert); - if (nativeClientChain) { - clientCertificate_ = cert; - CFRelease(nativeClientChain); - return true; - } - else { - return false; - } + CFArrayRef nativeClientChain = CreateClientCertificateChainAsCFArrayRef(cert); + if (nativeClientChain) { + clientCertificate_ = cert; + CFRelease(nativeClientChain); + return true; + } + else { + return false; + } } void SecureTransportContext::handleDataFromNetwork(const SafeByteArray& data) { - SWIFT_LOG(debug) << std::endl; - SWIFT_LOG_ASSERT(state_ == HandshakeDone || state_ == Handshake, error) << "current state '" << stateToString(state_) << " invalid." << std::endl; - - append(readingBuffer_, data); - - size_t bytesRead = 0; - OSStatus error = noErr; - SafeByteArray applicationData; - - switch(state_) { - case None: - assert(false && "Invalid state 'None'."); - break; - case Handshake: - processHandshake(); - break; - case HandshakeDone: - while (error == noErr) { - applicationData.resize(readingBuffer_.size()); - error = SSLRead(sslContext_.get(), applicationData.data(), applicationData.size(), &bytesRead); - if (error == noErr) { - // Read successful. - } - else if (error == errSSLWouldBlock) { - // Secure Transport does not want more data. - break; - } - else { - SWIFT_LOG(error) << "SSLRead failed with error " << error << ", read bytes: " << bytesRead << "." << std::endl; - fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); - return; - } - - if (bytesRead > 0) { - applicationData.resize(bytesRead); - onDataForApplication(applicationData); - } - else { - break; - } - } - break; - case Error: - SWIFT_LOG(debug) << "Igoring received data in error state." << std::endl; - break; - } + SWIFT_LOG(debug) << std::endl; + SWIFT_LOG_ASSERT(state_ == HandshakeDone || state_ == Handshake, error) << "current state '" << stateToString(state_) << " invalid." << std::endl; + + append(readingBuffer_, data); + + size_t bytesRead = 0; + OSStatus error = noErr; + SafeByteArray applicationData; + + switch(state_) { + case None: + assert(false && "Invalid state 'None'."); + break; + case Handshake: + processHandshake(); + break; + case HandshakeDone: + while (error == noErr) { + applicationData.resize(readingBuffer_.size()); + error = SSLRead(sslContext_.get(), applicationData.data(), applicationData.size(), &bytesRead); + if (error == noErr) { + // Read successful. + } + else if (error == errSSLWouldBlock) { + // Secure Transport does not want more data. + break; + } + else { + SWIFT_LOG(error) << "SSLRead failed with error " << error << ", read bytes: " << bytesRead << "." << std::endl; + fatalError(boost::make_shared<TLSError>(), boost::make_shared<CertificateVerificationError>()); + return; + } + + if (bytesRead > 0) { + applicationData.resize(bytesRead); + onDataForApplication(applicationData); + } + else { + break; + } + } + break; + case Error: + SWIFT_LOG(debug) << "Igoring received data in error state." << std::endl; + break; + } } void SecureTransportContext::handleDataFromApplication(const SafeByteArray& data) { - size_t processedBytes = 0; - OSStatus error = SSLWrite(sslContext_.get(), data.data(), data.size(), &processedBytes); - switch(error) { - case errSSLWouldBlock: - SWIFT_LOG(warning) << "Unexpected because the write callback does not block." << std::endl; - return; - case errSSLClosedGraceful: - case noErr: - return; - default: - SWIFT_LOG(warning) << "SSLWrite returned error code: " << error << ", processed bytes: " << processedBytes << std::endl; - fatalError(boost::make_shared<TLSError>(), boost::shared_ptr<CertificateVerificationError>()); - } + size_t processedBytes = 0; + OSStatus error = SSLWrite(sslContext_.get(), data.data(), data.size(), &processedBytes); + switch(error) { + case errSSLWouldBlock: + SWIFT_LOG(warning) << "Unexpected because the write callback does not block." << std::endl; + return; + case errSSLClosedGraceful: + case noErr: + return; + default: + SWIFT_LOG(warning) << "SSLWrite returned error code: " << error << ", processed bytes: " << processedBytes << std::endl; + fatalError(boost::make_shared<TLSError>(), boost::shared_ptr<CertificateVerificationError>()); + } } std::vector<Certificate::ref> SecureTransportContext::getPeerCertificateChain() const { - std::vector<Certificate::ref> peerCertificateChain; - - if (sslContext_) { - typedef boost::remove_pointer<SecTrustRef>::type SecTrust; - boost::shared_ptr<SecTrust> securityTrust; - - SecTrustRef secTrust = NULL;; - OSStatus error = SSLCopyPeerTrust(sslContext_.get(), &secTrust); - if (error == noErr) { - securityTrust = boost::shared_ptr<SecTrust>(secTrust, CFRelease); - - CFIndex chainSize = SecTrustGetCertificateCount(securityTrust.get()); - for (CFIndex n = 0; n < chainSize; n++) { - SecCertificateRef certificate = SecTrustGetCertificateAtIndex(securityTrust.get(), n); - if (certificate) { - peerCertificateChain.push_back(boost::make_shared<SecureTransportCertificate>(certificate)); - } - } - } - else { - SWIFT_LOG(warning) << "Failed to obtain peer trust structure; error = " << error << "." << std::endl; - } - } - - return peerCertificateChain; + std::vector<Certificate::ref> peerCertificateChain; + + if (sslContext_) { + typedef boost::remove_pointer<SecTrustRef>::type SecTrust; + boost::shared_ptr<SecTrust> securityTrust; + + SecTrustRef secTrust = NULL;; + OSStatus error = SSLCopyPeerTrust(sslContext_.get(), &secTrust); + if (error == noErr) { + securityTrust = boost::shared_ptr<SecTrust>(secTrust, CFRelease); + + CFIndex chainSize = SecTrustGetCertificateCount(securityTrust.get()); + for (CFIndex n = 0; n < chainSize; n++) { + SecCertificateRef certificate = SecTrustGetCertificateAtIndex(securityTrust.get(), n); + if (certificate) { + peerCertificateChain.push_back(boost::make_shared<SecureTransportCertificate>(certificate)); + } + } + } + else { + SWIFT_LOG(warning) << "Failed to obtain peer trust structure; error = " << error << "." << std::endl; + } + } + + return peerCertificateChain; } CertificateVerificationError::ref SecureTransportContext::getPeerCertificateVerificationError() const { - return verificationError_; + return verificationError_; } ByteArray SecureTransportContext::getFinishMessage() const { - SWIFT_LOG(warning) << "Access to TLS handshake finish message is not part of OS X Secure Transport APIs." << std::endl; - return ByteArray(); + SWIFT_LOG(warning) << "Access to TLS handshake finish message is not part of OS X Secure Transport APIs." << std::endl; + return ByteArray(); } /** - * This I/O callback simulates an asynchronous read to the read buffer of the context. If it is empty, it returns errSSLWouldBlock; else + * This I/O callback simulates an asynchronous read to the read buffer of the context. If it is empty, it returns errSSLWouldBlock; else * the data within the buffer is returned. */ OSStatus SecureTransportContext::SSLSocketReadCallback(SSLConnectionRef connection, void *data, size_t *dataLength) { - SecureTransportContext* context = const_cast<SecureTransportContext*>(static_cast<const SecureTransportContext*>(connection)); - OSStatus retValue = noErr; - - if (context->readingBuffer_.size() < *dataLength) { - // Would block because Secure Transport is trying to read more data than there currently is available in the buffer. - *dataLength = 0; - retValue = errSSLWouldBlock; - } - else { - size_t bufferLen = *dataLength; - size_t copyToBuffer = bufferLen < context->readingBuffer_.size() ? bufferLen : context->readingBuffer_.size(); - - memcpy(data, context->readingBuffer_.data(), copyToBuffer); - - context->readingBuffer_ = SafeByteArray(context->readingBuffer_.data() + copyToBuffer, context->readingBuffer_.data() + context->readingBuffer_.size()); - *dataLength = copyToBuffer; - } - return retValue; + SecureTransportContext* context = const_cast<SecureTransportContext*>(static_cast<const SecureTransportContext*>(connection)); + OSStatus retValue = noErr; + + if (context->readingBuffer_.size() < *dataLength) { + // Would block because Secure Transport is trying to read more data than there currently is available in the buffer. + *dataLength = 0; + retValue = errSSLWouldBlock; + } + else { + size_t bufferLen = *dataLength; + size_t copyToBuffer = bufferLen < context->readingBuffer_.size() ? bufferLen : context->readingBuffer_.size(); + + memcpy(data, context->readingBuffer_.data(), copyToBuffer); + + context->readingBuffer_ = SafeByteArray(context->readingBuffer_.data() + copyToBuffer, context->readingBuffer_.data() + context->readingBuffer_.size()); + *dataLength = copyToBuffer; + } + return retValue; } OSStatus SecureTransportContext::SSLSocketWriteCallback(SSLConnectionRef connection, const void *data, size_t *dataLength) { - SecureTransportContext* context = const_cast<SecureTransportContext*>(static_cast<const SecureTransportContext*>(connection)); - OSStatus retValue = noErr; - - SafeByteArray safeData; - safeData.resize(*dataLength); - memcpy(safeData.data(), data, safeData.size()); - - context->onDataForNetwork(safeData); - return retValue; + SecureTransportContext* context = const_cast<SecureTransportContext*>(static_cast<const SecureTransportContext*>(connection)); + OSStatus retValue = noErr; + + SafeByteArray safeData; + safeData.resize(*dataLength); + memcpy(safeData.data(), data, safeData.size()); + + context->onDataForNetwork(safeData); + return retValue; } boost::shared_ptr<TLSError> SecureTransportContext::nativeToTLSError(OSStatus /* error */) { - boost::shared_ptr<TLSError> swiftenError; - swiftenError = boost::make_shared<TLSError>(); - return swiftenError; + boost::shared_ptr<TLSError> swiftenError; + swiftenError = boost::make_shared<TLSError>(); + return swiftenError; } boost::shared_ptr<CertificateVerificationError> SecureTransportContext::CSSMErrorToVerificationError(OSStatus resultCode) { - boost::shared_ptr<CertificateVerificationError> error; - switch(resultCode) { - case CSSMERR_TP_NOT_TRUSTED: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_NOT_TRUSTED" << std::endl; - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::Untrusted); - break; - case CSSMERR_TP_CERT_NOT_VALID_YET: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_NOT_VALID_YET" << std::endl; - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::NotYetValid); - break; - case CSSMERR_TP_CERT_EXPIRED: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_EXPIRED" << std::endl; - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::Expired); - break; - case CSSMERR_TP_CERT_REVOKED: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_REVOKED" << std::endl; - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::Revoked); - break; - case CSSMERR_TP_VERIFY_ACTION_FAILED: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_VERIFY_ACTION_FAILED" << std::endl; - break; - case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK" << std::endl; - if (checkCertificateRevocation_) { - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::RevocationCheckFailed); - } - break; - case CSSMERR_APPLETP_OCSP_UNAVAILABLE: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_OCSP_UNAVAILABLE" << std::endl; - if (checkCertificateRevocation_) { - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::RevocationCheckFailed); - } - break; - case CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE: - SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE" << std::endl; - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::InvalidPurpose); - break; - default: - SWIFT_LOG(warning) << "unhandled CSSM error: " << resultCode << ", CSSM_TP_BASE_TP_ERROR: " << CSSM_TP_BASE_TP_ERROR << std::endl; - error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError); - break; - } - return error; + boost::shared_ptr<CertificateVerificationError> error; + switch(resultCode) { + case CSSMERR_TP_NOT_TRUSTED: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_NOT_TRUSTED" << std::endl; + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::Untrusted); + break; + case CSSMERR_TP_CERT_NOT_VALID_YET: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_NOT_VALID_YET" << std::endl; + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::NotYetValid); + break; + case CSSMERR_TP_CERT_EXPIRED: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_EXPIRED" << std::endl; + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::Expired); + break; + case CSSMERR_TP_CERT_REVOKED: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_REVOKED" << std::endl; + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::Revoked); + break; + case CSSMERR_TP_VERIFY_ACTION_FAILED: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_VERIFY_ACTION_FAILED" << std::endl; + break; + case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK" << std::endl; + if (checkCertificateRevocation_) { + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::RevocationCheckFailed); + } + break; + case CSSMERR_APPLETP_OCSP_UNAVAILABLE: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_OCSP_UNAVAILABLE" << std::endl; + if (checkCertificateRevocation_) { + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::RevocationCheckFailed); + } + break; + case CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE: + SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE" << std::endl; + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::InvalidPurpose); + break; + default: + SWIFT_LOG(warning) << "unhandled CSSM error: " << resultCode << ", CSSM_TP_BASE_TP_ERROR: " << CSSM_TP_BASE_TP_ERROR << std::endl; + error = boost::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError); + break; + } + return error; } void SecureTransportContext::fatalError(boost::shared_ptr<TLSError> error, boost::shared_ptr<CertificateVerificationError> certificateError) { - setState(Error); - if (sslContext_) { - SSLClose(sslContext_.get()); - } - verificationError_ = certificateError; - onError(error); + setState(Error); + if (sslContext_) { + SSLClose(sslContext_.get()); + } + verificationError_ = certificateError; + onError(error); } } diff --git a/Swiften/TLS/SecureTransport/SecureTransportContextFactory.cpp b/Swiften/TLS/SecureTransport/SecureTransportContextFactory.cpp index ce19839..1fac1fb 100644 --- a/Swiften/TLS/SecureTransport/SecureTransportContextFactory.cpp +++ b/Swiften/TLS/SecureTransport/SecureTransportContextFactory.cpp @@ -23,22 +23,22 @@ SecureTransportContextFactory::~SecureTransportContextFactory() { } bool SecureTransportContextFactory::canCreate() const { - return true; + return true; } TLSContext* SecureTransportContextFactory::createTLSContext(const TLSOptions& /* tlsOptions */) { - return new SecureTransportContext(checkCertificateRevocation_); + return new SecureTransportContext(checkCertificateRevocation_); } void SecureTransportContextFactory::setCheckCertificateRevocation(bool b) { - checkCertificateRevocation_ = b; + checkCertificateRevocation_ = b; } void SecureTransportContextFactory::setDisconnectOnCardRemoval(bool b) { - disconnectOnCardRemoval_ = b; - if (disconnectOnCardRemoval_) { - SWIFT_LOG(warning) << "Smart cards have not been tested yet" << std::endl; - } + disconnectOnCardRemoval_ = b; + if (disconnectOnCardRemoval_) { + SWIFT_LOG(warning) << "Smart cards have not been tested yet" << std::endl; + } } } diff --git a/Swiften/TLS/SecureTransport/SecureTransportContextFactory.h b/Swiften/TLS/SecureTransport/SecureTransportContextFactory.h index f490768..74c598f 100644 --- a/Swiften/TLS/SecureTransport/SecureTransportContextFactory.h +++ b/Swiften/TLS/SecureTransport/SecureTransportContextFactory.h @@ -11,19 +11,19 @@ namespace Swift { class SecureTransportContextFactory : public TLSContextFactory { - public: - SecureTransportContextFactory(); - virtual ~SecureTransportContextFactory(); + public: + SecureTransportContextFactory(); + virtual ~SecureTransportContextFactory(); - virtual bool canCreate() const; + virtual bool canCreate() const; - virtual TLSContext* createTLSContext(const TLSOptions& tlsOptions); - virtual void setCheckCertificateRevocation(bool b); - virtual void setDisconnectOnCardRemoval(bool b); + virtual TLSContext* createTLSContext(const TLSOptions& tlsOptions); + virtual void setCheckCertificateRevocation(bool b); + virtual void setDisconnectOnCardRemoval(bool b); - private: - bool checkCertificateRevocation_; - bool disconnectOnCardRemoval_; + private: + bool checkCertificateRevocation_; + bool disconnectOnCardRemoval_; }; } |