summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNick Hudson <nick.hudson@isode.com>2013-09-23 14:28:16 (GMT)
committerNick Hudson <nick.hudson@isode.com>2013-09-23 15:20:42 (GMT)
commit9a8a9267bd3a7c959ee026dcd2e20a569a8cdfc7 (patch)
treecd8b92749bad36b7f46d5733341f1ac28575aa6b /Swiften/TLS
parent9399f2bdad72aa6d14620277cbef5b136d47d8a3 (diff)
downloadswift-9a8a9267bd3a7c959ee026dcd2e20a569a8cdfc7.zip
swift-9a8a9267bd3a7c959ee026dcd2e20a569a8cdfc7.tar.bz2
Don't crash if server doesn't send cert in TLS handshake
This patch reflects a change to Stroke, which is described as follows: If a TLS connection results in the server choosing an anonymous cipher suite, then no server certificate will be returned by the server. This ought not to happen, since XMPP clients are expected only to propose non-anonymous cipher suites, but it could be that a client is coded to propose anonymous suites, or that a bug in the server means that it fails to return a server certificate. This change updates the ServerIdentityVerifier to make it resilient against these situations, treating this situation as equivalent to "certificate presented by server does not verify". Test-information: Tested in Stroke. Untested in Swiften Change-Id: Iec815b09b6be675edad1d479d1a0a9d6b0b91bf3
Diffstat (limited to 'Swiften/TLS')
-rw-r--r--Swiften/TLS/ServerIdentityVerifier.cpp3
1 files changed, 3 insertions, 0 deletions
diff --git a/Swiften/TLS/ServerIdentityVerifier.cpp b/Swiften/TLS/ServerIdentityVerifier.cpp
index cc6e68a..02459b9 100644
--- a/Swiften/TLS/ServerIdentityVerifier.cpp
+++ b/Swiften/TLS/ServerIdentityVerifier.cpp
@@ -21,6 +21,9 @@ ServerIdentityVerifier::ServerIdentityVerifier(const JID& jid, IDNConverter* idn
bool ServerIdentityVerifier::certificateVerifies(Certificate::ref certificate) {
bool hasSAN = false;
+ if (certificate == NULL) {
+ return false;
+ }
// DNS names
std::vector<std::string> dnsNames = certificate->getDNSNames();
foreach (const std::string& dnsName, dnsNames) {