-rw-r--r--Swift/Controllers/Storages/CertificateStorageTrustChecker.h2
-rw-r--r--Swiften/Client/ClientSession.cpp11
-rw-r--r--Swiften/Client/ClientSession.h2
-rw-r--r--Swiften/TLS/BlindCertificateTrustChecker.h2
-rw-r--r--Swiften/TLS/CertificateTrustChecker.h8
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.cpp10
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.h1
-rw-r--r--Swiften/TLS/Schannel/SchannelContext.cpp8
-rw-r--r--Swiften/TLS/Schannel/SchannelContext.h1
-rw-r--r--Swiften/TLS/TLSContext.cpp5
-rw-r--r--Swiften/TLS/TLSContext.h2
11 files changed, 18 insertions, 34 deletions
diff --git a/Swift/Controllers/Storages/CertificateStorageTrustChecker.h b/Swift/Controllers/Storages/CertificateStorageTrustChecker.h
index a73590a..df15575 100644
--- a/Swift/Controllers/Storages/CertificateStorageTrustChecker.h
+++ b/Swift/Controllers/Storages/CertificateStorageTrustChecker.h
@@ -18,7 +18,7 @@ namespace Swift {
CertificateStorageTrustChecker(CertificateStorage* storage) : storage(storage) {
}
- virtual bool isCertificateTrusted(Certificate::ref, const std::vector<Certificate::ref>& certificateChain) {
+ virtual bool isCertificateTrusted(const std::vector<Certificate::ref>& certificateChain) {
lastCertificateChain = std::vector<Certificate::ref>(certificateChain.begin(), certificateChain.end());
return certificateChain.empty() ? false : storage->hasCertificate(certificateChain[0]);
}
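Review bot: The assignment to lastCertificateChain rebuilds the vector from an iterator range where plain copy-assignment does the same thing; `lastCertificateChain = certificateChain;` reads more directly. The empty-chain guard on the return line is the right fail-closed choice, since the trust decision is keyed off `certificateChain[0]` alone, but nothing in this class says why index 0 is the one that matters; a one-line comment would make the dependency on the new base-class contract explicit: `// By contract the subject certificate is element 0; an empty chain is never trusted.`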
diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp
index c2dc3ae..7e1f517 100644
--- a/Swiften/Client/ClientSession.cpp
+++ b/Swiften/Client/ClientSession.cpp
@@ -370,25 +370,24 @@ void ClientSession::sendCredentials(const SafeByteArray& password) {
void ClientSession::handleTLSEncrypted() {
checkState(Encrypting);
- Certificate::ref certificate = stream->getPeerCertificate();
std::vector<Certificate::ref> certificateChain = stream->getPeerCertificateChain();
boost::shared_ptr<CertificateVerificationError> verificationError = stream->getPeerCertificateVerificationError();
if (verificationError) {
- checkTrustOrFinish(certificate, certificateChain, verificationError);
+ checkTrustOrFinish(certificateChain, verificationError);
}
else {
ServerIdentityVerifier identityVerifier(localJID);
- if (identityVerifier.certificateVerifies(certificate)) {
+ if (!certificateChain.empty() && identityVerifier.certificateVerifies(certificateChain[0])) {
continueAfterTLSEncrypted();
}
else {
- checkTrustOrFinish(certificate, certificateChain, boost::make_shared<CertificateVerificationError>(CertificateVerificationError::InvalidServerIdentity));
+ checkTrustOrFinish(certificateChain, boost::make_shared<CertificateVerificationError>(CertificateVerificationError::InvalidServerIdentity));
}
}
}
-void ClientSession::checkTrustOrFinish(Certificate::ref certificate, const std::vector<Certificate::ref>& certificateChain, boost::shared_ptr<CertificateVerificationError> error) {
- if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificate, certificateChain)) {
+void ClientSession::checkTrustOrFinish(const std::vector<Certificate::ref>& certificateChain, boost::shared_ptr<CertificateVerificationError> error) {
+ if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificateChain)) {
continueAfterTLSEncrypted();
}
else {
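Review bot: In handleTLSEncrypted an empty certificate chain with no verification error now reaches checkTrustOrFinish with InvalidServerIdentity (the line with `!certificateChain.empty() &&`), which is a sensible fail-closed default but conflates "no peer certificate was obtained" with "name does not match localJID". A comment on that branch would record the intent: `// No subject certificate to verify against localJID: treat as an identity failure and defer to the trust checker.` checkTrustOrFinish itself does not test for an empty chain, so every CertificateTrustChecker implementation is relied on to handle `certificateChain.empty()`; that expectation is worth stating in its declaration comment. checkTrustOrFinish's body continues outside the hunk.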
diff --git a/Swiften/Client/ClientSession.h b/Swiften/Client/ClientSession.h
index 9c4b980..66a90ed 100644
--- a/Swiften/Client/ClientSession.h
+++ b/Swiften/Client/ClientSession.h
@@ -154,7 +154,7 @@ namespace Swift {
void handleStanzaAcked(boost::shared_ptr<Stanza> stanza);
void ack(unsigned int handledStanzasCount);
void continueAfterTLSEncrypted();
- void checkTrustOrFinish(Certificate::ref certificate, const std::vector<Certificate::ref>& certificateChain, boost::shared_ptr<CertificateVerificationError> error);
+ void checkTrustOrFinish(const std::vector<Certificate::ref>& certificateChain, boost::shared_ptr<CertificateVerificationError> error);
private:
JID localJID;
diff --git a/Swiften/TLS/BlindCertificateTrustChecker.h b/Swiften/TLS/BlindCertificateTrustChecker.h
index 9ed7ff2..d91ec25 100644
--- a/Swiften/TLS/BlindCertificateTrustChecker.h
+++ b/Swiften/TLS/BlindCertificateTrustChecker.h
@@ -19,7 +19,7 @@ namespace Swift {
*/
class BlindCertificateTrustChecker : public CertificateTrustChecker {
public:
- virtual bool isCertificateTrusted(Certificate::ref, const std::vector<Certificate::ref>&) {
+ virtual bool isCertificateTrusted(const std::vector<Certificate::ref>&) {
return true;
}
};
diff --git a/Swiften/TLS/CertificateTrustChecker.h b/Swiften/TLS/CertificateTrustChecker.h
index 91cc530..2ba6b40 100644
--- a/Swiften/TLS/CertificateTrustChecker.h
+++ b/Swiften/TLS/CertificateTrustChecker.h
@@ -21,13 +21,13 @@ namespace Swift {
virtual ~CertificateTrustChecker();
/**
- * This method is called to find out whether a certificate is
+ * This method is called to find out whether a certificate (chain) is
* trusted. This usually happens when a certificate's validation
* fails, to check whether to proceed with the connection or not.
*
- * certificateChain contains the chain of certificates, if available.
- * This chain includes certificate.
+ * certificateChain contains the chain of certificates. The first certificate
+ * is the subject certificate.
*/
- virtual bool isCertificateTrusted(Certificate::ref certificate, const std::vector<Certificate::ref>& certificateChain) = 0;
+ virtual bool isCertificateTrusted(const std::vector<Certificate::ref>& certificateChain) = 0;
};
}
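Review bot: The updated contract says the first element is the subject certificate but does not say whether certificateChain can be empty, even though ClientSession::handleTLSEncrypted guards `certificateChain.empty()` before touching element 0 and then still hands the empty chain to the trust checker. Add to the doc comment: `* certificateChain may be empty if no peer certificate was obtained; implementations must handle this and should not report trust in that case unless that is their explicit policy.` This also documents what BlindCertificateTrustChecker's unconditional `return true` means when no certificate is present at all.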
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 58a8d05..2364c2e 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -232,16 +232,6 @@ bool OpenSSLContext::setClientCertificate(CertificateWithKey::ref certificate) {
return true;
}
-Certificate::ref OpenSSLContext::getPeerCertificate() const {
- boost::shared_ptr<X509> x509Cert(SSL_get_peer_certificate(handle_), X509_free);
- if (x509Cert) {
- return boost::make_shared<OpenSSLCertificate>(x509Cert);
- }
- else {
- return Certificate::ref();
- }
-}
-
std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const {
std::vector<Certificate::ref> result;
STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_);
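Review bot: With the OpenSSL-specific getPeerCertificate() removed, the peer certificate is now whatever getPeerCertificateChain() places at index 0, and the surviving implementation reads `SSL_get_peer_cert_chain(handle_)`. OpenSSL documents that this stack includes the peer's own certificate only when called on the client side; on the server side the peer certificate is not part of it and must be fetched separately with SSL_get_peer_certificate(). The chain-building loop lies outside this hunk, so I cannot confirm how the stack is copied, but a comment above the call would pin the assumption the base-class default now relies on: `// Client side only: SSL_get_peer_cert_chain() places the peer's own certificate at index 0, which TLSContext::getPeerCertificate() depends on.` The same assumption applies to the SchannelContext hunk, whose removed implementation queried SECPKG_ATTR_REMOTE_CERT_CONTEXT directly and whose remaining chain code is likewise outside the hunk.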
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index cee4f79..d4327ca 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
@@ -27,7 +27,6 @@ namespace Swift {
void handleDataFromNetwork(const SafeByteArray&);
void handleDataFromApplication(const SafeByteArray&);
- Certificate::ref getPeerCertificate() const;
std::vector<Certificate::ref> getPeerCertificateChain() const;
boost::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const;
diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp
index 997d760..b4b2843 100644
--- a/Swiften/TLS/Schannel/SchannelContext.cpp
+++ b/Swiften/TLS/Schannel/SchannelContext.cpp
@@ -625,14 +625,6 @@ void SchannelContext::handleCertificateCardRemoved() {
//------------------------------------------------------------------------
-Certificate::ref SchannelContext::getPeerCertificate() const {
- ScopedCertContext pServerCert;
- SECURITY_STATUS status = QueryContextAttributes(m_ctxtHandle, SECPKG_ATTR_REMOTE_CERT_CONTEXT, pServerCert.Reset());
- return status == SEC_E_OK ? boost::make_shared<SchannelCertificate>(pServerCert) : SchannelCertificate::ref();
-}
-
-//------------------------------------------------------------------------
-
std::vector<Certificate::ref> SchannelContext::getPeerCertificateChain() const {
std::vector<Certificate::ref> certificateChain;
ScopedCertContext pServerCert;
diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h
index 2d65a8a..8603498 100644
--- a/Swiften/TLS/Schannel/SchannelContext.h
+++ b/Swiften/TLS/Schannel/SchannelContext.h
@@ -50,7 +50,6 @@ namespace Swift
virtual void handleDataFromNetwork(const SafeByteArray& data);
virtual void handleDataFromApplication(const SafeByteArray& data);
- virtual Certificate::ref getPeerCertificate() const;
virtual std::vector<Certificate::ref> getPeerCertificateChain() const;
virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const;
diff --git a/Swiften/TLS/TLSContext.cpp b/Swiften/TLS/TLSContext.cpp
index 026ae70..d461d91 100644
--- a/Swiften/TLS/TLSContext.cpp
+++ b/Swiften/TLS/TLSContext.cpp
@@ -11,4 +11,9 @@ namespace Swift {
TLSContext::~TLSContext() {
}
+Certificate::ref TLSContext::getPeerCertificate() const {
+ std::vector<Certificate::ref> chain = getPeerCertificateChain();
+ return chain.empty() ? Certificate::ref() : chain[0];
+}
+
}
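Review bot: TLSContext::getPeerCertificate() carries no comment saying why index 0 is the peer certificate, yet its equivalence with the removed backend-specific implementations rests entirely on that ordering. Suggest above the definition: `// Convenience accessor: by contract the subject certificate is the first element of getPeerCertificateChain(); returns a null ref when no peer certificate is available.` It also copies the whole chain vector to return one element, which is fine outside a hot path but worth a word so nobody later assumes it is cheap; `const std::vector<Certificate::ref> chain = ...` would additionally make the read-only use obvious.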
diff --git a/Swiften/TLS/TLSContext.h b/Swiften/TLS/TLSContext.h
index 388f8ee..5fee021 100644
--- a/Swiften/TLS/TLSContext.h
+++ b/Swiften/TLS/TLSContext.h
@@ -28,7 +28,7 @@ namespace Swift {
virtual void handleDataFromNetwork(const SafeByteArray&) = 0;
virtual void handleDataFromApplication(const SafeByteArray&) = 0;
- virtual Certificate::ref getPeerCertificate() const = 0;
+ Certificate::ref getPeerCertificate() const;
virtual std::vector<Certificate::ref> getPeerCertificateChain() const = 0;
virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const = 0;