Swift
summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Swiften/TLS/ServerIdentityVerifier.cpp6
-rw-r--r--Swiften/TLS/ServerIdentityVerifier.h3
-rw-r--r--Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp20
3 files changed, 26 insertions, 3 deletions
diff --git a/Swiften/TLS/ServerIdentityVerifier.cpp b/Swiften/TLS/ServerIdentityVerifier.cpp
index 226e94b..da116e5 100644
--- a/Swiften/TLS/ServerIdentityVerifier.cpp
+++ b/Swiften/TLS/ServerIdentityVerifier.cpp
@@ -12,7 +12,7 @@
12 12
13namespace Swift { 13namespace Swift {
14 14
15ServerIdentityVerifier::ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter) : domainValid(false) { 15ServerIdentityVerifier::ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter, bool checkServer) : domainValid(false), checkServer_(checkServer) {
16 domain = jid.getDomain(); 16 domain = jid.getDomain();
17 boost::optional<std::string> domainResult = idnConverter->getIDNAEncoded(domain); 17 boost::optional<std::string> domainResult = idnConverter->getIDNAEncoded(domain);
18 if (!!domainResult) { 18 if (!!domainResult) {
@@ -36,12 +36,14 @@ bool ServerIdentityVerifier::certificateVerifies(Certificate::ref certificate) {
36 } 36 }
37 hasSAN |= !dnsNames.empty(); 37 hasSAN |= !dnsNames.empty();
38 38
39 std::string prefix = (checkServer_) ? "_xmpp-server." : "_xmpp-client.";
40
39 // SRV names 41 // SRV names
40 std::vector<std::string> srvNames = certificate->getSRVNames(); 42 std::vector<std::string> srvNames = certificate->getSRVNames();
41 for (const auto& srvName : srvNames) { 43 for (const auto& srvName : srvNames) {
42 // Only match SRV names that begin with the service; this isn't required per 44 // Only match SRV names that begin with the service; this isn't required per
43 // spec, but we're being purist about this. 45 // spec, but we're being purist about this.
44 if (boost::starts_with(srvName, "_xmpp-client.") && matchesDomain(srvName.substr(std::string("_xmpp-client.").size(), srvName.npos))) { 46 if (boost::starts_with(srvName, prefix) && matchesDomain(srvName.substr(prefix.size(), srvName.npos))) {
45 return true; 47 return true;
46 } 48 }
47 } 49 }
diff --git a/Swiften/TLS/ServerIdentityVerifier.h b/Swiften/TLS/ServerIdentityVerifier.h
index f40c683..f2cf46f 100644
--- a/Swiften/TLS/ServerIdentityVerifier.h
+++ b/Swiften/TLS/ServerIdentityVerifier.h
@@ -18,7 +18,7 @@ namespace Swift {
18 18
19 class SWIFTEN_API ServerIdentityVerifier { 19 class SWIFTEN_API ServerIdentityVerifier {
20 public: 20 public:
21 ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter); 21 ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter, bool checkServer=false);
22 22
23 bool certificateVerifies(Certificate::ref); 23 bool certificateVerifies(Certificate::ref);
24 24
@@ -30,5 +30,6 @@ namespace Swift {
30 std::string domain; 30 std::string domain;
31 std::string encodedDomain; 31 std::string encodedDomain;
32 bool domainValid; 32 bool domainValid;
33 bool checkServer_;
33 }; 34 };
34} 35}
diff --git a/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp b/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp
index 30fe423..7379b69 100644
--- a/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp
+++ b/Swiften/TLS/UnitTest/ServerIdentityVerifierTest.cpp
@@ -35,6 +35,8 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture {
35 CPPUNIT_TEST(testCertificateVerifies_WithMatchingInternationalXmppAddr); 35 CPPUNIT_TEST(testCertificateVerifies_WithMatchingInternationalXmppAddr);
36 CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithoutSAN); 36 CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithoutSAN);
37 CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithSAN); 37 CPPUNIT_TEST(testCertificateVerifies_WithMatchingCNWithSAN);
38 CPPUNIT_TEST(testCertificateVerifies_WithMatchingSRVNameWithServerExpected);
39 CPPUNIT_TEST(testCertificateVerifies_WithMatchingSRVNameWithClientUnexpected);
38 CPPUNIT_TEST_SUITE_END(); 40 CPPUNIT_TEST_SUITE_END();
39 41
40 public: 42 public:
@@ -131,6 +133,24 @@ class ServerIdentityVerifierTest : public CppUnit::TestFixture {
131 CPPUNIT_ASSERT(!testling.certificateVerifies(certificate)); 133 CPPUNIT_ASSERT(!testling.certificateVerifies(certificate));
132 } 134 }
133 135
136 void testCertificateVerifies_WithMatchingSRVNameWithServerExpected() {
137 // Server-mode test which gets cert with "xmpp-server" SRV name
138 ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get(), true);
139 SimpleCertificate::ref certificate(new SimpleCertificate());
140 certificate->addSRVName("_xmpp-server.bar.com");
141
142 CPPUNIT_ASSERT(testling.certificateVerifies(certificate));
143 }
144
145 void testCertificateVerifies_WithMatchingSRVNameWithClientUnexpected() {
146 // Server-mode test which gets cert with "xmpp-client" SRV name
147 ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get(), true);
148 SimpleCertificate::ref certificate(new SimpleCertificate());
149 certificate->addSRVName("_xmpp-client.bar.com");
150
151 CPPUNIT_ASSERT(!testling.certificateVerifies(certificate));
152 }
153
134 void testCertificateVerifies_WithMatchingXmppAddr() { 154 void testCertificateVerifies_WithMatchingXmppAddr() {
135 ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get()); 155 ServerIdentityVerifier testling(JID("foo@bar.com/baz"), idnConverter.get());
136 SimpleCertificate::ref certificate(new SimpleCertificate()); 156 SimpleCertificate::ref certificate(new SimpleCertificate());