* All rights reserved.

* See the COPYING file for more information.

*/

#pragma once

#include <memory>

#include <Swiften/Base/API.h>

#include <Swiften/Base/SafeString.h>

#include <Swiften/Base/URL.h>

#include <Swiften/TLS/TLSOptions.h>

namespace Swift {

class HTTPTrafficFilter;

struct SWIFTEN_API ClientOptions {

enum UseTLS {

NeverUseTLS,

UseTLSWhenAvailable,

RequireTLS

};

enum ProxyType {

NoProxy,

SystemConfiguredProxy,

SOCKS5Proxy,

HTTPConnectProxy

};

}

/**

* Whether ZLib stream compression should be used when available.

*

* Default: true

*/

/**

* Sets whether TLS encryption should be used.

*

* Default: UseTLSWhenAvailable

*/

/**

* Sets whether plaintext authentication is

* allowed over non-TLS-encrypted connections.

*

* Default: false

*/

/**

* Use XEP-196 stream resumption when available.

*

* Default: false

*/

/**

* Forget the password once it's used.

* This makes the Client useless after the first login attempt.

*

* FIXME: This is a temporary workaround.

*

* Default: false

*/

/**

* Use XEP-0198 acks in the stream when available.

* Default: true

*/

/**

* Use Single Sign On.

* Default: false

*/

/**

* The hostname to connect to.

* Leave this empty for standard XMPP connection, based on the JID domain.

*/

/**

* The port to connect to.

* Leave this to -1 to use the port discovered by SRV lookups, and 5222 as a

* fallback.

*/

/**

* The type of proxy to use for connecting to the XMPP

* server.

*/

/**

* Override the system-configured proxy hostname.

*/

/**

* Override the system-configured proxy port.

*/

/**

* If non-empty, use BOSH instead of direct TCP, with the given URL.

* Default: empty (no BOSH)

*/

/**

* If non-empty, BOSH connections will try to connect over this HTTP CONNECT

* proxy instead of directly.

* Default: empty (no proxy)

*/

/**

* If this and matching Password are non-empty, BOSH connections over

* HTTP CONNECT proxies will use these credentials for proxy access.

* Default: empty (no authentication needed by the proxy)

*/

/**

* This can be initialized with a custom HTTPTrafficFilter, which allows HTTP CONNECT

* proxy initialization to be customized.

*/

std::shared_ptr<HTTPTrafficFilter> httpTrafficFilter;

/**

* Options passed to the TLS stack

*/

TLSOptions tlsOptions;

};

}

/*

* Copyright (c) 2010-2016 Isode Limited.

* All rights reserved.

* See the COPYING file for more information.

*/

#include <Swiften/Client/ClientSession.h>

#include <boost/bind.hpp>

#include <boost/uuid/uuid.hpp>

#include <boost/uuid/uuid_io.hpp>

#include <boost/uuid/uuid_generators.hpp>

#include <Swiften/Base/Log.h>

#include <Swiften/Elements/AuthChallenge.h>

#include <Swiften/Elements/AuthResponse.h>

#include <Swiften/Elements/CompressFailure.h>

#include <Swiften/Elements/CompressRequest.h>

#include <Swiften/Elements/EnableStreamManagement.h>

#include <Swiften/Elements/IQ.h>

#include <Swiften/Elements/ResourceBind.h>

#include <Swiften/SASL/EXTERNALClientAuthenticator.h>

#include <Swiften/SASL/SCRAMSHA1ClientAuthenticator.h>

#include <Swiften/Session/SessionStream.h>

#include <Swiften/TLS/CertificateTrustChecker.h>

#include <Swiften/TLS/ServerIdentityVerifier.h>

#ifdef SWIFTEN_PLATFORM_WIN32

#include <Swiften/Base/WindowsRegistry.h>

#include <Swiften/SASL/WindowsGSSAPIClientAuthenticator.h>

#endif

#define CHECK_STATE_OR_RETURN(a) \

if (!checkState(a)) { return; }

namespace Swift {

ClientSession::ClientSession(

const JID& jid,

std::shared_ptr<SessionStream> stream,

IDNConverter* idnConverter,

localJID(jid),

stream(stream),

idnConverter(idnConverter),

crypto(crypto),

allowPLAINOverNonTLS(false),

useStreamCompression(true),

useTLS(UseTLSWhenAvailable),

useAcks(true),

needSessionStart(false),

needResourceBind(false),

needAcking(false),

rosterVersioningSupported(false),

authenticator(nullptr),

certificateTrustChecker(nullptr),

singleSignOn(false),

authenticationPort(-1) {

#ifdef SWIFTEN_PLATFORM_WIN32

if (WindowsRegistry::isFIPSEnabled()) {

SWIFT_LOG(info) << "Windows is running in FIPS-140 mode. Some authentication methods will be unavailable." << std::endl;

}

#endif

}

ClientSession::~ClientSession() {

}

void ClientSession::start() {

stream->onStreamStartReceived.connect(boost::bind(&ClientSession::handleStreamStart, shared_from_this(), _1));

stream->onElementReceived.connect(boost::bind(&ClientSession::handleElement, shared_from_this(), _1));

stream->onClosed.connect(boost::bind(&ClientSession::handleStreamClosed, shared_from_this(), _1));

stream->onTLSEncrypted.connect(boost::bind(&ClientSession::handleTLSEncrypted, shared_from_this()));

sendStreamHeader();

}

void ClientSession::sendStreamHeader() {

ProtocolHeader header;

header.setTo(getRemoteJID());

stream->writeHeader(header);

}

void ClientSession::sendStanza(std::shared_ptr<Stanza> stanza) {

stream->writeElement(stanza);

if (stanzaAckRequester_) {

stanzaAckRequester_->handleStanzaSent(stanza);

}

}

void ClientSession::handleStreamStart(const ProtocolHeader&) {

}

void ClientSession::handleElement(std::shared_ptr<ToplevelElement> element) {

if (std::shared_ptr<Stanza> stanza = std::dynamic_pointer_cast<Stanza>(element)) {

if (stanzaAckResponder_) {

stanzaAckResponder_->handleStanzaReceived();

}

onStanzaReceived(stanza);

}

else if (std::shared_ptr<IQ> iq = std::dynamic_pointer_cast<IQ>(element)) {

std::shared_ptr<ResourceBind> resourceBind(iq->getPayload<ResourceBind>());

if (iq->getType() == IQ::Error && iq->getID() == "session-bind") {

finishSession(Error::ResourceBindError);

}

else if (!resourceBind) {

finishSession(Error::UnexpectedElementError);

}

else if (iq->getType() == IQ::Result) {

localJID = resourceBind->getJID();

if (!localJID.isValid()) {

finishSession(Error::ResourceBindError);

}

needResourceBind = false;

continueSessionInitialization();

}

else {

finishSession(Error::UnexpectedElementError);

}

}

if (iq->getType() == IQ::Result) {

needSessionStart = false;

continueSessionInitialization();

}

else if (iq->getType() == IQ::Error) {

finishSession(Error::SessionStartError);

}

else {

finishSession(Error::UnexpectedElementError);

}

}

else {

finishSession(Error::UnexpectedElementError);

}

}

}

else if (std::dynamic_pointer_cast<StanzaAckRequest>(element)) {

if (stanzaAckResponder_) {

stanzaAckResponder_->handleAckRequestReceived();

}

}

else if (std::shared_ptr<StanzaAck> ack = std::dynamic_pointer_cast<StanzaAck>(element)) {

if (stanzaAckRequester_) {

if (ack->isValid()) {

stanzaAckRequester_->handleAckReceived(ack->getHandledStanzasCount());

}

else {

SWIFT_LOG(warning) << "Got invalid ack from server";

}

}

else {

SWIFT_LOG(warning) << "Ignoring ack";

}

}

else if (StreamError::ref streamError = std::dynamic_pointer_cast<StreamError>(element)) {

finishSession(Error::StreamError);

}

std::shared_ptr<Stanza> stanza = std::dynamic_pointer_cast<Stanza>(element);

if (stanza) {

if (stanzaAckResponder_) {

stanzaAckResponder_->handleStanzaReceived();

}

onStanzaReceived(stanza);

}

}

else if (StreamFeatures* streamFeatures = dynamic_cast<StreamFeatures*>(element.get())) {

if (streamFeatures->hasStartTLS() && stream->supportsTLSEncryption() && useTLS != NeverUseTLS) {

stream->writeElement(std::make_shared<StartTLSRequest>());

}

else if (useTLS == RequireTLS && !stream->isTLSEncrypted()) {

finishSession(Error::NoSupportedAuthMechanismsError);

}

else if (useStreamCompression && stream->supportsZLibCompression() && streamFeatures->hasCompressionMethod("zlib")) {

stream->writeElement(std::make_shared<CompressRequest>("zlib"));

}

else if (streamFeatures->hasAuthenticationMechanisms()) {

#ifdef SWIFTEN_PLATFORM_WIN32

if (singleSignOn) {

const boost::optional<std::string> authenticationHostname = streamFeatures->getAuthenticationHostname();

bool gssapiSupported = streamFeatures->hasAuthenticationMechanism("GSSAPI") && authenticationHostname && !authenticationHostname->empty();

if (!gssapiSupported) {

finishSession(Error::NoSupportedAuthMechanismsError);

}

else {

WindowsGSSAPIClientAuthenticator* gssapiAuthenticator = new WindowsGSSAPIClientAuthenticator(*authenticationHostname, localJID.getDomain(), authenticationPort);

std::shared_ptr<Error> error = std::make_shared<Error>(Error::AuthenticationFailedError);

authenticator = gssapiAuthenticator;

if (!gssapiAuthenticator->isError()) {

stream->writeElement(std::make_shared<AuthRequest>(authenticator->getName(), authenticator->getResponse()));

}

else {

error->errorCode = gssapiAuthenticator->getErrorCode();

finishSession(error);

}

}

}

else

#endif

if (stream->hasTLSCertificate()) {

if (streamFeatures->hasAuthenticationMechanism("EXTERNAL")) {

authenticator = new EXTERNALClientAuthenticator();

stream->writeElement(std::make_shared<AuthRequest>("EXTERNAL", createSafeByteArray("")));

}

else {

finishSession(Error::TLSClientCertificateError);

}

}

else if (streamFeatures->hasAuthenticationMechanism("EXTERNAL")) {

authenticator = new EXTERNALClientAuthenticator();

stream->writeElement(std::make_shared<AuthRequest>("EXTERNAL", createSafeByteArray("")));

}

else if (streamFeatures->hasAuthenticationMechanism("SCRAM-SHA-1") || streamFeatures->hasAuthenticationMechanism("SCRAM-SHA-1-PLUS")) {

std::ostringstream s;

ByteArray finishMessage;

bool plus = streamFeatures->hasAuthenticationMechanism("SCRAM-SHA-1-PLUS");

if (stream->isTLSEncrypted()) {

finishMessage = stream->getTLSFinishMessage();

plus &= !finishMessage.empty();

}

s << boost::uuids::random_generator()();

SCRAMSHA1ClientAuthenticator* scramAuthenticator = new SCRAMSHA1ClientAuthenticator(s.str(), plus, idnConverter, crypto);

if (!finishMessage.empty()) {

scramAuthenticator->setTLSChannelBindingData(finishMessage);

}

authenticator = scramAuthenticator;

onNeedCredentials();

}

else if ((stream->isTLSEncrypted() || allowPLAINOverNonTLS) && streamFeatures->hasAuthenticationMechanism("PLAIN")) {

authenticator = new PLAINClientAuthenticator();

onNeedCredentials();

}

else if (streamFeatures->hasAuthenticationMechanism("DIGEST-MD5") && crypto->isMD5AllowedForCrypto()) {

std::ostringstream s;

s << boost::uuids::random_generator()();

// FIXME: Host should probably be the actual host

authenticator = new DIGESTMD5ClientAuthenticator(localJID.getDomain(), s.str(), crypto);

onNeedCredentials();

}

else {

finishSession(Error::NoSupportedAuthMechanismsError);

}

}

else {

// Start the session

rosterVersioningSupported = streamFeatures->hasRosterVersioning();

stream->setWhitespacePingEnabled(true);

needSessionStart = streamFeatures->hasSession();

needResourceBind = streamFeatures->hasResourceBind();

needAcking = streamFeatures->hasStreamManagement() && useAcks;

if (!needResourceBind) {

// Resource binding is a MUST

finishSession(Error::ResourceBindError);

}

else {

continueSessionInitialization();

}

}

}

else if (std::dynamic_pointer_cast<Compressed>(element)) {

stream->addZLibCompression();

stream->resetXMPPParser();

sendStreamHeader();

}

else if (std::dynamic_pointer_cast<CompressFailure>(element)) {

finishSession(Error::CompressionFailedError);

}

else if (std::dynamic_pointer_cast<StreamManagementEnabled>(element)) {

stanzaAckRequester_ = std::make_shared<StanzaAckRequester>();

stanzaAckRequester_->onRequestAck.connect(boost::bind(&ClientSession::requestAck, shared_from_this()));

stanzaAckRequester_->onStanzaAcked.connect(boost::bind(&ClientSession::handleStanzaAcked, shared_from_this(), _1));

stanzaAckResponder_ = std::make_shared<StanzaAckResponder>();

stanzaAckResponder_->onAck.connect(boost::bind(&ClientSession::ack, shared_from_this(), _1));

needAcking = false;

continueSessionInitialization();

}

else if (std::dynamic_pointer_cast<StreamManagementFailed>(element)) {

needAcking = false;

continueSessionInitialization();

}

else if (AuthChallenge* challenge = dynamic_cast<AuthChallenge*>(element.get())) {

assert(authenticator);

if (authenticator->setChallenge(challenge->getValue())) {

stream->writeElement(std::make_shared<AuthResponse>(authenticator->getResponse()));

}

#ifdef SWIFTEN_PLATFORM_WIN32

else if (WindowsGSSAPIClientAuthenticator* gssapiAuthenticator = dynamic_cast<WindowsGSSAPIClientAuthenticator*>(authenticator)) {

std::shared_ptr<Error> error = std::make_shared<Error>(Error::AuthenticationFailedError);

error->errorCode = gssapiAuthenticator->getErrorCode();

finishSession(error);

}

#endif

else {

finishSession(Error::AuthenticationFailedError);

}

}

else if (AuthSuccess* authSuccess = dynamic_cast<AuthSuccess*>(element.get())) {

assert(authenticator);

if (!authenticator->setChallenge(authSuccess->getValue())) {

finishSession(Error::ServerVerificationFailedError);

}

else {

delete authenticator;

authenticator = nullptr;

stream->resetXMPPParser();

sendStreamHeader();

}

}

else if (dynamic_cast<AuthFailure*>(element.get())) {

finishSession(Error::AuthenticationFailedError);

}

else if (dynamic_cast<TLSProceed*>(element.get())) {

stream->addTLSEncryption();

}

else if (dynamic_cast<StartTLSFailure*>(element.get())) {

finishSession(Error::TLSError);

}

else {

// FIXME Not correct?

onInitialized();

}

}

void ClientSession::continueSessionInitialization() {

if (needResourceBind) {

std::shared_ptr<ResourceBind> resourceBind(std::make_shared<ResourceBind>());

if (!localJID.getResource().empty()) {

resourceBind->setResource(localJID.getResource());

}

sendStanza(IQ::createRequest(IQ::Set, JID(), "session-bind", resourceBind));

}

else if (needAcking) {

stream->writeElement(std::make_shared<EnableStreamManagement>());

}

else if (needSessionStart) {

sendStanza(IQ::createRequest(IQ::Set, JID(), "session-start", std::make_shared<StartSession>()));

}

else {

onInitialized();

}

}

bool ClientSession::checkState(State state) {

if (this->state != state) {

finishSession(Error::UnexpectedElementError);

return false;

}

return true;

}

void ClientSession::sendCredentials(const SafeByteArray& password) {

assert(authenticator);

authenticator->setCredentials(localJID.getNode(), password);

stream->writeElement(std::make_shared<AuthRequest>(authenticator->getName(), authenticator->getResponse()));

}

void ClientSession::handleTLSEncrypted() {

std::vector<Certificate::ref> certificateChain = stream->getPeerCertificateChain();

std::shared_ptr<CertificateVerificationError> verificationError = stream->getPeerCertificateVerificationError();

if (verificationError) {

checkTrustOrFinish(certificateChain, verificationError);

}

else {

ServerIdentityVerifier identityVerifier(localJID, idnConverter);

if (!certificateChain.empty() && identityVerifier.certificateVerifies(certificateChain[0])) {

continueAfterTLSEncrypted();

}

else {

checkTrustOrFinish(certificateChain, std::make_shared<CertificateVerificationError>(CertificateVerificationError::InvalidServerIdentity));

}

}

}

void ClientSession::checkTrustOrFinish(const std::vector<Certificate::ref>& certificateChain, std::shared_ptr<CertificateVerificationError> error) {

if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificateChain)) {

continueAfterTLSEncrypted();

}

else {

finishSession(error);

}

}

void ClientSession::continueAfterTLSEncrypted() {

stream->resetXMPPParser();

sendStreamHeader();

}

void ClientSession::handleStreamClosed(std::shared_ptr<Swift::Error> streamError) {

State previousState = state;

if (stanzaAckRequester_) {

stanzaAckRequester_->onRequestAck.disconnect(boost::bind(&ClientSession::requestAck, shared_from_this()));

stanzaAckRequester_->onStanzaAcked.disconnect(boost::bind(&ClientSession::handleStanzaAcked, shared_from_this(), _1));

stanzaAckRequester_.reset();

}

if (stanzaAckResponder_) {

stanzaAckResponder_->onAck.disconnect(boost::bind(&ClientSession::ack, shared_from_this(), _1));

stanzaAckResponder_.reset();

}

stream->setWhitespacePingEnabled(false);

stream->onStreamStartReceived.disconnect(boost::bind(&ClientSession::handleStreamStart, shared_from_this(), _1));

stream->onElementReceived.disconnect(boost::bind(&ClientSession::handleElement, shared_from_this(), _1));

stream->onClosed.disconnect(boost::bind(&ClientSession::handleStreamClosed, shared_from_this(), _1));

stream->onTLSEncrypted.disconnect(boost::bind(&ClientSession::handleTLSEncrypted, shared_from_this()));

onFinished(error_);

}

else {

onFinished(streamError);

}

}

void ClientSession::finish() {

}

void ClientSession::finishSession(Error::Type error) {

finishSession(std::make_shared<Swift::ClientSession::Error>(error));

}

void ClientSession::finishSession(std::shared_ptr<Swift::Error> error) {

if (!error_) {

error_ = error;

}

else {

SWIFT_LOG(warning) << "Session finished twice";

}

assert(stream->isOpen());

if (stanzaAckResponder_) {

stanzaAckResponder_->handleAckRequestReceived();

}

if (authenticator) {

delete authenticator;

authenticator = nullptr;

}

}

void ClientSession::requestAck() {

stream->writeElement(std::make_shared<StanzaAckRequest>());

}

void ClientSession::handleStanzaAcked(std::shared_ptr<Stanza> stanza) {

onStanzaAcked(stanza);

}

void ClientSession::ack(unsigned int handledStanzasCount) {

stream->writeElement(std::make_shared<StanzaAck>(handledStanzasCount));

}

}

/*

* Copyright (c) 2010-2016 Isode Limited.

* All rights reserved.

* See the COPYING file for more information.

*/

#pragma once

#include <memory>

#include <string>

#include <boost/signals2.hpp>

#include <Swiften/Base/API.h>

#include <Swiften/Base/Error.h>

#include <Swiften/Elements/ToplevelElement.h>

#include <Swiften/JID/JID.h>

#include <Swiften/Session/SessionStream.h>

namespace Swift {

class CertificateTrustChecker;

class CryptoProvider;

class SWIFTEN_API ClientSession : public std::enable_shared_from_this<ClientSession> {

public:

Initial,

WaitingForStreamStart,

Negotiating,

Compressing,

WaitingForEncrypt,

Encrypting,

WaitingForCredentials,

Authenticating,

EnablingSessionManagement,

BindingResource,

StartingSession,

Initialized,

Finishing,

Finished

};

struct Error : public Swift::Error {

enum Type {

AuthenticationFailedError,

CompressionFailedError,

ServerVerificationFailedError,

NoSupportedAuthMechanismsError,

UnexpectedElementError,

ResourceBindError,

SessionStartError,

TLSClientCertificateError,

TLSError,

} type;

std::shared_ptr<boost::system::error_code> errorCode;

Error(Type type) : type(type) {}

};

enum UseTLS {

NeverUseTLS,

UseTLSWhenAvailable,

RequireTLS

};

~ClientSession();

}

State getState() const {

return state;

}

void setAllowPLAINOverNonTLS(bool b) {

allowPLAINOverNonTLS = b;

}

void setUseStreamCompression(bool b) {

useStreamCompression = b;

}

void setUseTLS(UseTLS b) {

useTLS = b;

}

void setUseAcks(bool b) {

useAcks = b;

}

bool getStreamManagementEnabled() const {

// Explicitly convert to bool. In C++11, it would be cleaner to

// compare to nullptr.

return static_cast<bool>(stanzaAckRequester_);

}

bool getRosterVersioningSupported() const {

return rosterVersioningSupported;

}

std::vector<Certificate::ref> getPeerCertificateChain() const {

return stream->getPeerCertificateChain();

}

const JID& getLocalJID() const {

return localJID;

}

void start();

void finish();

bool isFinished() const {

}

void sendCredentials(const SafeByteArray& password);

void sendStanza(std::shared_ptr<Stanza>);

void setCertificateTrustChecker(CertificateTrustChecker* checker) {

certificateTrustChecker = checker;

}

void setSingleSignOn(bool b) {

singleSignOn = b;

}

/**

* Sets the port number used in Kerberos authentication

* Does not affect network connectivity.

*/

void setAuthenticationPort(int i) {

authenticationPort = i;

}

public:

boost::signals2::signal<void ()> onNeedCredentials;

boost::signals2::signal<void ()> onInitialized;

boost::signals2::signal<void (std::shared_ptr<Swift::Error>)> onFinished;

boost::signals2::signal<void (std::shared_ptr<Stanza>)> onStanzaReceived;

boost::signals2::signal<void (std::shared_ptr<Stanza>)> onStanzaAcked;

private:

ClientSession(

const JID& jid,

std::shared_ptr<SessionStream>,

IDNConverter* idnConverter,

void finishSession(Error::Type error);

void finishSession(std::shared_ptr<Swift::Error> error);

JID getRemoteJID() const {

return JID("", localJID.getDomain());

}

void sendStreamHeader();

void handleElement(std::shared_ptr<ToplevelElement>);

void handleStreamStart(const ProtocolHeader&);

void handleStreamClosed(std::shared_ptr<Swift::Error>);

void handleTLSEncrypted();

bool checkState(State);

void continueSessionInitialization();

void requestAck();

void handleStanzaAcked(std::shared_ptr<Stanza> stanza);

void ack(unsigned int handledStanzasCount);

void continueAfterTLSEncrypted();

void checkTrustOrFinish(const std::vector<Certificate::ref>& certificateChain, std::shared_ptr<CertificateVerificationError> error);

private:

JID localJID;

State state;

std::shared_ptr<SessionStream> stream;

bool allowPLAINOverNonTLS;

bool useStreamCompression;

UseTLS useTLS;

bool useAcks;

bool needSessionStart;

bool needResourceBind;

bool needAcking;

bool rosterVersioningSupported;

ClientAuthenticator* authenticator;

std::shared_ptr<StanzaAckRequester> stanzaAckRequester_;

std::shared_ptr<StanzaAckResponder> stanzaAckResponder_;

std::shared_ptr<Swift::Error> error_;

CertificateTrustChecker* certificateTrustChecker;

bool singleSignOn;

int authenticationPort;

};

}

#pragma once

#include <memory>

#include <Swiften/Base/API.h>

#include <Swiften/Base/IDGenerator.h>

#include <Swiften/Client/ClientSession.h>

#include <Swiften/Client/StanzaChannel.h>

#include <Swiften/Elements/IQ.h>

#include <Swiften/Elements/Message.h>

#include <Swiften/Elements/Presence.h>

namespace Swift {

/**

* StanzaChannel implementation around a ClientSession.

*/

class SWIFTEN_API ClientSessionStanzaChannel : public StanzaChannel {

public:

virtual ~ClientSessionStanzaChannel();

void setSession(std::shared_ptr<ClientSession> session);

void sendIQ(std::shared_ptr<IQ> iq);

void sendMessage(std::shared_ptr<Message> message);

void sendPresence(std::shared_ptr<Presence> presence);

bool getStreamManagementEnabled() const;

virtual std::vector<Certificate::ref> getPeerCertificateChain() const;

bool isAvailable() const {

}

private:

std::string getNewIQID();

void send(std::shared_ptr<Stanza> stanza);

void handleSessionFinished(std::shared_ptr<Error> error);

void handleStanza(std::shared_ptr<Stanza> stanza);

void handleStanzaAcked(std::shared_ptr<Stanza> stanza);

void handleSessionInitialized();

private:

IDGenerator idGenerator;

std::shared_ptr<ClientSession> session;

};

}

std::shared_ptr<BOSHSessionStream> boshSessionStream_ = std::shared_ptr<BOSHSessionStream>(new BOSHSessionStream(

options.boshURL,

getPayloadParserFactories(),

getPayloadSerializers(),

networkFactories->getConnectionFactory(),

networkFactories->getTLSContextFactory(),

networkFactories->getTimerFactory(),

networkFactories->getXMLParserFactory(),

networkFactories->getEventLoop(),

networkFactories->getDomainNameResolver(),

host,

options.boshHTTPConnectProxyURL,

options.boshHTTPConnectProxyAuthID,

options.boshHTTPConnectProxyAuthPassword,

options.tlsOptions,

options.httpTrafficFilter));

sessionStream_ = boshSessionStream_;

sessionStream_->onDataRead.connect(boost::bind(&CoreClient::handleDataRead, this, _1));

sessionStream_->onDataWritten.connect(boost::bind(&CoreClient::handleDataWritten, this, _1));

if (certificate_ && !certificate_->isNull()) {

SWIFT_LOG(debug) << "set certificate" << std::endl;

sessionStream_->setTLSCertificate(certificate_);

}

boshSessionStream_->open();

bindSessionToStream();

}

}

void CoreClient::bindSessionToStream() {

session_->setCertificateTrustChecker(certificateTrustChecker);

session_->setUseStreamCompression(options.useStreamCompression);

session_->setAllowPLAINOverNonTLS(options.allowPLAINWithoutTLS);

session_->setSingleSignOn(options.singleSignOn);

session_->setAuthenticationPort(options.manualPort);

switch(options.useTLS) {

case ClientOptions::UseTLSWhenAvailable:

session_->setUseTLS(ClientSession::UseTLSWhenAvailable);

break;

case ClientOptions::NeverUseTLS:

session_->setUseTLS(ClientSession::NeverUseTLS);

break;

case ClientOptions::RequireTLS:

session_->setUseTLS(ClientSession::RequireTLS);

break;

}

session_->setUseAcks(options.useAcks);

stanzaChannel_->setSession(session_);

session_->onFinished.connect(boost::bind(&CoreClient::handleSessionFinished, this, _1));

session_->onNeedCredentials.connect(boost::bind(&CoreClient::handleNeedCredentials, this));

session_->start();

}

/**

* Only called for TCP sessions. BOSH is handled inside the BOSHSessionStream.

*/

void CoreClient::handleConnectorFinished(std::shared_ptr<Connection> connection, std::shared_ptr<Error> error) {

resetConnector();

if (!connection) {

if (options.forgetPassword) {

purgePassword();

}

boost::optional<ClientError> clientError;

if (!disconnectRequested_) {

clientError = std::dynamic_pointer_cast<DomainNameResolveError>(error) ? boost::optional<ClientError>(ClientError::DomainNameResolveError) : boost::optional<ClientError>(ClientError::ConnectionError);

case ClientSession::Error::AuthenticationFailedError:

clientError = ClientError(ClientError::AuthenticationFailedError);

break;

case ClientSession::Error::CompressionFailedError:

clientError = ClientError(ClientError::CompressionFailedError);

break;

case ClientSession::Error::ServerVerificationFailedError:

clientError = ClientError(ClientError::ServerVerificationFailedError);

break;

case ClientSession::Error::NoSupportedAuthMechanismsError:

clientError = ClientError(ClientError::NoSupportedAuthMechanismsError);

break;

case ClientSession::Error::UnexpectedElementError:

clientError = ClientError(ClientError::UnexpectedElementError);

break;

case ClientSession::Error::ResourceBindError:

clientError = ClientError(ClientError::ResourceBindError);

break;

case ClientSession::Error::SessionStartError:

clientError = ClientError(ClientError::SessionStartError);

break;

case ClientSession::Error::TLSError:

clientError = ClientError(ClientError::TLSError);

break;

case ClientSession::Error::TLSClientCertificateError:

clientError = ClientError(ClientError::ClientCertificateError);

break;

case ClientSession::Error::StreamError:

clientError = ClientError(ClientError::StreamError);

break;

}

clientError.setErrorCode(actualError->errorCode);

}

else if (std::shared_ptr<TLSError> actualError = std::dynamic_pointer_cast<TLSError>(error)) {

switch(actualError->getType()) {

case TLSError::CertificateCardRemoved:

clientError = ClientError(ClientError::CertificateCardRemoved);

break;

case TLSError::UnknownError:

clientError = ClientError(ClientError::TLSError);

break;

}

}

else if (std::shared_ptr<SessionStream::SessionStreamError> actualError = std::dynamic_pointer_cast<SessionStream::SessionStreamError>(error)) {

switch(actualError->type) {

case SessionStream::SessionStreamError::ParseError:

clientError = ClientError(ClientError::XMLError);

break;

case SessionStream::SessionStreamError::TLSError:

clientError = ClientError(ClientError::TLSError);

break;

case SessionStream::SessionStreamError::InvalidTLSCertificateError:

clientError = ClientError(ClientError::ClientCertificateLoadError);

break;

case SessionStream::SessionStreamError::ConnectionReadError:

clientError = ClientError(ClientError::ConnectionReadError);

break;

case SessionStream::SessionStreamError::ConnectionWriteError:

clientError = ClientError(ClientError::ConnectionWriteError);

break;

/*

* Copyright (c) 2010-2016 Isode Limited.

* All rights reserved.

* See the COPYING file for more information.

*/

#include <deque>

#include <memory>

#include <boost/bind.hpp>

#include <boost/optional.hpp>

#include <cppunit/extensions/HelperMacros.h>

#include <cppunit/extensions/TestFactoryRegistry.h>

#include <Swiften/Client/ClientSession.h>

#include <Swiften/Crypto/CryptoProvider.h>

#include <Swiften/Crypto/PlatformCryptoProvider.h>

#include <Swiften/Elements/AuthChallenge.h>

#include <Swiften/Elements/AuthFailure.h>

#include <Swiften/Elements/AuthRequest.h>

#include <Swiften/Elements/AuthSuccess.h>

#include <Swiften/Elements/EnableStreamManagement.h>

#include <Swiften/Elements/IQ.h>

#include <Swiften/Elements/Message.h>

#include <Swiften/Elements/ResourceBind.h>

#include <Swiften/Elements/StanzaAck.h>

#include <Swiften/Elements/StartTLSFailure.h>

#include <Swiften/Elements/StartTLSRequest.h>

#include <Swiften/Elements/StreamError.h>

#include <Swiften/Elements/StreamFeatures.h>

#include <Swiften/Elements/StreamManagementEnabled.h>

#include <Swiften/Elements/StreamManagementFailed.h>

#include <Swiften/Elements/TLSProceed.h>

#include <Swiften/IDN/IDNConverter.h>

#include <Swiften/IDN/PlatformIDNConverter.h>

#include <Swiften/Session/SessionStream.h>

#include <Swiften/TLS/BlindCertificateTrustChecker.h>

#include <Swiften/TLS/SimpleCertificate.h>

using namespace Swift;

class ClientSessionTest : public CppUnit::TestFixture {

CPPUNIT_TEST_SUITE(ClientSessionTest);

CPPUNIT_TEST(testStart_Error);

CPPUNIT_TEST(testStart_StreamError);

CPPUNIT_TEST(testStartTLS);

CPPUNIT_TEST(testStartTLS_ServerError);

CPPUNIT_TEST(testStartTLS_ConnectError);

CPPUNIT_TEST(testStartTLS_InvalidIdentity);

CPPUNIT_TEST(testStart_StreamFeaturesWithoutResourceBindingFails);

CPPUNIT_TEST(testAuthenticate);

CPPUNIT_TEST(testAuthenticate_Unauthorized);

CPPUNIT_TEST(testAuthenticate_NoValidAuthMechanisms);

CPPUNIT_TEST(testAuthenticate_PLAINOverNonTLS);

CPPUNIT_TEST(testAuthenticate_RequireTLS);

CPPUNIT_TEST(testAuthenticate_EXTERNAL);

CPPUNIT_TEST(testStreamManagement);

CPPUNIT_TEST(testStreamManagement_Failed);

CPPUNIT_TEST(testUnexpectedChallenge);

CPPUNIT_TEST(testFinishAcksStanzas);

/*

CPPUNIT_TEST(testResourceBind);

CPPUNIT_TEST(testResourceBind_ChangeResource);

CPPUNIT_TEST(testResourceBind_EmptyResource);

CPPUNIT_TEST(testResourceBind_Error);

CPPUNIT_TEST(testSessionStart);

CPPUNIT_TEST(testSessionStart_Error);

CPPUNIT_TEST(testSessionStart_AfterResourceBind);

CPPUNIT_TEST(testWhitespacePing);

CPPUNIT_TEST(testReceiveElementAfterSessionStarted);

CPPUNIT_TEST(testSendElement);

*/

CPPUNIT_TEST_SUITE_END();

public:

void setUp() {

crypto = std::shared_ptr<CryptoProvider>(PlatformCryptoProvider::create());

idnConverter = std::shared_ptr<IDNConverter>(PlatformIDNConverter::create());

server = std::make_shared<MockSessionStream>();

sessionFinishedReceived = false;

needCredentials = false;

blindCertificateTrustChecker = new BlindCertificateTrustChecker();

}

void tearDown() {

delete blindCertificateTrustChecker;

}

void testStart_Error() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->breakConnection();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testStart_StreamError() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->sendStreamStart();

server->sendStreamError();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testStartTLS() {

std::shared_ptr<ClientSession> session(createSession());

session->setCertificateTrustChecker(blindCertificateTrustChecker);

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithStartTLS();

server->receiveStartTLS();

CPPUNIT_ASSERT(!server->tlsEncrypted);

server->sendTLSProceed();

CPPUNIT_ASSERT(server->tlsEncrypted);

server->onTLSEncrypted();

server->receiveStreamStart();

server->sendStreamStart();

session->finish();

}

void testStartTLS_ServerError() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithStartTLS();

server->receiveStartTLS();

server->sendTLSFailure();

CPPUNIT_ASSERT(!server->tlsEncrypted);

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testStartTLS_ConnectError() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithStartTLS();

server->receiveStartTLS();

server->sendTLSProceed();

server->breakTLS();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testStartTLS_InvalidIdentity() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithStartTLS();

server->receiveStartTLS();

CPPUNIT_ASSERT(!server->tlsEncrypted);

server->sendTLSProceed();

CPPUNIT_ASSERT(server->tlsEncrypted);

server->onTLSEncrypted();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

CPPUNIT_ASSERT_EQUAL(CertificateVerificationError::InvalidServerIdentity, std::dynamic_pointer_cast<CertificateVerificationError>(sessionFinishedError)->getType());

}

void testStart_StreamFeaturesWithoutResourceBindingFails() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendEmptyStreamFeatures();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testAuthenticate() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithPLAINAuthentication();

CPPUNIT_ASSERT(needCredentials);

session->sendCredentials(createSafeByteArray("mypass"));

server->receiveAuthRequest("PLAIN");

server->sendAuthSuccess();

server->receiveStreamStart();

session->finish();

}

void testAuthenticate_Unauthorized() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithPLAINAuthentication();

CPPUNIT_ASSERT(needCredentials);

session->sendCredentials(createSafeByteArray("mypass"));

server->receiveAuthRequest("PLAIN");

server->sendAuthFailure();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testAuthenticate_PLAINOverNonTLS() {

std::shared_ptr<ClientSession> session(createSession());

session->setAllowPLAINOverNonTLS(false);

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithPLAINAuthentication();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testAuthenticate_RequireTLS() {

std::shared_ptr<ClientSession> session(createSession());

session->setUseTLS(ClientSession::RequireTLS);

session->setAllowPLAINOverNonTLS(true);

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithMultipleAuthentication();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testAuthenticate_NoValidAuthMechanisms() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithUnknownAuthentication();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testAuthenticate_EXTERNAL() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithEXTERNALAuthentication();

server->receiveAuthRequest("EXTERNAL");

server->sendAuthSuccess();

server->receiveStreamStart();

session->finish();

}

void testUnexpectedChallenge() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithEXTERNALAuthentication();

server->receiveAuthRequest("EXTERNAL");

server->sendChallenge();

server->sendChallenge();

CPPUNIT_ASSERT(sessionFinishedReceived);

CPPUNIT_ASSERT(sessionFinishedError);

}

void testStreamManagement() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithPLAINAuthentication();

session->sendCredentials(createSafeByteArray("mypass"));

server->receiveAuthRequest("PLAIN");

server->sendAuthSuccess();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithBindAndStreamManagement();

server->receiveBind();

server->sendBindResult();

server->receiveStreamManagementEnable();

server->sendStreamManagementEnabled();

CPPUNIT_ASSERT(session->getStreamManagementEnabled());

// TODO: Test if the requesters & responders do their work

session->finish();

}

void testStreamManagement_Failed() {

std::shared_ptr<ClientSession> session(createSession());

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithPLAINAuthentication();

session->sendCredentials(createSafeByteArray("mypass"));

server->receiveAuthRequest("PLAIN");

server->sendAuthSuccess();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithBindAndStreamManagement();

server->receiveBind();

server->sendBindResult();

server->receiveStreamManagementEnable();

server->sendStreamManagementFailed();

CPPUNIT_ASSERT(!session->getStreamManagementEnabled());

session->finish();

}

void testFinishAcksStanzas() {

std::shared_ptr<ClientSession> session(createSession());

initializeSession(session);

server->sendMessage();

server->sendMessage();

server->sendMessage();

session->finish();

server->receiveAck(3);

}

private:

std::shared_ptr<ClientSession> createSession() {

session->onFinished.connect(boost::bind(&ClientSessionTest::handleSessionFinished, this, _1));

session->onNeedCredentials.connect(boost::bind(&ClientSessionTest::handleSessionNeedCredentials, this));

session->setAllowPLAINOverNonTLS(true);

return session;

}

void initializeSession(std::shared_ptr<ClientSession> session) {

session->start();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithPLAINAuthentication();

session->sendCredentials(createSafeByteArray("mypass"));

server->receiveAuthRequest("PLAIN");

server->sendAuthSuccess();

server->receiveStreamStart();

server->sendStreamStart();

server->sendStreamFeaturesWithBindAndStreamManagement();

server->receiveBind();

server->sendBindResult();

server->receiveStreamManagementEnable();

server->sendStreamManagementEnabled();

}

void handleSessionFinished(std::shared_ptr<Error> error) {

sessionFinishedReceived = true;

sessionFinishedError = error;

}

void handleSessionNeedCredentials() {

needCredentials = true;

CPPUNIT_ASSERT(event.element);

std::shared_ptr<StanzaAck> ack = std::dynamic_pointer_cast<StanzaAck>(event.element);

CPPUNIT_ASSERT(ack);

CPPUNIT_ASSERT_EQUAL(n, ack->getHandledStanzasCount());

}

Event popEvent() {

CPPUNIT_ASSERT(!receivedEvents.empty());

Event event = receivedEvents.front();

receivedEvents.pop_front();

return event;

}

bool available;

bool canTLSEncrypt;

bool tlsEncrypted;

bool compressed;

bool whitespacePingEnabled;

std::string bindID;

int resetCount;

std::deque<Event> receivedEvents;

};

std::shared_ptr<IDNConverter> idnConverter;

std::shared_ptr<MockSessionStream> server;

bool sessionFinishedReceived;

bool needCredentials;

std::shared_ptr<Error> sessionFinishedError;

BlindCertificateTrustChecker* blindCertificateTrustChecker;

std::shared_ptr<CryptoProvider> crypto;

};

CPPUNIT_TEST_SUITE_REGISTRATION(ClientSessionTest);

#if 0

void testAuthenticate() {

std::shared_ptr<MockSession> session(createSession("me@foo.com/Bar"));

session->onNeedCredentials.connect(boost::bind(&ClientSessionTest::setNeedCredentials, this));

getMockServer()->expectStreamStart();

getMockServer()->sendStreamStart();

getMockServer()->sendStreamFeaturesWithAuthentication();

session->startSession();

processEvents();

CPPUNIT_ASSERT_EQUAL(ClientSession::WaitingForCredentials, session->getState());

CPPUNIT_ASSERT(needCredentials_);

getMockServer()->expectAuth("me", "mypass");

getMockServer()->sendAuthSuccess();

getMockServer()->expectStreamStart();

getMockServer()->sendStreamStart();

session->sendCredentials("mypass");

CPPUNIT_ASSERT_EQUAL(ClientSession::Authenticating, session->getState());

processEvents();

CPPUNIT_ASSERT_EQUAL(ClientSession::Negotiating, session->getState());

}

void testAuthenticate_Unauthorized() {

std::shared_ptr<MockSession> session(createSession("me@foo.com/Bar"));

getMockServer()->expectStreamStart();

getMockServer()->sendStreamStart();