+ * Copyright (c) 2010-2015 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <Swiften/Base/API.h>

+ /**

+ * A certificate trust checker that trusts any ceritficate.

+ *

+ * This can be used to ignore any TLS certificate errors occurring

+ * during connection.

+ *

+ * \see Client::setAlwaysTrustCertificates()

+ */

+ class SWIFTEN_API BlindCertificateTrustChecker : public CertificateTrustChecker {

+ public:

+ virtual bool isCertificateTrusted(const std::vector<Certificate::ref>&) {

+ return true;

+ }

+ };

+ * Copyright (c) 2012-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <boost/bind.hpp>

+

+#include <Swiften/Base/Log.h>

+#include <Swiften/Network/TimerFactory.h>

+#include <Swiften/StringCodecs/Hexify.h>

+#include <Swiften/TLS/Schannel/SchannelUtil.h>

+#define DEBUG_SCARD_STATUS(function, status) \

+{ \

+ std::shared_ptr<boost::system::error_code> errorCode = std::make_shared<boost::system::error_code>(status, boost::system::system_category()); \

+ SWIFT_LOG(debug) << std::hex << function << ": status: 0x" << status << ": " << errorCode->message(); \

+}

+CAPICertificate::CAPICertificate(const std::string& capiUri, TimerFactory* timerFactory) :

+ valid_(false),

+ uri_(capiUri),

+ certStoreHandle_(0),

+ scardContext_(0),

+ cardHandle_(0),

+ certStore_(),

+ certName_(),

+ smartCardReaderName_(),

+ timerFactory_(timerFactory),

+ lastPollingResult_(true) {

+ assert(timerFactory_);

+

+ setUri(capiUri);

+ SWIFT_LOG(debug) << "Destroying the CAPICertificate";

+ if (smartCardTimer_) {

+ smartCardTimer_->stop();

+ smartCardTimer_->onTick.disconnect(boost::bind(&CAPICertificate::handleSmartCardTimerTick, this));

+ smartCardTimer_.reset();

+ }

+

+ if (certStoreHandle_) {

+ if (CertCloseStore(certStoreHandle_, 0) == FALSE) {

+ SWIFT_LOG(debug) << "Failed to close the certificate store handle";

+ }

+ }

+

+ if (cardHandle_) {

+ LONG result = SCardDisconnect(cardHandle_, SCARD_LEAVE_CARD);

+ DEBUG_SCARD_STATUS("SCardDisconnect", result);

+ }

+

+ if (scardContext_) {

+ LONG result = SCardReleaseContext(scardContext_);

+ DEBUG_SCARD_STATUS("SCardReleaseContext", result);

+ }

+ return uri_.empty() || !valid_;

+ return certStore_;

+ return certName_;

+ return smartCardReaderName_;

+PCCERT_CONTEXT findCertificateInStore(HCERTSTORE certStoreHandle, const std::string &certName) {

+ if (!boost::iequals(certName.substr(0, 5), "sha1:")) {

+ // Find client certificate. Note that this sample just searches for a

+ // certificate that contains the user name somewhere in the subject name.

+ return CertFindCertificateInStore(certStoreHandle, X509_ASN_ENCODING, /*dwFindFlags*/ 0, CERT_FIND_SUBJECT_STR_A, /* *pvFindPara*/certName.c_str(), /*pPrevCertContext*/ NULL);

+ }

+ std::string hexstring = certName.substr(5);

+ ByteArray byteArray = Hexify::unhexify(hexstring);

+ CRYPT_HASH_BLOB HashBlob;

+ if (byteArray.size() != SHA1_HASH_LEN) {

+ return NULL;

+ }

+ HashBlob.cbData = SHA1_HASH_LEN;

+ HashBlob.pbData = static_cast<BYTE *>(vecptr(byteArray));

+ // Find client certificate. Note that this sample just searches for a

+ // certificate that contains the user name somewhere in the subject name.

+ return CertFindCertificateInStore(certStoreHandle, X509_ASN_ENCODING, /* dwFindFlags */ 0, CERT_FIND_HASH, &HashBlob, /* pPrevCertContext */ NULL);

+void CAPICertificate::setUri(const std::string& capiUri) {

+ valid_ = false;

+

+ /* Syntax: "certstore:" <cert_store> ":" <hash> ":" <hash_of_cert> */

+

+ if (!boost::iequals(capiUri.substr(0, 10), "certstore:")) {

+ return;

+ }

+

+ /* Substring of subject: uses "storename" */

+ std::string capiIdentity = capiUri.substr(10);

+ std::string newCertStoreName;

+ size_t pos = capiIdentity.find_first_of(':');

+

+ if (pos == std::string::npos) {

+ /* Using the default certificate store */

+ newCertStoreName = "MY";

+ certName_ = capiIdentity;

+ }

+ else {

+ newCertStoreName = capiIdentity.substr(0, pos);

+ certName_ = capiIdentity.substr(pos + 1);

+ }

+

+ if (certStoreHandle_ != NULL) {

+ if (newCertStoreName != certStore_) {

+ CertCloseStore(certStoreHandle_, 0);

+ certStoreHandle_ = NULL;

+ }

+ }

+

+ if (certStoreHandle_ == NULL) {

+ certStoreHandle_ = CertOpenSystemStore(0, newCertStoreName.c_str());

+ if (!certStoreHandle_) {

+ return;

+ }

+ }

+

+ certStore_ = newCertStoreName;

+

+ ScopedCertContext certContext(findCertificateInStore(certStoreHandle_, certName_));

+ if (!certContext) {

+ return;

+ }

+

+ /* Now verify that we can have access to the corresponding private key */

+

+ DWORD len;

+ if (!CertGetCertificateContextProperty(certContext,

+ CERT_KEY_PROV_INFO_PROP_ID,

+ NULL,

+ &len)) {

+ SWIFT_LOG(error) << "Error while retrieving context properties";

+ return;

+ }

+

+ std::shared_ptr<CRYPT_KEY_PROV_INFO> pinfo(static_cast<CRYPT_KEY_PROV_INFO *>(malloc(len)), free);

+ if (!pinfo) {

+ return;

+ }

+

+ if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, pinfo.get(), &len)) {

+ return;

+ }

+ certContext.FreeContext();

+

+ HCRYPTPROV hprov;

+ // Now verify if we have access to the private key

+ if (!CryptAcquireContextW(&hprov, pinfo->pwszContainerName, pinfo->pwszProvName, pinfo->dwProvType, 0)) {

+ return;

+ }

+

+ char smartCardReader[1024];

+ DWORD bufferLength = sizeof(smartCardReader);

+ if (!CryptGetProvParam(hprov, PP_SMARTCARD_READER, (BYTE *)&smartCardReader, &bufferLength, 0)) {

+ DWORD error = GetLastError();

+ smartCardReaderName_ = "";

+ }

+ else {

+ smartCardReaderName_ = smartCardReader;

+

+ LONG result = SCardEstablishContext(SCARD_SCOPE_USER, NULL, NULL, &scardContext_);

+ DEBUG_SCARD_STATUS("SCardEstablishContext", result);

+ if (SCARD_S_SUCCESS == result) {

+ // Initiate monitoring for smartcard ejection

+ smartCardTimer_ = timerFactory_->createTimer(SMARTCARD_EJECTION_CHECK_FREQUENCY_MILLISECONDS);

+ }

+ else {

+ CryptReleaseContext(hprov, 0);

+ return;

+ }

+ }

+

+ HCRYPTKEY key;

+ if (!CryptGetUserKey(hprov, pinfo->dwKeySpec, &key)) {

+ CryptReleaseContext(hprov, 0);

+ return;

+ }

+

+ CryptDestroyKey(key);

+ CryptReleaseContext(hprov, 0);

+

+ if (smartCardTimer_) {

+ smartCardTimer_->onTick.connect(boost::bind(&CAPICertificate::handleSmartCardTimerTick, this));

+ smartCardTimer_->start();

+ }

+

+ valid_ = true;

+static void smartcard_check_status(SCARDCONTEXT hContext,

+ const char* pReader,

+ SCARDHANDLE hCardHandle, /* Can be 0 on the first call */

+ SCARDHANDLE* newCardHandle, /* The handle returned */

+ DWORD* pdwState) {

+ DWORD shareMode = SCARD_SHARE_SHARED;

+ DWORD preferredProtocols = SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1;

+ DWORD dwAP;

+ LONG result;

+

+ if (hCardHandle == 0) {

+ result = SCardConnect(hContext, pReader, shareMode, preferredProtocols, &hCardHandle, &dwAP);

+ DEBUG_SCARD_STATUS("SCardConnect", result);

+ if (SCARD_S_SUCCESS != result) {

+ hCardHandle = 0;

+ }

+ }

+

+ char szReader[200];

+ DWORD cch = sizeof(szReader);

+ BYTE bAttr[32];

+ DWORD cByte = 32;

+ size_t countStatusAttempts = 0;

+

+ while (hCardHandle && (countStatusAttempts < 2)) {

+ *pdwState = SCARD_UNKNOWN;

+

+ result = SCardStatus(hCardHandle, /* Unfortunately we can't use NULL here */ szReader, &cch, pdwState, NULL, (LPBYTE)&bAttr, &cByte);

+ DEBUG_SCARD_STATUS("SCardStatus", result);

+ countStatusAttempts++;

+

+ if ((SCARD_W_RESET_CARD == result) && (countStatusAttempts < 2)) {

+ result = SCardReconnect(hCardHandle, shareMode, preferredProtocols, SCARD_RESET_CARD, &dwAP);

+ DEBUG_SCARD_STATUS("SCardReconnect", result);

+ if (SCARD_S_SUCCESS != result) {

+ break;

+ }

+ }

+ else {

+ break;

+ }

+ }

+

+ if (SCARD_S_SUCCESS != result) {

+ if (SCARD_E_NO_SMARTCARD == result || SCARD_W_REMOVED_CARD == result) {

+ *pdwState = SCARD_ABSENT;

+ }

+ else {

+ *pdwState = SCARD_UNKNOWN;

+ }

+ }

+

+ if (newCardHandle == NULL) {

+ result = SCardDisconnect(hCardHandle, SCARD_LEAVE_CARD);

+ DEBUG_SCARD_STATUS("SCardDisconnect", result);

+ }

+ else {

+ *newCardHandle = hCardHandle;

+ }

+bool CAPICertificate::checkIfSmartCardPresent() {

+ if (!smartCardReaderName_.empty()) {

+ DWORD dwState;

+ smartcard_check_status(scardContext_, smartCardReaderName_.c_str(), cardHandle_, &cardHandle_, &dwState);

+

+ switch (dwState) {

+ case SCARD_ABSENT:

+ SWIFT_LOG(debug) << "Card absent.";

+ break;

+ case SCARD_PRESENT:

+ SWIFT_LOG(debug) << "Card present.";

+ break;

+ case SCARD_SWALLOWED:

+ SWIFT_LOG(debug) << "Card swallowed.";

+ break;

+ case SCARD_POWERED:

+ SWIFT_LOG(debug) << "Card has power.";

+ break;

+ case SCARD_NEGOTIABLE:

+ SWIFT_LOG(debug) << "Card reset and waiting PTS negotiation.";

+ break;

+ case SCARD_SPECIFIC:

+ SWIFT_LOG(debug) << "Card has specific communication protocols set.";

+ break;

+ default:

+ SWIFT_LOG(debug) << "Unknown or unexpected card state.";

+ break;

+ }

+

+ switch (dwState) {

+ case SCARD_ABSENT:

+ return false;

+

+ case SCARD_PRESENT:

+ case SCARD_SWALLOWED:

+ case SCARD_POWERED:

+ case SCARD_NEGOTIABLE:

+ case SCARD_SPECIFIC:

+ return true;

+

+ default:

+ return false;

+ }

+ }

+ else {

+ return false;

+ }

+ bool poll = checkIfSmartCardPresent();

+ if (lastPollingResult_ && !poll) {

+ SWIFT_LOG(debug) << "CAPI Certificate detected that the certificate card was removed";

+ onCertificateCardRemoved();

+ }

+ lastPollingResult_ = poll;

+ smartCardTimer_->start();

+/*

+ * Copyright (c) 2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <boost/signals2.hpp>

+#define SMARTCARD_EJECTION_CHECK_FREQUENCY_MILLISECONDS 1000

+ class TimerFactory;

+ class SWIFTEN_API CAPICertificate : public Swift::CertificateWithKey {

+ public:

+ CAPICertificate(const std::string& capiUri, TimerFactory* timerFactory);

+ virtual ~CAPICertificate();

+ virtual bool isNull() const;

+ const std::string& getCertStoreName() const;

+ const std::string& getCertName() const;

+ const std::string& getSmartCardReaderName() const;

+ public:

+ boost::signals2::signal<void ()> onCertificateCardRemoved;

+ private:

+ void setUri (const std::string& capiUri);

+ void handleSmartCardTimerTick();

+ bool checkIfSmartCardPresent();

+ private:

+ bool valid_;

+ std::string uri_;

+ HCERTSTORE certStoreHandle_;

+ SCARDCONTEXT scardContext_;

+ SCARDHANDLE cardHandle_;

+ /* Parsed components of the uri_ */

+ std::string certStore_;

+ std::string certName_;

+ std::string smartCardReaderName_;

+ std::shared_ptr<Timer> smartCardTimer_;

+ TimerFactory* timerFactory_;

+ bool lastPollingResult_;

+ };

+ * Copyright (c) 2010-2013 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ ByteArray hash = crypto->getSHA1Hash(certificate->toDER());

+ std::ostringstream s;

+ for (size_t i = 0; i < hash.size(); ++i) {

+ if (i > 0) {

+ s << ":";

+ }

+ s << Hexify::hexify(hash[i]);

+ }

+ return std::string(s.str());

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <memory>

+#include <vector>

+

+ class CryptoProvider;

+ class SWIFTEN_API Certificate {

+ public:

+ typedef std::shared_ptr<Certificate> ref;

+ virtual ~Certificate();

+ /**

+ * Returns the textual representation of the full Subject

+ * name.

+ */

+ virtual std::string getSubjectName() const = 0;

+ virtual std::vector<std::string> getCommonNames() const = 0;

+ virtual std::vector<std::string> getSRVNames() const = 0;

+ virtual std::vector<std::string> getDNSNames() const = 0;

+ virtual std::vector<std::string> getXMPPAddresses() const = 0;

+ virtual ByteArray toDER() const = 0;

+ static std::string getSHA1Fingerprint(Certificate::ref, CryptoProvider* crypto);

+ protected:

+ static const char* ID_ON_XMPPADDR_OID;

+ static const char* ID_ON_DNSSRV_OID;

+ };

+ * Copyright (c) 2010-2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <cassert>

+#include <memory>

+#include <sstream>

+#include <string>

+

+#include <boost/algorithm/string/predicate.hpp>

+#include <boost/optional.hpp>

+

+#include <Swiften/Base/Log.h>

+#include <Swiften/StringCodecs/Base64.h>

+#include <Swiften/TLS/PrivateKey.h>

+

+std::vector<std::shared_ptr<Certificate>> CertificateFactory::createCertificateChain(const ByteArray& /* data */) {

+ assert(false);

+ return std::vector<std::shared_ptr<Certificate>>();

+}

+

+PrivateKey::ref CertificateFactory::createPrivateKey(const SafeByteArray& data, boost::optional<SafeByteArray> password) {

+ return std::make_shared<PrivateKey>(data, password);

+}

+

+ * Copyright (c) 2010-2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <boost/optional.hpp>

+

+#include <Swiften/Base/API.h>

+#include <Swiften/Base/SafeByteArray.h>

+#include <Swiften/TLS/PrivateKey.h>

+ class SWIFTEN_API CertificateFactory {

+ public:

+ virtual ~CertificateFactory();

+ virtual Certificate* createCertificateFromDER(const ByteArray& der) = 0;

+ virtual std::vector<std::shared_ptr<Certificate>> createCertificateChain(const ByteArray& data);

+ PrivateKey::ref createPrivateKey(const SafeByteArray& data, boost::optional<SafeByteArray> password = boost::optional<SafeByteArray>());

+ };

+ * Copyright (c) 2010 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <memory>

+ /**

+ * A class to implement a check for certificate trust.

+ */

+ class SWIFTEN_API CertificateTrustChecker {

+ public:

+ virtual ~CertificateTrustChecker();

+ /**

+ * This method is called to find out whether a certificate (chain) is

+ * trusted. This usually happens when a certificate's validation

+ * fails, to check whether to proceed with the connection or not.

+ *

+ * certificateChain contains the chain of certificates. The first certificate

+ * is the subject certificate.

+ */

+ virtual bool isCertificateTrusted(const std::vector<Certificate::ref>& certificateChain) = 0;

+ };

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <memory>

+

+#include <Swiften/Base/API.h>

+ class SWIFTEN_API CertificateVerificationError : public Error {

+ public:

+ typedef std::shared_ptr<CertificateVerificationError> ref;

+

+ enum Type {

+ UnknownError,

+ Expired,

+ NotYetValid,

+ SelfSigned,

+ Rejected,

+ Untrusted,

+ InvalidPurpose,

+ PathLengthExceeded,

+ InvalidSignature,

+ InvalidCA,

+ InvalidServerIdentity,

+ Revoked,

+ RevocationCheckFailed

+ };

+

+ CertificateVerificationError(Type type = UnknownError) : type(type) {}

+

+ Type getType() const {

+ return type;

+ }

+

+ private:

+ Type type;

+ };

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <Swiften/Base/API.h>

+ class SWIFTEN_API CertificateWithKey {

+ public:

+ typedef std::shared_ptr<CertificateWithKey> ref;

+ CertificateWithKey() {}

+ virtual ~CertificateWithKey() {}

+ virtual bool isNull() const = 0;

+ };

+ * Copyright (c) 2010-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+OpenSSLCertificate::OpenSSLCertificate(std::shared_ptr<X509> cert) : cert(cert) {

+ parse();

+ unsigned char* p = const_cast<unsigned char*>(vecptr(der));

+ const unsigned char* p = vecptr(der);

+#endif

+ cert = std::shared_ptr<X509>(d2i_X509(nullptr, &p, der.size()), X509_free);

+ if (!cert) {

+// SWIFT_LOG(warning) << "Error creating certificate from DER data";

+ }

+ parse();

+}

+

+void OpenSSLCertificate::incrementReferenceCount() const {

+#if OPENSSL_VERSION_NUMBER >= 0x10100000L

+ X509_up_ref(cert.get());

+#else

+ CRYPTO_add(&(cert.get()->references), 1, CRYPTO_LOCK_EVP_PKEY);

+ ByteArray result;

+ if (!cert) {

+ return result;

+ }

+ result.resize(i2d_X509(cert.get(), nullptr));

+ unsigned char* p = vecptr(result);

+ i2d_X509(cert.get(), &p);

+ return result;

+ if (!cert) {

+ return;

+ }

+ // Subject name

+ X509_NAME* subjectName = X509_get_subject_name(cert.get());

+ if (subjectName) {

+ // Subject name

+ ByteArray subjectNameData;

+ subjectNameData.resize(256);

+ X509_NAME_oneline(X509_get_subject_name(cert.get()), reinterpret_cast<char*>(vecptr(subjectNameData)), static_cast<unsigned int>(subjectNameData.size()));

+ this->subjectName = byteArrayToString(subjectNameData);

+ // Common name

+ int cnLoc = X509_NAME_get_index_by_NID(subjectName, NID_commonName, -1);

+ while (cnLoc != -1) {

+ X509_NAME_ENTRY* cnEntry = X509_NAME_get_entry(subjectName, cnLoc);

+ ASN1_STRING* cnData = X509_NAME_ENTRY_get_data(cnEntry);

+ commonNames.push_back(byteArrayToString(createByteArray(reinterpret_cast<const char*>(cnData->data), cnData->length)));

+ cnLoc = X509_NAME_get_index_by_NID(subjectName, NID_commonName, cnLoc);

+ }

+ }

+ // subjectAltNames

+ int subjectAltNameLoc = X509_get_ext_by_NID(cert.get(), NID_subject_alt_name, -1);

+ if(subjectAltNameLoc != -1) {

+ X509_EXTENSION* extension = X509_get_ext(cert.get(), subjectAltNameLoc);

+ std::shared_ptr<GENERAL_NAMES> generalNames(reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(extension)), GENERAL_NAMES_free);

+ std::shared_ptr<ASN1_OBJECT> xmppAddrObject(OBJ_txt2obj(ID_ON_XMPPADDR_OID, 1), ASN1_OBJECT_free);

+ std::shared_ptr<ASN1_OBJECT> dnsSRVObject(OBJ_txt2obj(ID_ON_DNSSRV_OID, 1), ASN1_OBJECT_free);

+ for (int i = 0; i < sk_GENERAL_NAME_num(generalNames.get()); ++i) {

+ GENERAL_NAME* generalName = sk_GENERAL_NAME_value(generalNames.get(), i);

+ if (generalName->type == GEN_OTHERNAME) {

+ OTHERNAME* otherName = generalName->d.otherName;

+ if (OBJ_cmp(otherName->type_id, xmppAddrObject.get()) == 0) {

+ // XmppAddr

+ if (otherName->value->type != V_ASN1_UTF8STRING) {

+ continue;

+ }

+ ASN1_UTF8STRING* xmppAddrValue = otherName->value->value.utf8string;

+ addXMPPAddress(byteArrayToString(createByteArray(reinterpret_cast<const char*>(ASN1_STRING_data(xmppAddrValue)), ASN1_STRING_length(xmppAddrValue))));

+ }

+ else if (OBJ_cmp(otherName->type_id, dnsSRVObject.get()) == 0) {

+ // SRVName

+ if (otherName->value->type != V_ASN1_IA5STRING) {

+ continue;

+ }

+ ASN1_IA5STRING* srvNameValue = otherName->value->value.ia5string;

+ addSRVName(byteArrayToString(createByteArray(reinterpret_cast<const char*>(ASN1_STRING_data(srvNameValue)), ASN1_STRING_length(srvNameValue))));

+ }

+ }

+ else if (generalName->type == GEN_DNS) {

+ // DNSName

+ addDNSName(byteArrayToString(createByteArray(ASN1_STRING_data(generalName->d.dNSName), ASN1_STRING_length(generalName->d.dNSName))));

+ }

+ }

+ }

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <memory>

+#include <string>

+

+ class OpenSSLCertificate : public Certificate {

+ public:

+ OpenSSLCertificate(std::shared_ptr<X509>);

+ OpenSSLCertificate(const ByteArray& der);

+

+ std::string getSubjectName() const {

+ return subjectName;

+ }

+

+ std::vector<std::string> getCommonNames() const {

+ return commonNames;

+ }

+

+ std::vector<std::string> getSRVNames() const {

+ return srvNames;

+ }

+

+ std::vector<std::string> getDNSNames() const {

+ return dnsNames;

+ }

+

+ std::vector<std::string> getXMPPAddresses() const {

+ return xmppAddresses;

+ }

+

+ ByteArray toDER() const;

+

+ std::shared_ptr<X509> getInternalX509() const {

+ return cert;

+ }

+

+ void incrementReferenceCount() const;

+

+ private:

+ void parse();

+

+ void addSRVName(const std::string& name) {

+ srvNames.push_back(name);

+ }

+

+ void addDNSName(const std::string& name) {

+ dnsNames.push_back(name);

+ }

+

+ void addXMPPAddress(const std::string& addr) {

+ xmppAddresses.push_back(addr);

+ }

+

+ private:

+ std::shared_ptr<X509> cert;

+ std::string subjectName;

+ std::vector<std::string> commonNames;

+ std::vector<std::string> dnsNames;

+ std::vector<std::string> xmppAddresses;

+ std::vector<std::string> srvNames;

+ };

+/*

+ * Copyright (c) 2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.h>

+

+#include <openssl/pem.h>

+#include <openssl/err.h>

+

+namespace Swift {

+

+OpenSSLCertificateFactory::OpenSSLCertificateFactory() {

+}

+

+OpenSSLCertificateFactory::~OpenSSLCertificateFactory() {

+}

+

+Certificate* OpenSSLCertificateFactory::createCertificateFromDER(const ByteArray& der) {

+ return new OpenSSLCertificate(der);

+}

+

+std::vector<std::shared_ptr<Certificate>> OpenSSLCertificateFactory::createCertificateChain(const ByteArray& data) {

+ std::vector<std::shared_ptr<Certificate>> certificateChain;

+

+ if (data.size() > std::numeric_limits<int>::max()) {

+ return certificateChain;

+ }

+

+ auto bio = std::shared_ptr<BIO>(BIO_new(BIO_s_mem()), BIO_free);

+ BIO_write(bio.get(), vecptr(data), int(data.size()));

+

+ // Attempt parsing data as PEM

+ X509* openSSLCert = nullptr;

+ auto x509certFromPEM = PEM_read_bio_X509(bio.get(), &openSSLCert, nullptr, nullptr);

+ if (x509certFromPEM && openSSLCert) {

+ std::shared_ptr<X509> x509Cert(openSSLCert, X509_free);

+ certificateChain.emplace_back(std::make_shared<OpenSSLCertificate>(x509Cert));

+ openSSLCert = nullptr;

+ while ((x509certFromPEM = PEM_read_bio_X509(bio.get(), &openSSLCert, nullptr, nullptr)) != nullptr) {

+ std::shared_ptr<X509> x509Cert(openSSLCert, X509_free);

+ certificateChain.emplace_back(std::make_shared<OpenSSLCertificate>(x509Cert));

+ openSSLCert = nullptr;

+ }

+ }

+

+ // Clear any (expected) errors which resulted from PEM parsing

+ // If we don't do this, any existing TLS context will detect these

+ // spurious errors and fail to work

+ ERR_clear_error();

+

+ return certificateChain;

+}

+

+}

+ * Copyright (c) 2010-2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ class OpenSSLCertificateFactory : public CertificateFactory {

+ public:

+ OpenSSLCertificateFactory();

+ virtual ~OpenSSLCertificateFactory() override final;

+

+ virtual Certificate* createCertificateFromDER(const ByteArray& der) override final;

+ virtual std::vector<std::shared_ptr<Certificate>> createCertificateChain(const ByteArray& data) override final;

+ };

+ * Copyright (c) 2010-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+

+#include <cassert>

+#include <memory>

+

+

+#include <openssl/bio.h>

+#include <Swiften/Base/Log.h>

+#include <Swiften/Base/Algorithm.h>

+#define SSL_DEFAULT_VERIFY_DEPTH 5

+

+// Callback function declarations for certificate verification

+extern "C" {

+ static int certVerifyCallback(X509_STORE_CTX *store_ctx, void*);

+ static int verifyCallback(int preverify_ok, X509_STORE_CTX *ctx);

+}

+

+ sk_X509_free(stack);

+namespace {

+ class OpenSSLInitializerFinalizer {

+ public:

+ OpenSSLInitializerFinalizer() {

+ SSL_load_error_strings();

+ SSL_library_init();

+ OpenSSL_add_all_algorithms();

+

+ // Disable compression

+ /*

+ STACK_OF(SSL_COMP)* compressionMethods = SSL_COMP_get_compression_methods();

+ sk_SSL_COMP_zero(compressionMethods);*/

+ }

+

+ ~OpenSSLInitializerFinalizer() {

+ EVP_cleanup();

+ }

+

+ OpenSSLInitializerFinalizer(const OpenSSLInitializerFinalizer &) = delete;

+ };

+

+ std::unique_ptr<SSL_CTX> createSSL_CTX(OpenSSLContext::Mode mode) {

+ std::unique_ptr<SSL_CTX> sslCtx;

+ switch (mode) {

+ case OpenSSLContext::Mode::Client:

+ sslCtx = std::unique_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_client_method()));

+ break;

+ case OpenSSLContext::Mode::Server:

+ sslCtx = std::unique_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_server_method()));

+ break;

+ }

+ return sslCtx;

+ }

+

+ std::string openSSLInternalErrorToString() {

+ auto bio = std::shared_ptr<BIO>(BIO_new(BIO_s_mem()), BIO_free);

+ ERR_print_errors(bio.get());

+ std::string errorString;

+ errorString.resize(BIO_pending(bio.get()));

+ BIO_read(bio.get(), (void*)errorString.data(), errorString.size());

+ return errorString;

+ }

+ }

+

+OpenSSLContext::OpenSSLContext(const TLSOptions& options, Mode mode) : mode_(mode), state_(State::Start) {

+ ensureLibraryInitialized();

+ context_ = createSSL_CTX(mode_);

+ SSL_CTX_set_options(context_.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

+

+ if (mode_ == Mode::Server) {

+#if OPENSSL_VERSION_NUMBER < 0x1010

+ // Automatically select highest preference curve used for ECDH temporary keys used during

+ // key exchange if possible.

+ // Since version 1.1.0, this option is always enabled.

+ SSL_CTX_set_ecdh_auto(context_.get(), 1);

+#endif

+

+ SSL_CTX_set_tlsext_servername_arg(context_.get(), this);

+ SSL_CTX_set_tlsext_servername_callback(context_.get(), OpenSSLContext::handleServerNameCallback);

+ }

+

+ // TODO: implement CRL checking

+ // TODO: download CRL (HTTP transport)

+ // TODO: cache CRL downloads for configurable time period

+ // TODO: implement OCSP support

+ // TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt

+ // Default for ignoreSystemTrustAnchors is false, i.e. load System TAs by default,

+ // to preserve previous behaviour

+ if (!options.ignoreSystemTrustAnchors) {

+ // Load system certs

+ X509_STORE* store = SSL_CTX_get_cert_store(context_.get());

+ HCERTSTORE systemStore = CertOpenSystemStore(0, "ROOT");

+ if (systemStore) {

+ PCCERT_CONTEXT certContext = nullptr;

+ while (true) {

+ certContext = CertFindCertificateInStore(systemStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, certContext);

+ if (!certContext) {

+ break;

+ }

+ OpenSSLCertificate cert(createByteArray(certContext->pbCertEncoded, certContext->cbCertEncoded));

+ if (store && cert.getInternalX509()) {

+ X509_STORE_add_cert(store, cert.getInternalX509().get());

+ }

+ }

+ }

+ SSL_CTX_set_default_verify_paths(context_.get());

+#elif defined(SWIFTEN_PLATFORM_MACOSX) && !defined(SWIFTEN_PLATFORM_IPHONE)

+ // On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store.

+ // On Mac OS X 10.6 (OpenSSL >= 0.9.8), OpenSSL *does* look in the system store to determine trust.

+ // However, if there is a certificate error, it will always emit the "Invalid CA" error if we didn't add

+ // the certificates first. See

+ // http://opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c

+ // to understand why. We therefore add all certs from the system store ourselves.

+ X509_STORE* store = SSL_CTX_get_cert_store(context_.get());

+ CFArrayRef anchorCertificates;

+ if (SecTrustCopyAnchorCertificates(&anchorCertificates) == 0) {

+ for (int i = 0; i < CFArrayGetCount(anchorCertificates); ++i) {

+ SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(const_cast<void*>(CFArrayGetValueAtIndex(anchorCertificates, i)));

+ CSSM_DATA certCSSMData;

+ if (SecCertificateGetData(cert, &certCSSMData) != 0 || certCSSMData.Length == 0) {

+ continue;

+ }

+ std::vector<unsigned char> certData;

+ certData.resize(certCSSMData.Length);

+ memcpy(&certData[0], certCSSMData.Data, certCSSMData.Length);

+ OpenSSLCertificate certificate(certData);

+ if (store && certificate.getInternalX509()) {

+ X509_STORE_add_cert(store, certificate.getInternalX509().get());

+ }

+ }

+ CFRelease(anchorCertificates);

+ }

+ }

+ configure(options);

+ static OpenSSLInitializerFinalizer openSSLInit;

+}

+

+void OpenSSLContext::initAndSetBIOs() {

+ // Ownership of BIOs is transferred

+ readBIO_ = BIO_new(BIO_s_mem());

+ writeBIO_ = BIO_new(BIO_s_mem());

+ SSL_set_bio(handle_.get(), readBIO_, writeBIO_);

+}

+

+// This callback is called by OpenSSL when a client certificate needs to be verified.

+// In turn, this calls the verification callback which the user

+// of this OpenSSLContext has configured (if any).

+static int certVerifyCallback(X509_STORE_CTX* store_ctx, void* arg)

+{

+ OpenSSLContext* context = static_cast<OpenSSLContext *>(arg);

+

+ // Need to stash store_ctx pointer for use within verification

+ context->setX509StoreContext(store_ctx);

+

+ int ret;

+

+ // This callback shouldn't have been set up if the context doesn't

+ // have a verifyCertCallback set, but it doesn't hurt to double check

+ std::function<int (const TLSContext *)> cb = context->getVerifyCertCallback();

+ if (cb != nullptr) {

+ ret = cb(static_cast<const OpenSSLContext*>(context));

+ } else {

+ SWIFT_LOG(debug) << "certVerifyCallback called but context.verifyCertCallback is unset";

+ ret = 0;

+ }

+

+ context->setX509StoreContext(nullptr);

+ return ret;

+}

+

+// Convenience function to generate a text representation

+// of an X509 Name. This information is only used for logging.

+static std::string X509_NAME_to_text(X509_NAME* name)

+{

+ std::string nameString;

+

+ if (!name) {

+ return nameString;

+ }

+

+ std::unique_ptr<BIO, decltype(&BIO_free)> io(BIO_new(BIO_s_mem()), &BIO_free);

+ int r = X509_NAME_print_ex(io.get(), name, 0, XN_FLAG_RFC2253);

+ BIO_write(io.get(), "\0", 1);

+

+ if (r > 0) {

+ BUF_MEM* ptr = nullptr;

+ BIO_get_mem_ptr(io.get(), &ptr);

+ nameString = ptr->data;

+ }

+

+ return nameString;

+}

+

+// Check depth of certificate chain

+static int verifyCallback(int preverifyOk, X509_STORE_CTX* ctx)

+{

+ // Retrieve the pointer to the SSL of the connection currently treated

+ // and the application specific data stored into the SSL object.

+

+ int err = X509_STORE_CTX_get_error(ctx);

+ int depth = X509_STORE_CTX_get_error_depth(ctx);

+

+ SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));

+ SSL_CTX* sslctx = ssl ? SSL_get_SSL_CTX(ssl) : nullptr;

+ if (!sslctx) {

+ SWIFT_LOG(debug) << "verifyCallback: internal error";

+ return preverifyOk;

+ }

+

+ if (SSL_CTX_get_verify_mode(sslctx) == SSL_VERIFY_NONE) {

+ SWIFT_LOG(debug) << "verifyCallback: no verification required";

+ // No verification requested

+ return 1;

+ }

+

+ X509* errCert = X509_STORE_CTX_get_current_cert(ctx);

+ std::string subjectString;

+ if (errCert) {

+ X509_NAME* subjectName = X509_get_subject_name(errCert);

+ subjectString = X509_NAME_to_text(subjectName);

+ }

+

+ // Catch a too long certificate chain. The depth limit set using

+ // SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so

+ // that whenever the "depth>verify_depth" condition is met, we

+ // have violated the limit and want to log this error condition.

+ // We must do it here, because the CHAIN_TOO_LONG error would not

+ // be found explicitly; only errors introduced by cutting off the

+ // additional certificates would be logged.

+ if (depth >= SSL_CTX_get_verify_depth(sslctx)) {

+ preverifyOk = 0;

+ err = X509_V_ERR_CERT_CHAIN_TOO_LONG;

+ X509_STORE_CTX_set_error(ctx, err);

+ }

+

+ if (!preverifyOk) {

+ std::string issuerString;

+ if (errCert) {

+ X509_NAME* issuerName = X509_get_issuer_name(errCert);

+ issuerString = X509_NAME_to_text(issuerName);

+ }

+ SWIFT_LOG(debug) << "verifyCallback: verification error " <<

+ X509_verify_cert_error_string(err) << " depth: " <<

+ depth << " issuer: " << ((issuerString.length() > 0) ? issuerString : "<unknown>");

+ } else {

+ SWIFT_LOG(debug) << "verifyCallback: SSL depth: " << depth << " Subject: " <<

+ ((subjectString.length() > 0) ? subjectString : "<>");

+ }

+ // Always return "OK", as check on verification status

+ // will be performed once TLS handshake has completed,

+ // by calling OpenSSLContext::getVerificationErrorTypeForResult() to

+ // get the value set via X509_STORE_CTX_set_error() above.

+ return 1;

+}

+

+bool OpenSSLContext::configure(const TLSOptions &options)

+{

+ if (options.cipherSuites) {

+ std::string cipherSuites = *(options.cipherSuites);

+ if (SSL_CTX_set_cipher_list(context_.get(), cipherSuites.c_str()) != 1 ) {

+ SWIFT_LOG(debug) << "Failed to set cipher-suites";

+ return false;

+ }

+ }

+

+ if (options.context) {

+ const auto& contextId = *options.context;

+

+ if (SSL_CTX_set_session_id_context(context_.get(),

+ reinterpret_cast<const unsigned char *>(contextId.c_str()),

+ contextId.length()) != 1) {

+ SWIFT_LOG(debug) << "Failed to set context-id";

+ return false;

+ }

+ }

+

+ if (options.sessionCacheTimeout) {

+ int scto = *options.sessionCacheTimeout;

+ if (scto <= 0) {

+ SWIFT_LOG(debug) << "Invalid value for session-cache-timeout";

+ return false;

+ }

+ (void)SSL_CTX_set_timeout(context_.get(), scto);

+ if (SSL_CTX_get_timeout(context_.get()) != scto) {

+ SWIFT_LOG(debug) << "Failed to set session-cache-timeout";

+ return false;

+ }

+ }

+

+ if (options.verifyCertificateCallback) {

+ verifyCertCallback = *options.verifyCertificateCallback;

+ } else {

+ verifyCertCallback = nullptr;

+ }

+

+ if (options.verifyMode) {

+ TLSOptions::VerifyMode verify_mode = *options.verifyMode;

+ int mode;

+ switch (verify_mode) {

+ case TLSOptions::VerifyMode::None:

+ mode = SSL_VERIFY_NONE;

+ break;

+ case TLSOptions::VerifyMode::Required:

+ mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE;

+ break;

+ case TLSOptions::VerifyMode::Optional:

+ mode = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;

+ break;

+ }

+

+ // Set up default certificate chain verification depth - may be overridden below

+ SSL_CTX_set_verify_depth(context_.get(), SSL_DEFAULT_VERIFY_DEPTH + 1);

+

+ // Set callbacks up

+ SSL_CTX_set_verify(context_.get(), mode, verifyCallback);

+

+ // Only set up certificate verification callback if a user callback has

+ // been configured via the TLSOptions

+ if (verifyCertCallback != nullptr) {

+ SSL_CTX_set_cert_verify_callback(context_.get(), certVerifyCallback, this);

+ }

+ }

+

+ if (options.verifyDepth) {

+ int depth = *options.verifyDepth;

+ if (depth <= 0) {

+ SWIFT_LOG(debug) << "Invalid value for verify-depth";

+ return false;

+ }

+

+ // Increase depth limit by one, so that verifyCallback() will log it

+ SSL_CTX_set_verify_depth(context_.get(), depth + 1);

+ }

+

+ auto updateOptionIfPresent = [this](boost::optional<bool> option, int flag) {

+ if (option) {

+ if (*option) {

+ SSL_CTX_set_options(context_.get(), flag);

+ }

+ else {

+ SSL_CTX_clear_options(context_.get(), flag);

+ }

+ }

+ };

+ updateOptionIfPresent(options.workaroundMicrosoftSessID, SSL_OP_MICROSOFT_SESS_ID_BUG);

+ updateOptionIfPresent(options.workaroundNetscapeChallenge, SSL_OP_NETSCAPE_CHALLENGE_BUG);

+ updateOptionIfPresent(options.workaroundNetscapeReuseCipherChange, SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);

+ updateOptionIfPresent(options.workaroundSSLRef2ReuseCertType, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);

+ updateOptionIfPresent(options.workaroundMicrosoftBigSSLv3Buffer, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);

+ updateOptionIfPresent(options.workaroundSSLeay080ClientDH, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);

+ updateOptionIfPresent(options.workaroundTLSD5, SSL_OP_TLS_D5_BUG);

+ updateOptionIfPresent(options.workaroundTLSBlockPadding, SSL_OP_TLS_BLOCK_PADDING_BUG);

+ updateOptionIfPresent(options.workaroundDontInsertEmptyFragments, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

+ updateOptionIfPresent(options.workaroundAll, SSL_OP_ALL);

+ updateOptionIfPresent(options.suppressSSLv2, SSL_OP_NO_SSLv2);

+ updateOptionIfPresent(options.suppressSSLv3, SSL_OP_NO_SSLv3);

+ updateOptionIfPresent(options.suppressTLSv1, SSL_OP_NO_TLSv1);

+ updateOptionIfPresent(options.disableTLSRollBackBug, SSL_OP_TLS_ROLLBACK_BUG);

+ updateOptionIfPresent(options.singleDHUse, SSL_OP_SINGLE_DH_USE);

+

+ if (options.trustAnchors) {

+ // Add any additional Trust Anchors which are present in the TLSOptions

+ X509_STORE* store = SSL_CTX_get_cert_store(context_.get());

+

+ if (store) {

+ for (auto& certificate : *options.trustAnchors) {

+ auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate.get());

+ if (openSSLCert && openSSLCert->getInternalX509()) {

+ X509_STORE_add_cert(store, openSSLCert->getInternalX509().get());

+ // Don't need to increment reference count as X509_STORE_add_cert does thiS

+ }

+ }

+ }

+ }

+

+ return true;

+}

+

+

+void OpenSSLContext::accept() {

+ assert(mode_ == Mode::Server);

+ handle_ = std::unique_ptr<SSL>(SSL_new(context_.get()));

+ if (!handle_) {

+ state_ = State::Error;

+ onError(std::make_shared<TLSError>(TLSError::AcceptFailed, openSSLInternalErrorToString()));

+ return;

+ }

+

+ initAndSetBIOs();

+

+ state_ = State::Accepting;

+ doAccept();

+ connect(std::string());

+}

+

+void OpenSSLContext::connect(const std::string& requestedServerName) {

+ assert(mode_ == Mode::Client);

+ handle_ = std::unique_ptr<SSL>(SSL_new(context_.get()));

+ if (!handle_) {

+ state_ = State::Error;

+ onError(std::make_shared<TLSError>(TLSError::ConnectFailed, openSSLInternalErrorToString()));

+ return;

+ }

+

+ if (!requestedServerName.empty()) {

+ if (SSL_set_tlsext_host_name(handle_.get(), const_cast<char*>(requestedServerName.c_str())) != 1) {

+ onError(std::make_shared<TLSError>(TLSError::ConnectFailed, "Failed to set Server Name Indication: " + openSSLInternalErrorToString()));\

+ return;

+ }

+ }

+

+ // Ownership of BIOs is transferred to the SSL_CTX instance in handle_.

+ initAndSetBIOs();

+

+ state_ = State::Connecting;

+ doConnect();

+}

+

+void OpenSSLContext::doAccept() {

+ auto acceptResult = SSL_accept(handle_.get());

+ auto error = SSL_get_error(handle_.get(), acceptResult);

+ switch (error) {

+ case SSL_ERROR_NONE: {

+ state_ = State::Connected;

+ //std::cout << x->name << std::endl;

+ //const char* comp = SSL_get_current_compression(handle_.get());

+ //std::cout << "Compression: " << SSL_COMP_get_name(comp) << std::endl;

+ onConnected();

+ // The following call is important so the client knowns the handshake is finished.

+ sendPendingDataToNetwork();

+ sendPendingDataToApplication();

+ break;

+ }

+ case SSL_ERROR_WANT_READ:

+ sendPendingDataToNetwork();

+ break;

+ case SSL_ERROR_WANT_WRITE:

+ sendPendingDataToNetwork();

+ break;

+ default:

+ state_ = State::Error;

+ onError(std::make_shared<TLSError>(TLSError::AcceptFailed, openSSLInternalErrorToString()));

+ sendPendingDataToNetwork();

+ }

+ int connectResult = SSL_connect(handle_.get());

+ int error = SSL_get_error(handle_.get(), connectResult);

+ switch (error) {

+ case SSL_ERROR_NONE: {

+ state_ = State::Connected;

+ //std::cout << x->name << std::endl;

+ //const char* comp = SSL_get_current_compression(handle_.get());

+ //std::cout << "Compression: " << SSL_COMP_get_name(comp) << std::endl;

+ onConnected();

+ // The following is needed since OpenSSL 1.1.1 for the server to be able to calculate the

+ // TLS finish message.

+ sendPendingDataToNetwork();

+ break;

+ }

+ case SSL_ERROR_WANT_READ:

+ sendPendingDataToNetwork();

+ break;

+ default:

+ state_ = State::Error;

+ onError(std::make_shared<TLSError>());

+ onError(std::make_shared<TLSError>(TLSError::ConnectFailed, openSSLInternalErrorToString()));

+ }

+}

+

+int OpenSSLContext::handleServerNameCallback(SSL* ssl, int*, void* arg) {

+ if (ssl == nullptr)

+ return SSL_TLSEXT_ERR_NOACK;

+

+ const char* servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

+ if (servername) {

+ auto serverNameString = std::string(servername);

+ auto context = reinterpret_cast<OpenSSLContext*>(arg);

+ context->onServerNameRequested(serverNameString);

+

+ if (context->abortTLSHandshake_) {

+ context->abortTLSHandshake_ = false;

+ return SSL_TLSEXT_ERR_ALERT_FATAL;

+ }

+ }

+ return SSL_TLSEXT_ERR_OK;

+ int size = BIO_pending(writeBIO_);

+ if (size > 0) {

+ SafeByteArray data;

+ data.resize(size);

+ BIO_read(writeBIO_, vecptr(data), size);

+ onDataForNetwork(data);

+ }

+ BIO_write(readBIO_, vecptr(data), data.size());

+ switch (state_) {

+ case State::Accepting:

+ doAccept();

+ break;

+ case State::Connecting:

+ doConnect();

+ break;

+ case State::Connected:

+ sendPendingDataToApplication();

+ break;

+ case State::Start: assert(false); break;

+ case State::Error: /*assert(false);*/ break;

+ }

+ auto ret = SSL_write(handle_.get(), vecptr(data), data.size());

+ if (ret > 0 || SSL_get_error(handle_.get(), ret) == SSL_ERROR_WANT_READ) {

+ sendPendingDataToNetwork();

+ }

+ else {

+ state_ = State::Error;

+ onError(std::make_shared<TLSError>(TLSError::UnknownError, openSSLInternalErrorToString()));

+ }

+ SafeByteArray data;

+ data.resize(SSL_READ_BUFFERSIZE);

+ int ret = SSL_read(handle_.get(), vecptr(data), data.size());

+ while (ret > 0) {

+ data.resize(ret);

+ onDataForApplication(data);

+ data.resize(SSL_READ_BUFFERSIZE);

+ ret = SSL_read(handle_.get(), vecptr(data), data.size());

+ }

+ if (ret < 0 && SSL_get_error(handle_.get(), ret) != SSL_ERROR_WANT_READ) {

+ state_ = State::Error;

+ onError(std::make_shared<TLSError>(TLSError::UnknownError, openSSLInternalErrorToString()));

+ }

+}

+

+bool OpenSSLContext::setCertificateChain(const std::vector<std::shared_ptr<Certificate>>& certificateChain) {

+ if (certificateChain.size() == 0) {

+ SWIFT_LOG(debug) << "Trying to load empty certificate chain.";

+ return false;

+ }

+

+ // load endpoint certificate

+ auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificateChain[0].get());

+ if (!openSSLCert) {

+ return false;

+ }

+

+ // This increments the reference count on the X509 certificate automatically

+ if (SSL_CTX_use_certificate(context_.get(), openSSLCert->getInternalX509().get()) != 1) {

+ return false;

+ }

+

+ if (certificateChain.size() > 1) {

+ for (auto certificate = certificateChain.begin() + 1; certificate != certificateChain.end(); ++certificate) {

+ auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate->get());

+ if (!openSSLCert) {

+ return false;

+ }

+

+ if (SSL_CTX_add_extra_chain_cert(context_.get(), openSSLCert->getInternalX509().get()) != 1) {

+ SWIFT_LOG(debug) << "Trying to load empty certificate chain.";

+ return false;

+ }

+ // Have to manually increment reference count as SSL_CTX_add_extra_chain_cert does not do so

+ openSSLCert->incrementReferenceCount();

+ }

+ }

+

+ if (handle_) {

+ // This workaround is needed as OpenSSL has a shortcut to not do anything

+ // if you set the SSL_CTX to the existing SSL_CTX and not reloading the

+ // certificates from the SSL_CTX.

+ auto dummyContext = createSSL_CTX(mode_);

+ SSL_set_SSL_CTX(handle_.get(), dummyContext.get());

+ SSL_set_SSL_CTX(handle_.get(), context_.get());

+ }

+

+ return true;

+}

+

+int empty_or_preset_password_cb(char* buf, int max_len, int flag, void* password);

+

+int empty_or_preset_password_cb(char* buf, int max_len, int /* flag */, void* password) {

+ char* charPassword = (char*)password;

+ if (charPassword == nullptr) {

+ return 0;

+ }

+ int len = strlen(charPassword);

+ if(len > max_len) {

+ return 0;

+ }

+ memcpy(buf, charPassword, len);

+ return len;

+}

+

+bool OpenSSLContext::setPrivateKey(const PrivateKey::ref& privateKey) {

+ if (privateKey->getData().size() > std::numeric_limits<int>::max()) {

+ return false;

+ }

+

+ auto bio = std::shared_ptr<BIO>(BIO_new(BIO_s_mem()), BIO_free);

+ BIO_write(bio.get(), vecptr(privateKey->getData()), int(privateKey->getData().size()));

+

+ SafeByteArray safePassword;

+ void* password = nullptr;

+ if (privateKey->getPassword()) {

+ safePassword = privateKey->getPassword().get();

+ safePassword.push_back(0);

+ password = safePassword.data();

+ }

+ // Make sure resultKey is tidied up by wrapping it in a shared_ptr

+ auto resultKey = std::shared_ptr<EVP_PKEY>(PEM_read_bio_PrivateKey(bio.get(), nullptr, empty_or_preset_password_cb, password), EVP_PKEY_free);

+ if (resultKey) {

+ if (handle_) {

+ auto result = SSL_use_PrivateKey(handle_.get(), resultKey.get());

+ if (result != 1) {

+ return false;

+ }

+ }

+ else {

+ auto result = SSL_CTX_use_PrivateKey(context_.get(), resultKey.get());

+ if (result != 1) {

+ return false;

+ }

+ }

+ }

+ else {

+ return false;

+ }

+ return true;

+}

+

+void OpenSSLContext::setAbortTLSHandshake(bool abort) {

+ abortTLSHandshake_ = abort;

+ std::shared_ptr<PKCS12Certificate> pkcs12Certificate = std::dynamic_pointer_cast<PKCS12Certificate>(certificate);

+ if (!pkcs12Certificate || pkcs12Certificate->isNull()) {

+ return false;

+ }

+

+ // Create a PKCS12 structure

+ BIO* bio = BIO_new(BIO_s_mem());

+ BIO_write(bio, vecptr(pkcs12Certificate->getData()), pkcs12Certificate->getData().size());

+ std::shared_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(bio, nullptr), PKCS12_free);

+ BIO_free(bio);

+ if (!pkcs12) {

+ return false;

+ }

+

+ // Parse PKCS12

+ X509 *certPtr = nullptr;

+ EVP_PKEY* privateKeyPtr = nullptr;

+ STACK_OF(X509)* caCertsPtr = nullptr;

+ SafeByteArray password(pkcs12Certificate->getPassword());

+ password.push_back(0);

+ int result = PKCS12_parse(pkcs12.get(), reinterpret_cast<const char*>(vecptr(password)), &privateKeyPtr, &certPtr, &caCertsPtr);

+ if (result != 1) {

+ return false;

+ }

+ std::shared_ptr<X509> cert(certPtr, X509_free);

+ std::shared_ptr<EVP_PKEY> privateKey(privateKeyPtr, EVP_PKEY_free);

+ std::shared_ptr<STACK_OF(X509)> caCerts(caCertsPtr, freeX509Stack);

+

+ // Use the key & certificates

+ if (SSL_CTX_use_certificate(context_.get(), cert.get()) != 1) {

+ return false;

+ }

+ if (SSL_CTX_use_PrivateKey(context_.get(), privateKey.get()) != 1) {

+ return false;

+ }

+ for (int i = 0; i < sk_X509_num(caCerts.get()); ++i) {

+ SSL_CTX_add_extra_chain_cert(context_.get(), sk_X509_value(caCerts.get(), i));

+ }

+ return true;

+}

+

+bool OpenSSLContext::setDiffieHellmanParameters(const ByteArray& parametersInOpenSslDer) {

+ auto bio = std::unique_ptr<BIO, decltype(&BIO_free)>(BIO_new(BIO_s_mem()), BIO_free);

+ if (bio) {

+ BIO_write(bio.get(), vecptr(parametersInOpenSslDer), parametersInOpenSslDer.size());

+ auto result = 0L;

+ if (auto dhparams = d2i_DHparams_bio(bio.get(), nullptr)) {

+ if (handle_) {

+ result = SSL_set_tmp_dh(handle_.get(), dhparams);

+ }

+ else {

+ result = SSL_CTX_set_tmp_dh(context_.get(), dhparams);

+ }

+ DH_free(dhparams);

+ }

+ return result == 1;

+ }

+ return false;

+ std::vector<Certificate::ref> result;

+

+ // When this context is a server, the peer (client) certificate

+ // is obtained via SSL_get_peer_certificate, and any other

+ // certificates set by the peer are available via SSL_get_peer_cert_chain.

+ // When this context is a client, all of the server's certificates are

+ // obtained using SSL_get_peer_cert_chain

+ if (mode_ == Mode::Server) {

+ auto cert = SSL_get_peer_certificate(handle_.get());

+ if (cert) {

+ // Do not need to copy the returned cert as SSL_get_peer_certificate

+ // increments the reference count on the certificate

+ std::shared_ptr<X509> x509Cert(cert, X509_free);

+ Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert);

+ result.push_back(cert);

+ }

+ }

+

+ STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_.get());

+ for (int i = 0; i < sk_X509_num(chain); ++i) {

+ // Here we do need to copy the returned cert, since SSL_get_peer_cert_chain

+ // does not increment the reference count on each certificate

+ std::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free);

+

+ Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert);

+ result.push_back(cert);

+ }

+

+ return result;

+std::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {

+ int verifyResult = SSL_get_verify_result(handle_.get());

+ if (verifyResult != X509_V_OK) {

+ return std::make_shared<CertificateVerificationError>(getVerificationErrorTypeForResult(verifyResult));

+ }

+ else {

+ return std::shared_ptr<CertificateVerificationError>();

+ }

+ ByteArray data;

+ data.resize(MAX_FINISHED_SIZE);

+ auto size = SSL_get_finished(handle_.get(), vecptr(data), data.size());

+ data.resize(size);

+ return data;

+ByteArray OpenSSLContext::getPeerFinishMessage() const {

+ ByteArray data;

+ data.resize(MAX_FINISHED_SIZE);

+ auto size = SSL_get_peer_finished(handle_.get(), vecptr(data), data.size());

+ data.resize(size);

+ return data;

+ }

+

+ assert(result != 0);

+ switch (result) {

+ case X509_V_ERR_CERT_NOT_YET_VALID:

+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:

+ return CertificateVerificationError::NotYetValid;

+

+ case X509_V_ERR_CERT_HAS_EXPIRED:

+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:

+ return CertificateVerificationError::Expired;

+

+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:

+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:

+ return CertificateVerificationError::SelfSigned;

+

+ case X509_V_ERR_CERT_UNTRUSTED:

+ return CertificateVerificationError::Untrusted;

+

+ case X509_V_ERR_CERT_REJECTED:

+ return CertificateVerificationError::Rejected;

+

+ case X509_V_ERR_INVALID_PURPOSE:

+ return CertificateVerificationError::InvalidPurpose;

+

+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:

+ return CertificateVerificationError::PathLengthExceeded;

+

+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:

+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:

+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:

+ return CertificateVerificationError::InvalidSignature;

+

+ case X509_V_ERR_INVALID_CA:

+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:

+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:

+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:

+ return CertificateVerificationError::InvalidCA;

+

+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:

+ case X509_V_ERR_AKID_SKID_MISMATCH:

+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:

+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:

+ return CertificateVerificationError::UnknownError;

+

+ // Unused / should not happen

+ case X509_V_ERR_CERT_REVOKED:

+ case X509_V_ERR_OUT_OF_MEM:

+ case X509_V_ERR_UNABLE_TO_GET_CRL:

+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:

+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:

+ case X509_V_ERR_CRL_NOT_YET_VALID:

+ case X509_V_ERR_CRL_HAS_EXPIRED:

+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:

+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:

+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:

+ case X509_V_ERR_APPLICATION_VERIFICATION:

+ default:

+ return CertificateVerificationError::UnknownError;

+ }

+ * Copyright (c) 2010-2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <memory>

+

+#include <boost/signals2.hpp>

+

+#include <openssl/ssl.h>

+#include <Swiften/TLS/TLSContext.h>

+#include <Swiften/TLS/TLSOptions.h>

+

+namespace std {

+ template<>

+ class default_delete<SSL_CTX> {

+ public:

+ void operator()(SSL_CTX *ptr) {

+ SSL_CTX_free(ptr);

+ }

+ };

+

+ template<>

+ class default_delete<SSL> {

+ public:

+ void operator()(SSL *ptr) {

+ SSL_free(ptr);

+ }

+ };

+}

+ class OpenSSLContext : public TLSContext, boost::noncopyable {

+ public:

+ OpenSSLContext(const TLSOptions& options, Mode mode);

+ virtual ~OpenSSLContext() override final;

+ void accept() override final;

+ void connect() override final;

+ void connect(const std::string& requestHostname) override final;

+ bool setCertificateChain(const std::vector<std::shared_ptr<Certificate>>& certificateChain) override final;

+ bool setPrivateKey(const PrivateKey::ref& privateKey) override final;

+ bool setClientCertificate(CertificateWithKey::ref cert) override final;

+ void setAbortTLSHandshake(bool abort) override final;

+ bool setDiffieHellmanParameters(const ByteArray& parametersInOpenSslDer) override final;

+ void handleDataFromNetwork(const SafeByteArray&) override final;

+ void handleDataFromApplication(const SafeByteArray&) override final;

+ std::vector<Certificate::ref> getPeerCertificateChain() const override final;

+ std::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const override final;

+ virtual ByteArray getFinishMessage() const override final;

+ virtual ByteArray getPeerFinishMessage() const override final;

+ void setX509StoreContext(X509_STORE_CTX *ptr) { x509_store_ctx = ptr; }

+ std::function<int (const TLSContext *)> getVerifyCertCallback() { return verifyCertCallback; }

+ private:

+ bool configure(const TLSOptions& options);

+ static void ensureLibraryInitialized();

+ static int handleServerNameCallback(SSL *ssl, int *ad, void *arg);

+ static CertificateVerificationError::Type getVerificationErrorTypeForResult(int);

+ void initAndSetBIOs();

+ void doAccept();

+ void doConnect();

+ void sendPendingDataToNetwork();

+ void sendPendingDataToApplication();

+ private:

+ enum class State { Start, Accepting, Connecting, Connected, Error };

+ const Mode mode_;

+ State state_;

+ std::unique_ptr<SSL_CTX> context_;

+ std::unique_ptr<SSL> handle_;

+ BIO* readBIO_ = nullptr;

+ BIO* writeBIO_ = nullptr;

+ bool abortTLSHandshake_ = false;

+ X509_STORE_CTX *x509_store_ctx = nullptr;

+ std::function<int (const TLSContext *)> verifyCertCallback = nullptr;

+ };

+ * Copyright (c) 2010-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+

+#include <openssl/bio.h>

+#include <openssl/dh.h>

+#include <openssl/pem.h>

+

+#include <Swiften/TLS/OpenSSL/OpenSSLContext.h>

+

+#pragma clang diagnostic ignored "-Wshorten-64-to-32"

+ return true;

+std::unique_ptr<TLSContext> OpenSSLContextFactory::createTLSContext(const TLSOptions& options, TLSContext::Mode mode) {

+ return std::make_unique<OpenSSLContext>(options, mode);

+}

+

+ByteArray OpenSSLContextFactory::convertDHParametersFromPEMToDER(const std::string& dhParametersInPEM) {

+ ByteArray dhParametersInDER;

+

+ auto bio = std::unique_ptr<BIO, decltype(&BIO_free)>(BIO_new(BIO_s_mem()), BIO_free);

+ if (bio) {

+ BIO_write(bio.get(), dhParametersInPEM.data(), dhParametersInPEM.size());

+ if (auto params = PEM_read_bio_DHparams(bio.get(), nullptr, nullptr, nullptr)) {

+ unsigned char* buffer = nullptr;

+ auto len = i2d_DHparams(params, &buffer);

+ if (len > 0) {

+ dhParametersInDER = createByteArray(buffer, static_cast<size_t>(len));

+ free(buffer);

+ }

+ DH_free(params);

+

+ }

+ }

+ return dhParametersInDER;

+ if (check) {

+ SWIFT_LOG(warning) << "CRL Checking not supported for OpenSSL";

+ assert(false);

+ }

+}

+

+void OpenSSLContextFactory::setDisconnectOnCardRemoval(bool check) {

+ if (check) {

+ SWIFT_LOG(warning) << "Smart cards not supported for OpenSSL";

+ }

+ * Copyright (c) 2010-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <memory>

+#include <Swiften/TLS/TLSContextFactory.h>

+ class OpenSSLContextFactory : public TLSContextFactory {

+ public:

+ bool canCreate() const override final;

+ virtual std::unique_ptr<TLSContext> createTLSContext(const TLSOptions& tlsOptions, TLSContext::Mode mode) override final;

+

+ virtual ByteArray convertDHParametersFromPEMToDER(const std::string& dhParametersInPEM) override final;

+ // Not supported

+ virtual void setCheckCertificateRevocation(bool b) override final;

+ virtual void setDisconnectOnCardRemoval(bool b) override final;

+ };

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <boost/filesystem/path.hpp>

+

+#include <Swiften/Base/API.h>

+ class SWIFTEN_API PKCS12Certificate : public Swift::CertificateWithKey {

+ public:

+ PKCS12Certificate() {}

+ PKCS12Certificate(const boost::filesystem::path& filename, const SafeByteArray& password) : password_(password) {

+ readByteArrayFromFile(data_, filename);

+ }

+ virtual ~PKCS12Certificate() {}

+ virtual bool isNull() const {

+ return data_.empty();

+ }

+ virtual bool isPrivateKeyExportable() const {

+ return true;

+ }

+

+ virtual const std::string& getCertStoreName() const {

+///// assert(0);

+ throw std::exception();

+ }

+

+ virtual const std::string& getCertName() const {

+ /* We can return the original filename instead, if we care */

+///// assert(0);

+ throw std::exception();

+ }

+

+ virtual const ByteArray& getData() const {

+ return data_;

+ }

+

+ void setData(const ByteArray& data) {

+ data_ = data;

+ }

+

+ virtual const SafeByteArray& getPassword() const {

+ return password_;

+ }

+

+ private:

+ ByteArray data_;

+ SafeByteArray password_;

+ };

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <Swiften/Base/Platform.h>

+#include <Swiften/TLS/CertificateFactory.h>

+#include <Swiften/TLS/TLSContextFactory.h>

+ #include <Swiften/TLS/OpenSSL/OpenSSLContextFactory.h>

+ #include <Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.h>

+ #include <Swiften/TLS/Schannel/SchannelContextFactory.h>

+ #include <Swiften/TLS/Schannel/SchannelCertificateFactory.h>

+#endif

+#ifdef HAVE_SECURETRANSPORT

+ #include <Swiften/TLS/SecureTransport/SecureTransportContextFactory.h>

+ #include <Swiften/TLS/SecureTransport/SecureTransportCertificateFactory.h>

+PlatformTLSFactories::PlatformTLSFactories() : contextFactory(nullptr), certificateFactory(nullptr) {

+ contextFactory = new OpenSSLContextFactory();

+ certificateFactory = new OpenSSLCertificateFactory();

+ contextFactory = new SchannelContextFactory();

+ certificateFactory = new SchannelCertificateFactory();

+#endif

+#ifdef HAVE_SECURETRANSPORT

+ contextFactory = new SecureTransportContextFactory();

+ certificateFactory = new SecureTransportCertificateFactory();

+ delete contextFactory;

+ delete certificateFactory;

+ return contextFactory;

+ return certificateFactory;

+ * Copyright (c) 2010 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ class TLSContextFactory;

+ class CertificateFactory;

+ class SWIFTEN_API PlatformTLSFactories {

+ public:

+ PlatformTLSFactories();

+ ~PlatformTLSFactories();

+ TLSContextFactory* getTLSContextFactory() const;

+ CertificateFactory* getCertificateFactory() const;

+ private:

+ TLSContextFactory* contextFactory;

+ CertificateFactory* certificateFactory;

+ };

+/*

+ * Copyright (c) 2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <Swiften/TLS/PrivateKey.h>

+

+namespace Swift {

+

+PrivateKey::PrivateKey(const SafeByteArray& data, boost::optional<SafeByteArray> password) : data_(data), password_(password) {

+}

+

+const SafeByteArray& PrivateKey::getData() const {

+ return data_;

+}

+

+const boost::optional<SafeByteArray>& PrivateKey::getPassword() const {

+ return password_;

+}

+

+}

+/*

+ * Copyright (c) 2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#pragma once

+

+#include <memory>

+

+#include <boost/optional.hpp>

+

+#include <Swiften/Base/SafeByteArray.h>

+#include <Swiften/TLS/PrivateKey.h>

+

+namespace Swift {

+

+class PrivateKey {

+public:

+ using ref = std::shared_ptr<PrivateKey>;

+

+public:

+ PrivateKey(const SafeByteArray& data, boost::optional<SafeByteArray> password = boost::optional<SafeByteArray>());

+

+ const SafeByteArray& getData() const;

+ const boost::optional<SafeByteArray>& getPassword() const;

+

+private:

+ SafeByteArray data_;

+ boost::optional<SafeByteArray> password_;

+};

+

+}

+ "Certificate.cpp",

+ "CertificateFactory.cpp",

+ "CertificateTrustChecker.cpp",

+ "PrivateKey.cpp",

+ "ServerIdentityVerifier.cpp",

+ "TLSContext.cpp",

+ "TLSContextFactory.cpp",

+ ])

+

+ myenv.MergeFlags(myenv["OPENSSL_FLAGS"])

+ objects += myenv.SwiftenObject([

+ "OpenSSL/OpenSSLContext.cpp",

+ "OpenSSL/OpenSSLCertificate.cpp",

+ "OpenSSL/OpenSSLContextFactory.cpp",

+ "OpenSSL/OpenSSLCertificateFactory.cpp",

+ ])

+ myenv.Append(CPPDEFINES = "HAVE_OPENSSL")

+ if myenv["PLATFORM"] == "win32" :

+ myenv.Append(CPPDEFINES = "NOMINMAX")

+ swiften_env.Append(LIBS = ["Winscard"])

+ objects += myenv.SwiftenObject([

+ "CAPICertificate.cpp",

+ "Schannel/SchannelContext.cpp",

+ "Schannel/SchannelCertificate.cpp",

+ "Schannel/SchannelContextFactory.cpp",

+ ])

+ myenv.Append(CPPDEFINES = "HAVE_SCHANNEL")

+elif myenv.get("HAVE_SECURETRANSPORT", 0) :

+ #swiften_env.Append(LIBS = ["Winscard"])

+ objects += myenv.SwiftenObject([

+ "SecureTransport/SecureTransportContext.mm",

+ "SecureTransport/SecureTransportCertificate.mm",

+ "SecureTransport/SecureTransportContextFactory.cpp",

+ ])

+ myenv.Append(CPPDEFINES = "HAVE_SECURETRANSPORT")

+/*

+ * Copyright (c) 2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+SchannelCertificate::SchannelCertificate(const ScopedCertContext& certCtxt)

+: m_cert(certCtxt)

+ parse();

+ if (!der.empty())

+ {

+ // Convert the DER encoded certificate to a PCERT_CONTEXT

+ CERT_BLOB certBlob = {0};

+ certBlob.cbData = der.size();

+ certBlob.pbData = (BYTE*)&der[0];

+

+ if (!CryptQueryObject(

+ CERT_QUERY_OBJECT_BLOB,

+ &certBlob,

+ CERT_QUERY_CONTENT_FLAG_CERT,

+ CERT_QUERY_FORMAT_FLAG_ALL,

+ 0,

+ NULL,

+ NULL,

+ NULL,

+ NULL,

+ NULL,

+ (const void**)m_cert.Reset()))

+ {

+ // TODO: Because Swiften isn't exception safe, we have no way to indicate failure

+ }

+ }

+ByteArray SchannelCertificate::toDER() const

+ ByteArray result;

+

+ // Serialize the certificate. The CERT_CONTEXT is already DER encoded.

+ result.resize(m_cert->cbCertEncoded);

+ memcpy(&result[0], m_cert->pbCertEncoded, result.size());

+ return result;

+ if (wstr.empty())

+ return "";

+ // First request the size of the required UTF-8 buffer

+ int numRequiredBytes = WideCharToMultiByte(CP_UTF8, 0, wstr.c_str(), wstr.size(), NULL, 0, NULL, NULL);

+ if (!numRequiredBytes)

+ return "";

+ // Allocate memory for the UTF-8 string

+ std::vector<char> utf8Str(numRequiredBytes);

+ int numConverted = WideCharToMultiByte(CP_UTF8, 0, wstr.c_str(), wstr.size(), &utf8Str[0], numRequiredBytes, NULL, NULL);

+ if (!numConverted)

+ return "";

+ std::string str(&utf8Str[0], numConverted);

+ return str;

+void SchannelCertificate::parse()

+ //

+ // Subject name

+ //

+ DWORD requiredSize = CertNameToStr(X509_ASN_ENCODING, &m_cert->pCertInfo->Subject, CERT_OID_NAME_STR, NULL, 0);

+ if (requiredSize > 1)

+ {

+ vector<char> rawSubjectName(requiredSize);

+ CertNameToStr(X509_ASN_ENCODING, &m_cert->pCertInfo->Subject, CERT_OID_NAME_STR, &rawSubjectName[0], rawSubjectName.size());

+ m_subjectName = std::string(&rawSubjectName[0]);

+ }

+

+ //

+ // Common name

+ //

+ // Note: We only pull out one common name from the cert.

+ requiredSize = CertGetNameString(m_cert, CERT_NAME_ATTR_TYPE, 0, szOID_COMMON_NAME, NULL, 0);

+ if (requiredSize > 1)

+ {

+ vector<char> rawCommonName(requiredSize);

+ requiredSize = CertGetNameString(m_cert, CERT_NAME_ATTR_TYPE, 0, szOID_COMMON_NAME, &rawCommonName[0], rawCommonName.size());

+ m_commonNames.push_back( std::string(&rawCommonName[0]) );

+ }

+

+ //

+ // Subject alternative names

+ //

+ PCERT_EXTENSION pExtensions = CertFindExtension(szOID_SUBJECT_ALT_NAME2, m_cert->pCertInfo->cExtension, m_cert->pCertInfo->rgExtension);

+ if (pExtensions)

+ {

+ CRYPT_DECODE_PARA decodePara = {0};

+ decodePara.cbSize = sizeof(decodePara);

+

+ CERT_ALT_NAME_INFO* pAltNameInfo = NULL;

+ DWORD altNameInfoSize = 0;

+

+ BOOL status = CryptDecodeObjectEx(

+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

+ szOID_SUBJECT_ALT_NAME2,

+ pExtensions->Value.pbData,

+ pExtensions->Value.cbData,

+ CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,

+ &decodePara,

+ &pAltNameInfo,

+ &altNameInfoSize);

+

+ if (status && pAltNameInfo)

+ {

+ for (int i = 0; i < pAltNameInfo->cAltEntry; i++)

+ {

+ if (pAltNameInfo->rgAltEntry[i].dwAltNameChoice == CERT_ALT_NAME_DNS_NAME)

+ addDNSName( wstrToStr( pAltNameInfo->rgAltEntry[i].pwszDNSName ) );

+ }

+ }

+ }

+

+ // if (pExtensions)

+ // {

+ // vector<wchar_t> subjectAlt

+ // CryptDecodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, szOID_SUBJECT_ALT_NAME, pExtensions->Value->pbData, pExtensions->Value->cbData, )

+ // }

+ //

+ // // subjectAltNames

+ // int subjectAltNameLoc = X509_get_ext_by_NID(cert.get(), NID_subject_alt_name, -1);

+ // if(subjectAltNameLoc != -1) {

+ // X509_EXTENSION* extension = X509_get_ext(cert.get(), subjectAltNameLoc);

+ // std::shared_ptr<GENERAL_NAMES> generalNames(reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(extension)), GENERAL_NAMES_free);

+ // std::shared_ptr<ASN1_OBJECT> xmppAddrObject(OBJ_txt2obj(ID_ON_XMPPADDR_OID, 1), ASN1_OBJECT_free);

+ // std::shared_ptr<ASN1_OBJECT> dnsSRVObject(OBJ_txt2obj(ID_ON_DNSSRV_OID, 1), ASN1_OBJECT_free);

+ // for (int i = 0; i < sk_GENERAL_NAME_num(generalNames.get()); ++i) {

+ // GENERAL_NAME* generalName = sk_GENERAL_NAME_value(generalNames.get(), i);

+ // if (generalName->type == GEN_OTHERNAME) {

+ // OTHERNAME* otherName = generalName->d.otherName;

+ // if (OBJ_cmp(otherName->type_id, xmppAddrObject.get()) == 0) {

+ // // XmppAddr

+ // if (otherName->value->type != V_ASN1_UTF8STRING) {

+ // continue;

+ // }

+ // ASN1_UTF8STRING* xmppAddrValue = otherName->value->value.utf8string;

+ // addXMPPAddress(ByteArray(ASN1_STRING_data(xmppAddrValue), ASN1_STRING_length(xmppAddrValue)).toString());

+ // }

+ // else if (OBJ_cmp(otherName->type_id, dnsSRVObject.get()) == 0) {

+ // // SRVName

+ // if (otherName->value->type != V_ASN1_IA5STRING) {

+ // continue;

+ // }

+ // ASN1_IA5STRING* srvNameValue = otherName->value->value.ia5string;

+ // addSRVName(ByteArray(ASN1_STRING_data(srvNameValue), ASN1_STRING_length(srvNameValue)).toString());

+ // }

+ // }

+ // else if (generalName->type == GEN_DNS) {

+ // // DNSName

+ // addDNSName(ByteArray(ASN1_STRING_data(generalName->d.dNSName), ASN1_STRING_length(generalName->d.dNSName)).toString());

+ // }

+ // }

+ // }

+/*

+ * Copyright (c) 2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <memory>

+#include <Swiften/Base/String.h>

+#include <Swiften/TLS/Certificate.h>

+#include <Swiften/TLS/Schannel/SchannelUtil.h>

+namespace Swift

+ class SchannelCertificate : public Certificate

+ {

+ public:

+ typedef std::shared_ptr<SchannelCertificate> ref;

+

+ public:

+ SchannelCertificate(const ScopedCertContext& certCtxt);

+ SchannelCertificate(const ByteArray& der);

+

+ std::string getSubjectName() const

+ {

+ return m_subjectName;

+ }

+

+ std::vector<std::string> getCommonNames() const

+ {

+ return m_commonNames;

+ }

+

+ std::vector<std::string> getSRVNames() const

+ {

+ return m_srvNames;

+ }

+

+ std::vector<std::string> getDNSNames() const

+ {

+ return m_dnsNames;

+ }

+

+ std::vector<std::string> getXMPPAddresses() const

+ {

+ return m_xmppAddresses;

+ }

+

+ ScopedCertContext getCertContext() const

+ {

+ return m_cert;

+ }

+

+ ByteArray toDER() const;

+

+ private:

+ void parse();

+ std::string wstrToStr(const std::wstring& wstr);

+

+ void addSRVName(const std::string& name)

+ {

+ m_srvNames.push_back(name);

+ }

+

+ void addDNSName(const std::string& name)

+ {

+ m_dnsNames.push_back(name);

+ }

+

+ void addXMPPAddress(const std::string& addr)

+ {

+ m_xmppAddresses.push_back(addr);

+ }

+

+ private:

+ ScopedCertContext m_cert;

+

+ std::string m_subjectName;

+ std::vector<std::string> m_commonNames;

+ std::vector<std::string> m_dnsNames;

+ std::vector<std::string> m_xmppAddresses;

+ std::vector<std::string> m_srvNames;

+ };

+ class SchannelCertificateFactory : public CertificateFactory {

+ public:

+ virtual Certificate* createCertificateFromDER(const ByteArray& der) {

+ return new SchannelCertificate(der);

+ }

+ };

+ * Copyright (c) 2012-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <Swiften/TLS/Schannel/SchannelContext.h>

+

+#include <Swiften/Base/Log.h>

+#include <Swiften/TLS/CAPICertificate.h>

+#include <Swiften/TLS/Schannel/SchannelCertificate.h>

+

+SchannelContext::SchannelContext(bool tls1_0Workaround) : state_(Start), secContext_(0), myCertStore_(NULL), certStoreName_("MY"), certName_(), smartCardReader_(), checkCertificateRevocation_(true), tls1_0Workaround_(tls1_0Workaround), disconnectOnCardRemoval_(true) {

+ contextFlags_ = ISC_REQ_ALLOCATE_MEMORY |

+ ISC_REQ_CONFIDENTIALITY |

+ ISC_REQ_EXTENDED_ERROR |

+ ISC_REQ_INTEGRITY |

+ ISC_REQ_REPLAY_DETECT |

+ ISC_REQ_SEQUENCE_DETECT |

+ ISC_REQ_USE_SUPPLIED_CREDS |

+ ISC_REQ_STREAM;

+

+ ZeroMemory(&streamSizes_, sizeof(streamSizes_));

+ SWIFT_LOG(debug) << "Destroying SchannelContext";

+ if (myCertStore_) {

+ if (CertCloseStore(myCertStore_, 0) == FALSE) {

+ SWIFT_LOG(debug) << "Failed to close the certificate store";

+ }

+ }

+ if (QueryContextAttributes(contextHandle_, SECPKG_ATTR_STREAM_SIZES, &streamSizes_) != SEC_E_OK) {

+ SWIFT_LOG(debug) << "QueryContextAttributes failed to determinate the stream size";

+ }

+ ScopedCertContext pCertContext;

+

+ state_ = Connecting;

+

+ // If a user name is specified, then attempt to find a client

+ // certificate. Otherwise, just create a NULL credential.

+ if (!certName_.empty()) {

+ if (myCertStore_ == NULL) {

+ myCertStore_ = CertOpenSystemStore(0, certStoreName_.c_str());

+ if (!myCertStore_) {

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ return;

+ }

+ }

+

+ pCertContext = findCertificateInStore( myCertStore_, certName_ );

+ if (pCertContext == NULL) {

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ return;

+ }

+ }

+

+ // We use an empty list for client certificates

+ PCCERT_CONTEXT clientCerts[1] = {0};

+

+ SCHANNEL_CRED sc = {0};

+ sc.dwVersion = SCHANNEL_CRED_VERSION;

+

+ if (tls1_0Workaround_) {

+ sc.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;

+ }

+ else {

+ sc.grbitEnabledProtocols = /*SP_PROT_SSL3_CLIENT | */SP_PROT_TLS1_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;

+ }

+

+ sc.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;

+

+ if (pCertContext) {

+ sc.cCreds = 1;

+ sc.paCred = pCertContext.GetPointer();

+ sc.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;

+ }

+ else {

+ sc.cCreds = 0;

+ sc.paCred = clientCerts;

+ sc.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;

+ }

+

+ // Swiften performs the server name check for us

+ sc.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;

+

+ SECURITY_STATUS status = AcquireCredentialsHandle(

+ NULL,

+ UNISP_NAME,

+ SECPKG_CRED_OUTBOUND,

+ NULL,

+ &sc,

+ NULL,

+ NULL,

+ credHandle_.Reset(),

+ NULL);

+

+ if (status != SEC_E_OK) {

+ // We failed to obtain the credentials handle

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ return;

+ }

+

+ SecBuffer outBuffers[2];

+

+ // We let Schannel allocate the output buffer for us

+ outBuffers[0].pvBuffer = NULL;

+ outBuffers[0].cbBuffer = 0;

+ outBuffers[0].BufferType = SECBUFFER_TOKEN;

+

+ // Contains alert data if an alert is generated

+ outBuffers[1].pvBuffer = NULL;

+ outBuffers[1].cbBuffer = 0;

+ outBuffers[1].BufferType = SECBUFFER_ALERT;

+

+ // Make sure the output buffers are freed

+ ScopedSecBuffer scopedOutputData(&outBuffers[0]);

+ ScopedSecBuffer scopedOutputAlertData(&outBuffers[1]);

+

+ SecBufferDesc outBufferDesc = {0};

+ outBufferDesc.cBuffers = 2;

+ outBufferDesc.pBuffers = outBuffers;

+ outBufferDesc.ulVersion = SECBUFFER_VERSION;

+

+ // Create the initial security context

+ status = InitializeSecurityContext(

+ credHandle_,

+ NULL,

+ NULL,

+ contextFlags_,

+ 0,

+ 0,

+ NULL,

+ 0,

+ contextHandle_.Reset(),

+ &outBufferDesc,

+ &secContext_,

+ NULL);

+

+ if (status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {

+ // We failed to initialize the security context

+ handleCertError(status);

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ return;

+ }

+

+ // Start the handshake

+ sendDataOnNetwork(outBuffers[0].pvBuffer, outBuffers[0].cbBuffer);

+

+ if (status == SEC_E_OK) {

+ status = validateServerCertificate();

+ if (status != SEC_E_OK) {

+ handleCertError(status);

+ }

+

+ state_ = Connected;

+ determineStreamSizes();

+

+ onConnected();

+ }

+ SchannelCertificate::ref pServerCert = std::dynamic_pointer_cast<SchannelCertificate>( getPeerCertificate() );

+ if (!pServerCert) {

+ return SEC_E_WRONG_PRINCIPAL;

+ }

+

+ const LPSTR usage[] =

+ {

+ szOID_PKIX_KP_SERVER_AUTH,

+ szOID_SERVER_GATED_CRYPTO,

+ szOID_SGC_NETSCAPE

+ };

+

+ CERT_CHAIN_PARA chainParams = {0};

+ chainParams.cbSize = sizeof(chainParams);

+ chainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;

+ chainParams.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(usage);

+ chainParams.RequestedUsage.Usage.rgpszUsageIdentifier = const_cast<LPSTR*>(usage);

+

+ DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT;

+ if (checkCertificateRevocation_) {

+ chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;

+ }

+

+ ScopedCertChainContext pChainContext;

+

+ BOOL success = CertGetCertificateChain(

+ NULL, // Use the chain engine for the current user (assumes a user is logged in)

+ pServerCert->getCertContext(),

+ NULL,

+ pServerCert->getCertContext()->hCertStore,

+ &chainParams,

+ chainFlags,

+ NULL,

+ pChainContext.Reset());

+

+ if (!success) {

+ return GetLastError();

+ }

+

+ SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslChainPolicy = {0};

+ sslChainPolicy.cbSize = sizeof(sslChainPolicy);

+ sslChainPolicy.dwAuthType = AUTHTYPE_SERVER;

+ sslChainPolicy.fdwChecks = SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // Swiften checks the server name for us. Is this the correct way to disable server name checking?

+ sslChainPolicy.pwszServerName = NULL;

+

+ CERT_CHAIN_POLICY_PARA certChainPolicy = {0};

+ certChainPolicy.cbSize = sizeof(certChainPolicy);

+ certChainPolicy.dwFlags = CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG; // Swiften checks the server name for us. Is this the correct way to disable server name checking?

+ certChainPolicy.pvExtraPolicyPara = &sslChainPolicy;

+

+ CERT_CHAIN_POLICY_STATUS certChainPolicyStatus = {0};

+ certChainPolicyStatus.cbSize = sizeof(certChainPolicyStatus);

+

+ // Verify the chain

+ if (!CertVerifyCertificateChainPolicy(

+ CERT_CHAIN_POLICY_SSL,

+ pChainContext,

+ &certChainPolicy,

+ &certChainPolicyStatus)) {

+ return GetLastError();

+ }

+

+ if (certChainPolicyStatus.dwError != S_OK) {

+ return certChainPolicyStatus.dwError;

+ }

+

+ return S_OK;

+ size_t originalSize = receivedData_.size();

+ receivedData_.resize(originalSize + data.size());

+ memcpy(&receivedData_[0] + originalSize, &data[0], data.size());

+ appendNewData(data);

+

+ while (!receivedData_.empty()) {

+ SecBuffer inBuffers[2];

+

+ // Provide Schannel with the remote host's handshake data

+ inBuffers[0].pvBuffer = static_cast<char*>(&receivedData_[0]);

+ inBuffers[0].cbBuffer = static_cast<unsigned long>(receivedData_.size());

+ inBuffers[0].BufferType = SECBUFFER_TOKEN;

+

+ inBuffers[1].pvBuffer = NULL;

+ inBuffers[1].cbBuffer = 0;

+ inBuffers[1].BufferType = SECBUFFER_EMPTY;

+

+ SecBufferDesc inBufferDesc = {0};

+ inBufferDesc.cBuffers = 2;

+ inBufferDesc.pBuffers = inBuffers;

+ inBufferDesc.ulVersion = SECBUFFER_VERSION;

+

+ SecBuffer outBuffers[2];

+

+ // We let Schannel allocate the output buffer for us

+ outBuffers[0].pvBuffer = NULL;

+ outBuffers[0].cbBuffer = 0;

+ outBuffers[0].BufferType = SECBUFFER_TOKEN;

+

+ // Contains alert data if an alert is generated

+ outBuffers[1].pvBuffer = NULL;

+ outBuffers[1].cbBuffer = 0;

+ outBuffers[1].BufferType = SECBUFFER_ALERT;

+

+ // Make sure the output buffers are freed

+ ScopedSecBuffer scopedOutputData(&outBuffers[0]);

+ ScopedSecBuffer scopedOutputAlertData(&outBuffers[1]);

+

+ SecBufferDesc outBufferDesc = {0};

+ outBufferDesc.cBuffers = 2;

+ outBufferDesc.pBuffers = outBuffers;

+ outBufferDesc.ulVersion = SECBUFFER_VERSION;

+

+ SECURITY_STATUS status = InitializeSecurityContext(

+ credHandle_,

+ contextHandle_,

+ NULL,

+ contextFlags_,

+ 0,

+ 0,

+ &inBufferDesc,

+ 0,

+ NULL,

+ &outBufferDesc,

+ &secContext_,

+ NULL);

+

+ if (status == SEC_E_INCOMPLETE_MESSAGE) {

+ // Wait for more data to arrive

+ break;

+ }

+ else if (status == SEC_I_CONTINUE_NEEDED) {

+ SecBuffer* pDataBuffer = &outBuffers[0];

+ SecBuffer* pExtraBuffer = &inBuffers[1];

+

+ if (pDataBuffer && pDataBuffer->cbBuffer > 0 && pDataBuffer->pvBuffer != NULL) {

+ sendDataOnNetwork(pDataBuffer->pvBuffer, pDataBuffer->cbBuffer);

+ }

+

+ if (pExtraBuffer->BufferType == SECBUFFER_EXTRA) {

+ receivedData_.erase(receivedData_.begin(), receivedData_.end() - pExtraBuffer->cbBuffer);

+ }

+ else {

+ receivedData_.clear();

+ }

+

+ break;

+ }

+ else if (status == SEC_E_OK) {

+ status = validateServerCertificate();

+ if (status != SEC_E_OK) {

+ handleCertError(status);

+ }

+

+ SecBuffer* pExtraBuffer = &inBuffers[1];

+

+ if (pExtraBuffer && pExtraBuffer->cbBuffer > 0) {

+ receivedData_.erase(receivedData_.begin(), receivedData_.end() - pExtraBuffer->cbBuffer);

+ }

+ else {

+ receivedData_.clear();

+ }

+

+ state_ = Connected;

+ determineStreamSizes();

+

+ onConnected();

+ }

+ else {

+ // We failed to initialize the security context

+ handleCertError(status);

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ return;

+ }

+ }

+void SchannelContext::handleCertError(SECURITY_STATUS status)

+ if (status == SEC_E_UNTRUSTED_ROOT ||

+ status == CERT_E_UNTRUSTEDROOT ||

+ status == CRYPT_E_ISSUER_SERIALNUMBER ||

+ status == CRYPT_E_SIGNER_NOT_FOUND ||

+ status == CRYPT_E_NO_TRUSTED_SIGNER) {

+ verificationError_ = CertificateVerificationError::Untrusted;

+ }

+ else if (status == SEC_E_CERT_EXPIRED ||

+ status == CERT_E_EXPIRED) {

+ verificationError_ = CertificateVerificationError::Expired;

+ }

+ else if (status == CRYPT_E_SELF_SIGNED) {

+ verificationError_ = CertificateVerificationError::SelfSigned;

+ }

+ else if (status == CRYPT_E_HASH_VALUE ||

+ status == TRUST_E_CERT_SIGNATURE) {

+ verificationError_ = CertificateVerificationError::InvalidSignature;

+ }

+ else if (status == CRYPT_E_REVOKED) {

+ verificationError_ = CertificateVerificationError::Revoked;

+ }

+ else if (status == CRYPT_E_NO_REVOCATION_CHECK ||

+ status == CRYPT_E_REVOCATION_OFFLINE) {

+ verificationError_ = CertificateVerificationError::RevocationCheckFailed;

+ }

+ else if (status == CERT_E_WRONG_USAGE) {

+ verificationError_ = CertificateVerificationError::InvalidPurpose;

+ }

+ else {

+ verificationError_ = CertificateVerificationError::UnknownError;

+ }

+ if (dataSize > 0 && pData) {

+ SafeByteArray byteArray(dataSize);

+ memcpy(&byteArray[0], pData, dataSize);

+ onDataForNetwork(byteArray);

+ }

+ SafeByteArray byteArray(dataSize);

+ memcpy(&byteArray[0], pData, dataSize);

+ onDataForApplication(byteArray);

+ // Don't attempt to send data until we're fully connected

+ if (state_ == Connecting) {

+ return;

+ }

+ // Encrypt the data

+ encryptAndSendData(data);

+ switch (state_) {

+ case Connecting:

+ {

+ // We're still establishing the connection, so continue the handshake

+ continueHandshake(data);

+ }

+ break;

+

+ case Connected:

+ {

+ // Decrypt the data

+ decryptAndProcessData(data);

+ }

+ break;

+

+ default:

+ return;

+ }

+void SchannelContext::indicateError(std::shared_ptr<TLSError> error) {

+ state_ = Error;

+ receivedData_.clear();

+ onError(error);

+ SecBuffer inBuffers[4] = {0};

+

+ appendNewData(data);

+

+ while (!receivedData_.empty()) {

+ //

+ // MSDN:

+ // When using the Schannel SSP with contexts that are not connection oriented, on input,

+ // the structure must contain four SecBuffer structures. Exactly one buffer must be of type

+ // SECBUFFER_DATA and contain an encrypted message, which is decrypted in place. The remaining

+ // buffers are used for output and must be of type SECBUFFER_EMPTY. For connection-oriented

+ // contexts, a SECBUFFER_DATA type buffer must be supplied, as noted for nonconnection-oriented

+ // contexts. Additionally, a second SECBUFFER_TOKEN type buffer that contains a security token

+ // must also be supplied.

+ //

+ inBuffers[0].pvBuffer = static_cast<char*>(&receivedData_[0]);

+ inBuffers[0].cbBuffer = static_cast<unsigned long>(receivedData_.size());

+ inBuffers[0].BufferType = SECBUFFER_DATA;

+

+ inBuffers[1].BufferType = SECBUFFER_EMPTY;

+ inBuffers[2].BufferType = SECBUFFER_EMPTY;

+ inBuffers[3].BufferType = SECBUFFER_EMPTY;

+

+ SecBufferDesc inBufferDesc = {0};

+ inBufferDesc.cBuffers = 4;

+ inBufferDesc.pBuffers = inBuffers;

+ inBufferDesc.ulVersion = SECBUFFER_VERSION;

+

+ size_t inData = receivedData_.size();

+ SECURITY_STATUS status = DecryptMessage(contextHandle_, &inBufferDesc, 0, NULL);

+

+ if (status == SEC_E_INCOMPLETE_MESSAGE) {

+ // Wait for more data to arrive

+ break;

+ }

+ else if (status == SEC_I_RENEGOTIATE) {

+ // TODO: Handle renegotiation scenarios

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ break;

+ }

+ else if (status == SEC_I_CONTEXT_EXPIRED) {

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ break;

+ }

+ else if (status != SEC_E_OK) {

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ break;

+ }

+

+ SecBuffer* pDataBuffer = NULL;

+ SecBuffer* pExtraBuffer = NULL;

+ for (int i = 0; i < 4; ++i) {

+ if (inBuffers[i].BufferType == SECBUFFER_DATA) {

+ pDataBuffer = &inBuffers[i];

+ }

+ else if (inBuffers[i].BufferType == SECBUFFER_EXTRA) {

+ pExtraBuffer = &inBuffers[i];

+ }

+ }

+

+ if (pDataBuffer && pDataBuffer->cbBuffer > 0 && pDataBuffer->pvBuffer != NULL) {

+ forwardDataToApplication(pDataBuffer->pvBuffer, pDataBuffer->cbBuffer);

+ }

+

+ // If there is extra data left over from the decryption operation, we call DecryptMessage() again

+ if (pExtraBuffer) {

+ receivedData_.erase(receivedData_.begin(), receivedData_.end() - pExtraBuffer->cbBuffer);

+ }

+ else {

+ // We're done

+ receivedData_.erase(receivedData_.begin(), receivedData_.begin() + inData);

+ }

+ }

+ if (streamSizes_.cbMaximumMessage == 0) {

+ return;

+ }

+

+ SecBuffer outBuffers[4] = {0};

+

+ // Calculate the largest required size of the send buffer

+ size_t messageBufferSize = (data.size() > streamSizes_.cbMaximumMessage)

+ ? streamSizes_.cbMaximumMessage

+ : data.size();

+

+ // Allocate a packet for the encrypted data

+ SafeByteArray sendBuffer;

+ sendBuffer.resize(streamSizes_.cbHeader + messageBufferSize + streamSizes_.cbTrailer);

+

+ size_t bytesSent = 0;

+ do {

+ size_t bytesLeftToSend = data.size() - bytesSent;

+

+ // Calculate how much of the send buffer we'll be using for this chunk

+ size_t bytesToSend = (bytesLeftToSend > streamSizes_.cbMaximumMessage)

+ ? streamSizes_.cbMaximumMessage

+ : bytesLeftToSend;

+

+ // Copy the plain text data into the send buffer

+ memcpy(&sendBuffer[0] + streamSizes_.cbHeader, &data[0] + bytesSent, bytesToSend);

+

+ outBuffers[0].pvBuffer = &sendBuffer[0];

+ outBuffers[0].cbBuffer = streamSizes_.cbHeader;

+ outBuffers[0].BufferType = SECBUFFER_STREAM_HEADER;

+

+ outBuffers[1].pvBuffer = &sendBuffer[0] + streamSizes_.cbHeader;

+ outBuffers[1].cbBuffer = static_cast<unsigned long>(bytesToSend);

+ outBuffers[1].BufferType = SECBUFFER_DATA;

+

+ outBuffers[2].pvBuffer = &sendBuffer[0] + streamSizes_.cbHeader + bytesToSend;

+ outBuffers[2].cbBuffer = streamSizes_.cbTrailer;

+ outBuffers[2].BufferType = SECBUFFER_STREAM_TRAILER;

+

+ outBuffers[3].pvBuffer = 0;

+ outBuffers[3].cbBuffer = 0;

+ outBuffers[3].BufferType = SECBUFFER_EMPTY;

+

+ SecBufferDesc outBufferDesc = {0};

+ outBufferDesc.cBuffers = 4;

+ outBufferDesc.pBuffers = outBuffers;

+ outBufferDesc.ulVersion = SECBUFFER_VERSION;

+

+ SECURITY_STATUS status = EncryptMessage(contextHandle_, 0, &outBufferDesc, 0);

+ if (status != SEC_E_OK) {

+ indicateError(std::make_shared<TLSError>(TLSError::UnknownError));

+ return;

+ }

+

+ sendDataOnNetwork(&sendBuffer[0], outBuffers[0].cbBuffer + outBuffers[1].cbBuffer + outBuffers[2].cbBuffer);

+ bytesSent += bytesToSend;

+

+ } while (bytesSent < data.size());

+ std::shared_ptr<CAPICertificate> capiCertificate = std::dynamic_pointer_cast<CAPICertificate>(certificate);

+ if (!capiCertificate || capiCertificate->isNull()) {

+ return false;

+ }

+ userCertificate_ = capiCertificate;

+ // We assume that the Certificate Store Name/Certificate Name

+ // are valid at this point

+ certStoreName_ = capiCertificate->getCertStoreName();

+ certName_ = capiCertificate->getCertName();

+ smartCardReader_ = capiCertificate->getSmartCardReaderName();

+ capiCertificate->onCertificateCardRemoved.connect(boost::bind(&SchannelContext::handleCertificateCardRemoved, this));

+ return true;

+ if (disconnectOnCardRemoval_) {

+ indicateError(std::make_shared<TLSError>(TLSError::CertificateCardRemoved));

+ }

+ std::vector<Certificate::ref> certificateChain;

+ ScopedCertContext pServerCert;

+ ScopedCertContext pIssuerCert;

+ ScopedCertContext pCurrentCert;

+ SECURITY_STATUS status = QueryContextAttributes(contextHandle_, SECPKG_ATTR_REMOTE_CERT_CONTEXT, pServerCert.Reset());

+

+ if (status != SEC_E_OK) {

+ SWIFT_LOG(debug) << "Error while Querying the Certificate Chain";

+ return certificateChain;

+ }

+ certificateChain.push_back(std::make_shared<SchannelCertificate>(pServerCert));

+

+ pCurrentCert = pServerCert;

+ while(pCurrentCert.GetPointer()) {

+ DWORD dwVerificationFlags = 0;

+ pIssuerCert = CertGetIssuerCertificateFromStore(pServerCert->hCertStore, pCurrentCert, NULL, &dwVerificationFlags );

+ if (!(*pIssuerCert.GetPointer())) {

+ break;

+ }

+ certificateChain.push_back(std::make_shared<SchannelCertificate>(pIssuerCert));

+

+ pCurrentCert = pIssuerCert;

+ pIssuerCert = NULL;

+ }

+ return certificateChain;

+ return verificationError_ ? std::make_shared<CertificateVerificationError>(*verificationError_) : CertificateVerificationError::ref();

+ SecPkgContext_Bindings bindings;

+ int ret = QueryContextAttributes(contextHandle_, SECPKG_ATTR_UNIQUE_BINDINGS, &bindings);

+ if (ret == SEC_E_OK) {

+ return createByteArray(((unsigned char*) bindings.Bindings) + bindings.Bindings->dwApplicationDataOffset + 11 /* tls-unique:*/, bindings.Bindings->cbApplicationDataLength - 11);

+ }

+ else {

+ SWIFT_LOG(debug) << "Error while retrieving Finish Message";

+ }

+

+ return ByteArray();

+ checkCertificateRevocation_ = b;

+}

+

+void SchannelContext::setDisconnectOnCardRemoval(bool b) {

+ disconnectOnCardRemoval_ = b;

+ * Copyright (c) 2012-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+#include <boost/signals2.hpp>

+namespace Swift

+{

+ class CAPICertificate;

+ class SchannelContext : public TLSContext, boost::noncopyable

+ {

+ public:

+ typedef std::shared_ptr<SchannelContext> sp_t;

+ public:

+ SchannelContext(bool tls1_0Workaround);

+ virtual ~SchannelContext();

+ //

+ // TLSContext

+ //

+ virtual void connect();

+ virtual bool setClientCertificate(CertificateWithKey::ref cert);

+ virtual void handleDataFromNetwork(const SafeByteArray& data);

+ virtual void handleDataFromApplication(const SafeByteArray& data);

+ virtual std::vector<Certificate::ref> getPeerCertificateChain() const;

+ virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const;

+ virtual ByteArray getFinishMessage() const;

+ virtual void setCheckCertificateRevocation(bool b);

+ virtual void setDisconnectOnCardRemoval(bool b);

+ private:

+ void determineStreamSizes();

+ void continueHandshake(const SafeByteArray& data);

+ void indicateError(std::shared_ptr<TLSError> error);

+ //FIXME: Remove

+ void indicateError() {indicateError(std::make_shared<TLSError>());}

+ void handleCertError(SECURITY_STATUS status) ;

+ void sendDataOnNetwork(const void* pData, size_t dataSize);

+ void forwardDataToApplication(const void* pData, size_t dataSize);

+ void decryptAndProcessData(const SafeByteArray& data);

+ void encryptAndSendData(const SafeByteArray& data);

+ void appendNewData(const SafeByteArray& data);

+ SECURITY_STATUS validateServerCertificate();

+ void handleCertificateCardRemoved();

+ private:

+ enum SchannelState

+ {

+ Start,

+ Connecting,

+ Connected,

+ Error

+ };

+ SchannelState state_;

+ boost::optional<CertificateVerificationError> verificationError_;

+ ULONG secContext_;

+ ScopedCredHandle credHandle_;

+ ScopedCtxtHandle contextHandle_;

+ DWORD contextFlags_;

+ SecPkgContext_StreamSizes streamSizes_;

+ std::vector<char> receivedData_;

+

+ HCERTSTORE myCertStore_;

+ std::string certStoreName_;

+ std::string certName_;

+ std::string smartCardReader_; //Can be empty string for non SmartCard certificates

+ std::shared_ptr<CAPICertificate> userCertificate_;

+ bool checkCertificateRevocation_;

+ bool tls1_0Workaround_;

+ bool disconnectOnCardRemoval_;

+ };

+/*

+ * Copyright (c) 2015-2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <Swiften/TLS/Schannel/SchannelContextFactory.h>

+

+#include <Swiften/TLS/Schannel/SchannelContext.h>

+SchannelContextFactory::SchannelContextFactory() : checkCertificateRevocation(true), disconnectOnCardRemoval(true) {

+ return true;

+std::unique_ptr<TLSContext> SchannelContextFactory::createTLSContext(const TLSOptions& tlsOptions, TLSContext::Mode mode) {

+ // TLS server mode is not supported for the SecureTransport backend yet.

+ assert(mode == TLSContext::Mode::Client);

+ SchannelContext* context = new SchannelContext(tlsOptions.schannelTLS1_0Workaround);

+ context->setCheckCertificateRevocation(checkCertificateRevocation);

+ context->setDisconnectOnCardRemoval(disconnectOnCardRemoval);

+ return std::unique_ptr<TLSContext>(context);

+ checkCertificateRevocation = b;

+void SchannelContextFactory::setDisconnectOnCardRemoval(bool b) {

+ disconnectOnCardRemoval = b;

+}

+/*

+ * Copyright (c) 2015-2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <memory>

+

+#include <Swiften/TLS/TLSContextFactory.h>

+ class SchannelContextFactory : public TLSContextFactory {

+ public:

+ SchannelContextFactory();

+ bool canCreate() const;

+ virtual std::unique_ptr<TLSContext> createTLSContext(const TLSOptions& tlsOptions, TLSContext::Mode mode = TLSContext::Mode::Client);

+ virtual void setCheckCertificateRevocation(bool b);

+ virtual void setDisconnectOnCardRemoval(bool b);

+ public:

+ bool checkCertificateRevocation;

+ bool disconnectOnCardRemoval;

+ };

+/*

+ * Copyright (c) 2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+namespace Swift

+ //

+ // Convenience wrapper around the Schannel CredHandle struct.

+ //

+ class ScopedCredHandle

+ {

+ private:

+ struct HandleContext

+ {

+ HandleContext()

+ {

+ ZeroMemory(&m_h, sizeof(m_h));

+ }

+

+ HandleContext(const CredHandle& h)

+ {

+ memcpy(&m_h, &h, sizeof(m_h));

+ }

+

+ ~HandleContext()

+ {

+ ::FreeCredentialsHandle(&m_h);

+ }

+

+ CredHandle m_h;

+ };

+

+ public:

+ ScopedCredHandle()

+ : m_pHandle( new HandleContext )

+ {

+ }

+

+ explicit ScopedCredHandle(const CredHandle& h)

+ : m_pHandle( new HandleContext(h) )

+ {

+ }

+

+ // Copy constructor

+ explicit ScopedCredHandle(const ScopedCredHandle& rhs)

+ {

+ m_pHandle = rhs.m_pHandle;

+ }

+

+ ~ScopedCredHandle()

+ {

+ m_pHandle.reset();

+ }

+

+ PCredHandle Reset()

+ {

+ CloseHandle();

+ return &m_pHandle->m_h;

+ }

+

+ operator PCredHandle() const

+ {

+ return &m_pHandle->m_h;

+ }

+

+ ScopedCredHandle& operator=(const ScopedCredHandle& sh)

+ {

+ // Only update the internal handle if it's different

+ if (&m_pHandle->m_h != &sh.m_pHandle->m_h)

+ {

+ m_pHandle = sh.m_pHandle;

+ }

+

+ return *this;

+ }

+

+ void CloseHandle()

+ {

+ m_pHandle.reset( new HandleContext );

+ }

+

+ private:

+ std::shared_ptr<HandleContext> m_pHandle;

+ };

+

+ //------------------------------------------------------------------------

+

+ //

+ // Convenience wrapper around the Schannel CtxtHandle struct.

+ //

+ class ScopedCtxtHandle

+ {

+ private:

+ struct HandleContext

+ {

+ HandleContext()

+ {

+ ZeroMemory(&m_h, sizeof(m_h));

+ }

+

+ ~HandleContext()

+ {

+ ::DeleteSecurityContext(&m_h);

+ }

+

+ CtxtHandle m_h;

+ };

+

+ public:

+ ScopedCtxtHandle()

+ : m_pHandle( new HandleContext )

+ {

+ }

+

+ explicit ScopedCtxtHandle(CredHandle h)

+ : m_pHandle( new HandleContext )

+ {

+ }

+

+ // Copy constructor

+ explicit ScopedCtxtHandle(const ScopedCtxtHandle& rhs)

+ {

+ m_pHandle = rhs.m_pHandle;

+ }

+

+ ~ScopedCtxtHandle()

+ {

+ m_pHandle.reset();

+ }

+

+ PCredHandle Reset()

+ {

+ CloseHandle();

+ return &m_pHandle->m_h;

+ }

+

+ operator PCredHandle() const

+ {

+ return &m_pHandle->m_h;

+ }

+

+ ScopedCtxtHandle& operator=(const ScopedCtxtHandle& sh)

+ {

+ // Only update the internal handle if it's different

+ if (&m_pHandle->m_h != &sh.m_pHandle->m_h)

+ {

+ m_pHandle = sh.m_pHandle;

+ }

+

+ return *this;

+ }

+

+ void CloseHandle()

+ {

+ m_pHandle.reset( new HandleContext );

+ }

+

+ private:

+ std::shared_ptr<HandleContext> m_pHandle;

+ };

+

+ //------------------------------------------------------------------------

+

+ //

+ // Convenience wrapper around the Schannel ScopedSecBuffer struct.

+ //

+ class ScopedSecBuffer : boost::noncopyable

+ {

+ public:

+ ScopedSecBuffer(PSecBuffer pSecBuffer)

+ : m_pSecBuffer(pSecBuffer)

+ {

+ }

+

+ ~ScopedSecBuffer()

+ {

+ // Loop through all the output buffers and make sure we free them

+ if (m_pSecBuffer->pvBuffer)

+ FreeContextBuffer(m_pSecBuffer->pvBuffer);

+ }

+

+ PSecBuffer AsPtr()

+ {

+ return m_pSecBuffer;

+ }

+

+ PSecBuffer operator->()

+ {

+ return m_pSecBuffer;

+ }

+

+ private:

+ PSecBuffer m_pSecBuffer;

+ };

+

+ //------------------------------------------------------------------------

+

+ //

+ // Convenience wrapper around the Schannel PCCERT_CONTEXT.

+ //

+ class ScopedCertContext

+ {

+ private:

+ struct HandleContext

+ {

+ HandleContext()

+ : m_pCertCtxt(NULL)

+ {

+ }

+

+ HandleContext(PCCERT_CONTEXT pCert)

+ : m_pCertCtxt(pCert)

+ {

+ }

+

+ ~HandleContext()

+ {

+ if (m_pCertCtxt)

+ CertFreeCertificateContext(m_pCertCtxt);

+ }

+

+ PCCERT_CONTEXT m_pCertCtxt;

+ };

+

+ public:

+ ScopedCertContext()

+ : m_pHandle( new HandleContext )

+ {

+ }

+

+ explicit ScopedCertContext(PCCERT_CONTEXT pCert)

+ : m_pHandle( new HandleContext(pCert) )

+ {

+ }

+

+ // Copy constructor

+ ScopedCertContext(const ScopedCertContext& rhs)

+ {

+ m_pHandle = rhs.m_pHandle;

+ }

+

+ ~ScopedCertContext()

+ {

+ m_pHandle.reset();

+ }

+

+ PCCERT_CONTEXT* Reset()

+ {

+ FreeContext();

+ return &m_pHandle->m_pCertCtxt;

+ }

+

+ operator PCCERT_CONTEXT() const

+ {

+ return m_pHandle->m_pCertCtxt;

+ }

+

+ PCCERT_CONTEXT* GetPointer() const

+ {

+ return &m_pHandle->m_pCertCtxt;

+ }

+

+ PCCERT_CONTEXT operator->() const

+ {

+ return m_pHandle->m_pCertCtxt;

+ }

+

+ ScopedCertContext& operator=(const ScopedCertContext& sh)

+ {

+ // Only update the internal handle if it's different

+ if (&m_pHandle->m_pCertCtxt != &sh.m_pHandle->m_pCertCtxt)

+ {

+ m_pHandle = sh.m_pHandle;

+ }

+

+ return *this;

+ }

+

+ ScopedCertContext& operator=(PCCERT_CONTEXT pCertCtxt)

+ {

+ // Only update the internal handle if it's different

+ if (m_pHandle && m_pHandle->m_pCertCtxt != pCertCtxt)

+ m_pHandle.reset( new HandleContext(pCertCtxt) );

+

+ return *this;

+ }

+

+ void FreeContext()

+ {

+ m_pHandle.reset( new HandleContext );

+ }

+

+ private:

+ std::shared_ptr<HandleContext> m_pHandle;

+ };

+

+ //------------------------------------------------------------------------

+

+ //

+ // Convenience wrapper around the Schannel HCERTSTORE.

+ //

+ class ScopedCertStore : boost::noncopyable

+ {

+ public:

+ ScopedCertStore(HCERTSTORE hCertStore)

+ : m_hCertStore(hCertStore)

+ {

+ }

+

+ ~ScopedCertStore()

+ {

+ // Forcefully free all memory related to the store, i.e. we assume all CertContext's that have been opened via this

+ // cert store have been closed at this point.

+ if (m_hCertStore)

+ CertCloseStore(m_hCertStore, CERT_CLOSE_STORE_FORCE_FLAG);

+ }

+

+ operator HCERTSTORE() const

+ {

+ return m_hCertStore;

+ }

+

+ private:

+ HCERTSTORE m_hCertStore;

+ };

+

+ //------------------------------------------------------------------------

+

+ //

+ // Convenience wrapper around the Schannel CERT_CHAIN_CONTEXT.

+ //

+ class ScopedCertChainContext

+ {

+ private:

+ struct HandleContext

+ {

+ HandleContext()

+ : m_pCertChainCtxt(NULL)

+ {

+ }

+

+ HandleContext(PCCERT_CHAIN_CONTEXT pCert)

+ : m_pCertChainCtxt(pCert)

+ {

+ }

+

+ ~HandleContext()

+ {

+ if (m_pCertChainCtxt)

+ CertFreeCertificateChain(m_pCertChainCtxt);

+ }

+

+ PCCERT_CHAIN_CONTEXT m_pCertChainCtxt;

+ };

+

+ public:

+ ScopedCertChainContext()

+ : m_pHandle( new HandleContext )

+ {

+ }

+

+ explicit ScopedCertChainContext(PCCERT_CHAIN_CONTEXT pCert)

+ : m_pHandle( new HandleContext(pCert) )

+ {

+ }

+

+ // Copy constructor

+ ScopedCertChainContext(const ScopedCertChainContext& rhs)

+ {

+ m_pHandle = rhs.m_pHandle;

+ }

+

+ ~ScopedCertChainContext()

+ {

+ m_pHandle.reset();

+ }

+

+ PCCERT_CHAIN_CONTEXT* Reset()

+ {

+ FreeContext();

+ return &m_pHandle->m_pCertChainCtxt;

+ }

+

+ operator PCCERT_CHAIN_CONTEXT() const

+ {

+ return m_pHandle->m_pCertChainCtxt;

+ }

+

+ PCCERT_CHAIN_CONTEXT operator->() const

+ {

+ return m_pHandle->m_pCertChainCtxt;

+ }

+

+ ScopedCertChainContext& operator=(const ScopedCertChainContext& sh)

+ {

+ // Only update the internal handle if it's different

+ if (&m_pHandle->m_pCertChainCtxt != &sh.m_pHandle->m_pCertChainCtxt)

+ {

+ m_pHandle = sh.m_pHandle;

+ }

+

+ return *this;

+ }

+

+ void FreeContext()

+ {

+ m_pHandle.reset( new HandleContext );

+ }

+

+ private:

+ std::shared_ptr<HandleContext> m_pHandle;

+ };

+/*

+ * Copyright (c) 2015-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#pragma once

+

+#include <memory>

+

+#include <boost/type_traits.hpp>

+

+#include <Security/SecCertificate.h>

+

+#include <Swiften/TLS/Certificate.h>

+

+namespace Swift {

+

+class SecureTransportCertificate : public Certificate {

+public:

+ SecureTransportCertificate(SecCertificateRef certificate);

+ SecureTransportCertificate(const ByteArray& der);

+ virtual ~SecureTransportCertificate();

+

+ virtual std::string getSubjectName() const;

+ virtual std::vector<std::string> getCommonNames() const;

+ virtual std::vector<std::string> getSRVNames() const;

+ virtual std::vector<std::string> getDNSNames() const;

+ virtual std::vector<std::string> getXMPPAddresses() const;

+

+ virtual ByteArray toDER() const;

+

+private:

+ void parse();

+ typedef boost::remove_pointer<SecCertificateRef>::type SecCertificate;

+

+private:

+ std::shared_ptr<SecCertificate> certificateHandle_;

+ std::string subjectName_;

+ std::vector<std::string> commonNames_;

+ std::vector<std::string> srvNames_;

+ std::vector<std::string> dnsNames_;

+ std::vector<std::string> xmppAddresses_;

+};

+

+}

+/*

+ * Copyright (c) 2015-2017 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <Swiften/TLS/SecureTransport/SecureTransportCertificate.h>

+

+#include <boost/numeric/conversion/cast.hpp>

+

+#include <Cocoa/Cocoa.h>

+#include <Security/Security.h>

+

+#include <Swiften/Base/Log.h>

+

+namespace {

+

+template <typename T, typename S>

+T bridge_cast(S source) {

+#pragma clang diagnostic push

+#pragma clang diagnostic ignored "-Wold-style-cast"

+ return (__bridge T)(source);

+#pragma clang diagnostic pop

+}

+

+}

+

+namespace {

+

+inline std::string ns2StdString(NSString* _Nullable nsString);

+inline std::string ns2StdString(NSString* _Nullable nsString) {

+ std::string stdString;

+ if (nsString != nil) {

+ stdString = std::string([nsString cStringUsingEncoding:NSUTF8StringEncoding]);

+ }

+ return stdString;

+}

+

+}

+

+namespace Swift {

+

+SecureTransportCertificate::SecureTransportCertificate(SecCertificateRef certificate) {

+ assert(certificate);

+ CFRetain(certificate);

+ certificateHandle_ = std::shared_ptr<SecCertificate>(certificate, CFRelease);

+ parse();

+}

+

+

+SecureTransportCertificate::SecureTransportCertificate(const ByteArray& der) {

+ CFDataRef derData = CFDataCreateWithBytesNoCopy(nullptr, der.data(), static_cast<CFIndex>(der.size()), nullptr);

+ // certificate will take ownership of derData and free it on its release.

+ SecCertificateRef certificate = SecCertificateCreateWithData(nullptr, derData);

+ if (certificate) {

+ certificateHandle_ = std::shared_ptr<SecCertificate>(certificate, CFRelease);

+ parse();

+ }

+}

+

+SecureTransportCertificate::~SecureTransportCertificate() {

+

+}

+

+void SecureTransportCertificate::parse() {

+ assert(certificateHandle_);

+ CFErrorRef error = nullptr;

+

+ // The SecCertificateCopyValues function is not part of the iOS Secure Transport API.

+ CFDictionaryRef valueDict = SecCertificateCopyValues(certificateHandle_.get(), nullptr, &error);

+ if (valueDict) {

+ // Handle subject.

+ CFStringRef subject = SecCertificateCopySubjectSummary(certificateHandle_.get());

+ if (subject) {

+ NSString* subjectStr = bridge_cast<NSString*>(subject);

+ subjectName_ = ns2StdString(subjectStr);

+ CFRelease(subject);

+ }

+

+ // Handle a single Common Name.

+ CFStringRef commonName = nullptr;

+ OSStatus error = SecCertificateCopyCommonName(certificateHandle_.get(), &commonName);

+ if (!error && commonName) {

+ NSString* commonNameStr = bridge_cast<NSString*>(commonName);

+ commonNames_.push_back(ns2StdString(commonNameStr));

+ }

+ if (commonName) {

+ CFRelease(commonName);

+ }

+

+ // Handle Subject Alternative Names

+ NSDictionary* certDict = bridge_cast<NSDictionary*>(valueDict);

+ NSDictionary* subjectAltNamesDict = certDict[@"2.5.29.17"][@"value"];

+

+ for (NSDictionary* entry in subjectAltNamesDict) {

+ NSString* label = entry[@"label"];

+ if ([label isEqualToString:static_cast<NSString * _Nonnull>([NSString stringWithUTF8String:ID_ON_XMPPADDR_OID])]) {

+ xmppAddresses_.push_back(ns2StdString(entry[@"value"]));

+ }

+ else if ([label isEqualToString:static_cast<NSString * _Nonnull>([NSString stringWithUTF8String:ID_ON_DNSSRV_OID])]) {

+ srvNames_.push_back(ns2StdString(entry[@"value"]));

+ }

+ else if ([label isEqualToString:@"DNS Name"]) {

+ dnsNames_.push_back(ns2StdString(entry[@"value"]));

+ }

+ }

+ CFRelease(valueDict);

+ }

+

+ if (error) {

+ CFRelease(error);

+ }

+}

+

+std::string SecureTransportCertificate::getSubjectName() const {

+ return subjectName_;

+}

+

+std::vector<std::string> SecureTransportCertificate::getCommonNames() const {

+ return commonNames_;

+}

+

+std::vector<std::string> SecureTransportCertificate::getSRVNames() const {

+ return srvNames_;

+}

+

+std::vector<std::string> SecureTransportCertificate::getDNSNames() const {

+ return dnsNames_;

+}

+

+std::vector<std::string> SecureTransportCertificate::getXMPPAddresses() const {

+ return xmppAddresses_;

+}

+

+ByteArray SecureTransportCertificate::toDER() const {

+ ByteArray der;

+ if (certificateHandle_) {

+ CFDataRef derData = SecCertificateCopyData(certificateHandle_.get());

+ if (derData) {

+ try {

+ size_t dataSize = boost::numeric_cast<size_t>(CFDataGetLength(derData));

+ der.resize(dataSize);

+ CFDataGetBytes(derData, CFRangeMake(0,CFDataGetLength(derData)), der.data());

+ } catch (...) {

+ }

+ CFRelease(derData);

+ }

+ }

+ return der;

+}

+

+}

+/*

+ * Copyright (c) 2015 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#pragma once

+

+#include <Swiften/TLS/CertificateFactory.h>

+#include <Swiften/TLS/SecureTransport/SecureTransportCertificate.h>

+

+namespace Swift {

+

+class SecureTransportCertificateFactory : public CertificateFactory {

+ public:

+ virtual Certificate* createCertificateFromDER(const ByteArray& der) {

+ return new SecureTransportCertificate(der);

+ }

+ };

+}

+/*

+ * Copyright (c) 2015-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#pragma once

+

+#include <Security/SecureTransport.h>

+

+#include <Swiften/TLS/TLSContext.h>

+

+namespace Swift {

+

+class SecureTransportContext : public TLSContext {

+ public:

+ SecureTransportContext(bool checkCertificateRevocation);

+ virtual ~SecureTransportContext();

+

+ virtual void connect();

+

+ virtual bool setClientCertificate(CertificateWithKey::ref cert);

+

+ virtual void handleDataFromNetwork(const SafeByteArray&);

+ virtual void handleDataFromApplication(const SafeByteArray&);

+

+ virtual std::vector<Certificate::ref> getPeerCertificateChain() const;

+ virtual CertificateVerificationError::ref getPeerCertificateVerificationError() const;

+

+ virtual ByteArray getFinishMessage() const;

+

+ private:

+ static OSStatus SSLSocketReadCallback(SSLConnectionRef connection, void *data, size_t *dataLength);

+ static OSStatus SSLSocketWriteCallback(SSLConnectionRef connection, const void *data, size_t *dataLength);

+

+ private:

+ enum State { None, Handshake, HandshakeDone, Error};

+ static std::string stateToString(State state);

+ void setState(State newState);

+

+ static std::shared_ptr<TLSError> nativeToTLSError(OSStatus error);

+ std::shared_ptr<CertificateVerificationError> CSSMErrorToVerificationError(OSStatus resultCode);

+

+ void processHandshake();

+ void verifyServerCertificate();

+

+ void fatalError(std::shared_ptr<TLSError> error, std::shared_ptr<CertificateVerificationError> certificateError);

+

+ private:

+ std::shared_ptr<SSLContext> sslContext_;

+ SafeByteArray readingBuffer_;

+ State state_;

+ CertificateVerificationError::ref verificationError_;

+ CertificateWithKey::ref clientCertificate_;

+ bool checkCertificateRevocation_;

+};

+

+}

+/*

+ * Copyright (c) 2015-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <Swiften/TLS/SecureTransport/SecureTransportContext.h>

+

+#include <boost/type_traits.hpp>

+#include <boost/numeric/conversion/cast.hpp>

+

+#include <Swiften/Base/Algorithm.h>

+#include <Swiften/Base/Log.h>

+#include <Swiften/TLS/SecureTransport/SecureTransportCertificate.h>

+#include <Swiften/TLS/PKCS12Certificate.h>

+#include <Swiften/TLS/CertificateWithKey.h>

+

+#include <Cocoa/Cocoa.h>

+

+#import <Security/SecCertificate.h>

+#import <Security/SecImportExport.h>

+

+namespace {

+ typedef boost::remove_pointer<CFArrayRef>::type CFArray;

+ typedef boost::remove_pointer<SecTrustRef>::type SecTrust;

+}

+

+template <typename T, typename S>

+T bridge_cast(S source) {

+#pragma clang diagnostic push

+#pragma clang diagnostic ignored "-Wold-style-cast"

+ return (__bridge T)(source);

+#pragma clang diagnostic pop

+}

+

+namespace Swift {

+

+namespace {

+

+

+CFArrayRef CreateClientCertificateChainAsCFArrayRef(CertificateWithKey::ref key) {

+ std::shared_ptr<PKCS12Certificate> pkcs12 = std::dynamic_pointer_cast<PKCS12Certificate>(key);

+ if (!key) {

+ return nullptr;

+ }

+

+ SafeByteArray safePassword = pkcs12->getPassword();

+ CFIndex passwordSize = 0;

+ try {

+ passwordSize = boost::numeric_cast<CFIndex>(safePassword.size());

+ } catch (...) {

+ return nullptr;

+ }

+

+ CFMutableArrayRef certChain = CFArrayCreateMutable(nullptr, 0, nullptr);

+

+ OSStatus securityError = errSecSuccess;

+ CFStringRef password = CFStringCreateWithBytes(kCFAllocatorDefault, safePassword.data(), passwordSize, kCFStringEncodingUTF8, false);

+ const void* keys[] = { kSecImportExportPassphrase };

+ const void* values[] = { password };

+

+ CFDictionaryRef options = CFDictionaryCreate(nullptr, keys, values, 1, nullptr, nullptr);

+

+ CFArrayRef items = nullptr;

+ CFDataRef pkcs12Data = bridge_cast<CFDataRef>([NSData dataWithBytes: static_cast<const void *>(pkcs12->getData().data()) length:pkcs12->getData().size()]);

+ securityError = SecPKCS12Import(pkcs12Data, options, &items);

+ CFRelease(options);

+ NSArray* nsItems = bridge_cast<NSArray*>(items);

+

+ switch(securityError) {

+ case errSecSuccess:

+ break;

+ case errSecAuthFailed:

+ // Password did not work for decoding the certificate.

+ SWIFT_LOG(warning) << "Invalid password.";

+ break;

+ case errSecDecode:

+ // Other decoding error.

+ SWIFT_LOG(warning) << "PKCS12 decoding error.";

+ break;

+ default:

+ SWIFT_LOG(warning) << "Unknown error.";

+ }

+

+ if (securityError != errSecSuccess) {

+ if (items) {

+ CFRelease(items);

+ items = nullptr;

+ }

+ CFRelease(certChain);

+ certChain = nullptr;

+ }

+

+ if (certChain) {

+ CFArrayAppendValue(certChain, nsItems[0][@"identity"]);

+

+ for (CFIndex index = 0; index < CFArrayGetCount(bridge_cast<CFArrayRef>(nsItems[0][@"chain"])); index++) {

+ CFArrayAppendValue(certChain, CFArrayGetValueAtIndex(bridge_cast<CFArrayRef>(nsItems[0][@"chain"]), index));

+ }

+ }

+ return certChain;

+}

+

+}

+

+SecureTransportContext::SecureTransportContext(bool checkCertificateRevocation) : state_(None), checkCertificateRevocation_(checkCertificateRevocation) {

+ sslContext_ = std::shared_ptr<SSLContext>(SSLCreateContext(nullptr, kSSLClientSide, kSSLStreamType), CFRelease);

+

+ OSStatus error = noErr;

+ // set IO callbacks

+ error = SSLSetIOFuncs(sslContext_.get(), &SecureTransportContext::SSLSocketReadCallback, &SecureTransportContext::SSLSocketWriteCallback);

+ if (error != noErr) {

+ SWIFT_LOG(error) << "Unable to set IO functions to SSL context.";

+ sslContext_.reset();

+ }

+

+ error = SSLSetConnection(sslContext_.get(), this);

+ if (error != noErr) {

+ SWIFT_LOG(error) << "Unable to set connection to SSL context.";

+ sslContext_.reset();

+ }

+

+

+ error = SSLSetSessionOption(sslContext_.get(), kSSLSessionOptionBreakOnServerAuth, true);

+ if (error != noErr) {

+ SWIFT_LOG(error) << "Unable to set kSSLSessionOptionBreakOnServerAuth on session.";

+ sslContext_.reset();

+ }

+}

+

+SecureTransportContext::~SecureTransportContext() {

+ if (sslContext_) {

+ SSLClose(sslContext_.get());

+ }

+}

+

+std::string SecureTransportContext::stateToString(State state) {

+ std::string returnValue;

+ switch(state) {

+ case Handshake:

+ returnValue = "Handshake";

+ break;

+ case HandshakeDone:

+ returnValue = "HandshakeDone";

+ break;

+ case None:

+ returnValue = "None";

+ break;

+ case Error:

+ returnValue = "Error";

+ break;

+ }

+ return returnValue;

+}

+

+void SecureTransportContext::setState(State newState) {

+ SWIFT_LOG(debug) << "Switch state from " << stateToString(state_) << " to " << stateToString(newState) << ".";

+ state_ = newState;

+}

+

+void SecureTransportContext::connect() {

+ SWIFT_LOG_ASSERT(state_ == None, error) << "current state '" << stateToString(state_) << " invalid.";

+ if (clientCertificate_) {

+ CFArrayRef certs = CreateClientCertificateChainAsCFArrayRef(clientCertificate_);

+ if (certs) {

+ std::shared_ptr<CFArray> certRefs(certs, CFRelease);

+ OSStatus result = SSLSetCertificate(sslContext_.get(), certRefs.get());

+ if (result != noErr) {

+ SWIFT_LOG(error) << "SSLSetCertificate failed with error " << result << ".";

+ }

+ }

+ }

+ processHandshake();

+}

+

+void SecureTransportContext::processHandshake() {

+ SWIFT_LOG_ASSERT(state_ == None || state_ == Handshake, error) << "current state '" << stateToString(state_) << " invalid.";

+ OSStatus error = SSLHandshake(sslContext_.get());

+ if (error == errSSLWouldBlock) {

+ setState(Handshake);

+ }

+ else if (error == noErr) {

+ SWIFT_LOG(debug) << "TLS handshake successful.";

+ setState(HandshakeDone);

+ onConnected();

+ }

+ else if (error == errSSLPeerAuthCompleted) {

+ SWIFT_LOG(debug) << "Received server certificate. Start verification.";

+ setState(Handshake);

+ verifyServerCertificate();

+ }

+ else {

+ SWIFT_LOG(debug) << "Error returned from SSLHandshake call is " << error << ".";

+ fatalError(nativeToTLSError(error), std::make_shared<CertificateVerificationError>());

+ }

+}

+

+

+#pragma clang diagnostic push

+#pragma clang diagnostic ignored "-Wdeprecated-declarations"

+

+void SecureTransportContext::verifyServerCertificate() {

+ SecTrustRef trust = nullptr;

+ OSStatus error = SSLCopyPeerTrust(sslContext_.get(), &trust);

+ if (error != noErr) {

+ fatalError(std::make_shared<TLSError>(), std::make_shared<CertificateVerificationError>());

+ return;

+ }

+ std::shared_ptr<SecTrust> trustRef = std::shared_ptr<SecTrust>(trust, CFRelease);

+

+ if (checkCertificateRevocation_) {

+ error = SecTrustSetOptions(trust, kSecTrustOptionRequireRevPerCert | kSecTrustOptionFetchIssuerFromNet);

+ if (error != noErr) {

+ fatalError(std::make_shared<TLSError>(), std::make_shared<CertificateVerificationError>());

+ return;

+ }

+ }

+

+ SecTrustResultType trustResult;

+ error = SecTrustEvaluate(trust, &trustResult);

+ if (error != errSecSuccess) {

+ fatalError(std::make_shared<TLSError>(), std::make_shared<CertificateVerificationError>());

+ return;

+ }

+

+ OSStatus cssmResult = 0;

+ switch(trustResult) {

+ case kSecTrustResultUnspecified:

+ SWIFT_LOG(warning) << "Successful implicit validation. Result unspecified.";

+ break;

+ case kSecTrustResultProceed:

+ SWIFT_LOG(warning) << "Validation resulted in explicitly trusted.";

+ break;

+ case kSecTrustResultRecoverableTrustFailure:

+ SWIFT_LOG(warning) << "recoverable trust failure";

+ error = SecTrustGetCssmResultCode(trust, &cssmResult);

+ if (error == errSecSuccess) {

+ verificationError_ = CSSMErrorToVerificationError(cssmResult);

+ if (cssmResult == CSSMERR_TP_VERIFY_ACTION_FAILED || cssmResult == CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK ) {

+ // Find out the reason why the verification failed.

+ CFArrayRef certChain;

+ CSSM_TP_APPLE_EVIDENCE_INFO* statusChain;

+ error = SecTrustGetResult(trustRef.get(), &trustResult, &certChain, &statusChain);

+ if (error == errSecSuccess) {

+ std::shared_ptr<CFArray> certChainRef = std::shared_ptr<CFArray>(certChain, CFRelease);

+ for (CFIndex index = 0; index < CFArrayGetCount(certChainRef.get()); index++) {

+ for (CFIndex n = 0; n < statusChain[index].NumStatusCodes; n++) {

+ // Even though Secure Transport reported CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK on the whole certificate

+ // chain, the actual cause can be that a revocation check for a specific cert returned CSSMERR_TP_CERT_REVOKED.

+ if (!verificationError_ || verificationError_->getType() == CertificateVerificationError::RevocationCheckFailed) {

+ verificationError_ = CSSMErrorToVerificationError(statusChain[index].StatusCodes[n]);

+ }

+ }

+ }

+ }

+ else {

+

+ }

+ }

+ }

+ else {

+ verificationError_ = std::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError);

+ }

+ break;

+ case kSecTrustResultInvalid:

+ verificationError_ = std::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError);

+ break;

+ case kSecTrustResultConfirm:

+ // TODO: Confirmation from the user is required before proceeding.

+ verificationError_ = std::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError);

+ break;

+ case kSecTrustResultDeny:

+ // The user specified that the certificate should not be trusted.

+ verificationError_ = std::make_shared<CertificateVerificationError>(CertificateVerificationError::Untrusted);

+ break;

+ case kSecTrustResultFatalTrustFailure:

+ // Trust denied; no simple fix is available.

+ verificationError_ = std::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError);

+ break;

+ case kSecTrustResultOtherError:

+ verificationError_ = std::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError);

+ break;

+ }

+

+ // We proceed with the TLS handshake here to give the application an opportunity

+ // to apply custom validation and trust management. The application is responsible

+ // to call \ref getPeerCertificateVerificationError directly after the \ref onConnected

+ // signal is called and before any application data is send to the context.

+ processHandshake();

+}

+

+#pragma clang diagnostic pop

+

+bool SecureTransportContext::setClientCertificate(CertificateWithKey::ref cert) {

+ CFArrayRef nativeClientChain = CreateClientCertificateChainAsCFArrayRef(cert);

+ if (nativeClientChain) {

+ clientCertificate_ = cert;

+ CFRelease(nativeClientChain);

+ return true;

+ }

+ else {

+ return false;

+ }

+}

+

+void SecureTransportContext::handleDataFromNetwork(const SafeByteArray& data) {

+ SWIFT_LOG(debug);

+ SWIFT_LOG_ASSERT(state_ == HandshakeDone || state_ == Handshake, error) << "current state '" << stateToString(state_) << " invalid.";

+

+ append(readingBuffer_, data);

+

+ size_t bytesRead = 0;

+ OSStatus error = noErr;

+ SafeByteArray applicationData;

+

+ switch(state_) {

+ case None:

+ assert(false && "Invalid state 'None'.");

+ break;

+ case Handshake:

+ processHandshake();

+ break;

+ case HandshakeDone:

+ while (error == noErr) {

+ applicationData.resize(readingBuffer_.size());

+ error = SSLRead(sslContext_.get(), applicationData.data(), applicationData.size(), &bytesRead);

+ if (error == noErr) {

+ // Read successful.

+ }

+ else if (error == errSSLWouldBlock) {

+ // Secure Transport does not want more data.

+ break;

+ }

+ else {

+ SWIFT_LOG(error) << "SSLRead failed with error " << error << ", read bytes: " << bytesRead << ".";

+ fatalError(std::make_shared<TLSError>(), std::make_shared<CertificateVerificationError>());

+ return;

+ }

+

+ if (bytesRead > 0) {

+ applicationData.resize(bytesRead);

+ onDataForApplication(applicationData);

+ }

+ else {

+ break;

+ }

+ }

+ break;

+ case Error:

+ SWIFT_LOG(debug) << "Igoring received data in error state.";

+ break;

+ }

+}

+

+

+void SecureTransportContext::handleDataFromApplication(const SafeByteArray& data) {

+ size_t processedBytes = 0;

+ OSStatus error = SSLWrite(sslContext_.get(), data.data(), data.size(), &processedBytes);

+ switch(error) {

+ case errSSLWouldBlock:

+ SWIFT_LOG(warning) << "Unexpected because the write callback does not block.";

+ return;

+ case errSSLClosedGraceful:

+ case noErr:

+ return;

+ default:

+ SWIFT_LOG(warning) << "SSLWrite returned error code: " << error << ", processed bytes: " << processedBytes;

+ fatalError(std::make_shared<TLSError>(), std::shared_ptr<CertificateVerificationError>());

+ }

+}

+

+std::vector<Certificate::ref> SecureTransportContext::getPeerCertificateChain() const {

+ std::vector<Certificate::ref> peerCertificateChain;

+

+ if (sslContext_) {

+ typedef boost::remove_pointer<SecTrustRef>::type SecTrust;

+ std::shared_ptr<SecTrust> securityTrust;

+

+ SecTrustRef secTrust = nullptr;

+ OSStatus error = SSLCopyPeerTrust(sslContext_.get(), &secTrust);

+ if (error == noErr) {

+ securityTrust = std::shared_ptr<SecTrust>(secTrust, CFRelease);

+

+ CFIndex chainSize = SecTrustGetCertificateCount(securityTrust.get());

+ for (CFIndex n = 0; n < chainSize; n++) {

+ SecCertificateRef certificate = SecTrustGetCertificateAtIndex(securityTrust.get(), n);

+ if (certificate) {

+ peerCertificateChain.push_back(std::make_shared<SecureTransportCertificate>(certificate));

+ }

+ }

+ }

+ else {

+ SWIFT_LOG(warning) << "Failed to obtain peer trust structure; error = " << error << ".";

+ }

+ }

+

+ return peerCertificateChain;

+}

+

+CertificateVerificationError::ref SecureTransportContext::getPeerCertificateVerificationError() const {

+ return verificationError_;

+}

+

+ByteArray SecureTransportContext::getFinishMessage() const {

+ SWIFT_LOG(warning) << "Access to TLS handshake finish message is not part of OS X Secure Transport APIs.";

+ return ByteArray();

+}

+

+/**

+ * This I/O callback simulates an asynchronous read to the read buffer of the context. If it is empty, it returns errSSLWouldBlock; else

+ * the data within the buffer is returned.

+ */

+OSStatus SecureTransportContext::SSLSocketReadCallback(SSLConnectionRef connection, void *data, size_t *dataLength) {

+ SecureTransportContext* context = const_cast<SecureTransportContext*>(static_cast<const SecureTransportContext*>(connection));

+ OSStatus retValue = noErr;

+

+ if (context->readingBuffer_.size() < *dataLength) {

+ // Would block because Secure Transport is trying to read more data than there currently is available in the buffer.

+ *dataLength = 0;

+ retValue = errSSLWouldBlock;

+ }

+ else {

+ size_t bufferLen = *dataLength;

+ size_t copyToBuffer = bufferLen < context->readingBuffer_.size() ? bufferLen : context->readingBuffer_.size();

+

+ memcpy(data, context->readingBuffer_.data(), copyToBuffer);

+

+ context->readingBuffer_ = SafeByteArray(context->readingBuffer_.data() + copyToBuffer, context->readingBuffer_.data() + context->readingBuffer_.size());

+ *dataLength = copyToBuffer;

+ }

+ return retValue;

+}

+

+OSStatus SecureTransportContext::SSLSocketWriteCallback(SSLConnectionRef connection, const void *data, size_t *dataLength) {

+ SecureTransportContext* context = const_cast<SecureTransportContext*>(static_cast<const SecureTransportContext*>(connection));

+ OSStatus retValue = noErr;

+

+ SafeByteArray safeData;

+ safeData.resize(*dataLength);

+ memcpy(safeData.data(), data, safeData.size());

+

+ context->onDataForNetwork(safeData);

+ return retValue;

+}

+

+std::shared_ptr<TLSError> SecureTransportContext::nativeToTLSError(OSStatus /* error */) {

+ std::shared_ptr<TLSError> swiftenError;

+ swiftenError = std::make_shared<TLSError>();

+ return swiftenError;

+}

+

+std::shared_ptr<CertificateVerificationError> SecureTransportContext::CSSMErrorToVerificationError(OSStatus resultCode) {

+ std::shared_ptr<CertificateVerificationError> error;

+ switch(resultCode) {

+ case CSSMERR_TP_NOT_TRUSTED:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_NOT_TRUSTED";

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::Untrusted);

+ break;

+ case CSSMERR_TP_CERT_NOT_VALID_YET:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_NOT_VALID_YET";

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::NotYetValid);

+ break;

+ case CSSMERR_TP_CERT_EXPIRED:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_EXPIRED";

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::Expired);

+ break;

+ case CSSMERR_TP_CERT_REVOKED:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_CERT_REVOKED";

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::Revoked);

+ break;

+ case CSSMERR_TP_VERIFY_ACTION_FAILED:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_TP_VERIFY_ACTION_FAILED";

+ break;

+ case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK";

+ if (checkCertificateRevocation_) {

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::RevocationCheckFailed);

+ }

+ break;

+ case CSSMERR_APPLETP_OCSP_UNAVAILABLE:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_OCSP_UNAVAILABLE";

+ if (checkCertificateRevocation_) {

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::RevocationCheckFailed);

+ }

+ break;

+ case CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE:

+ SWIFT_LOG(debug) << "CSSM result code: CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE";

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::InvalidPurpose);

+ break;

+ default:

+ SWIFT_LOG(warning) << "unhandled CSSM error: " << resultCode << ", CSSM_TP_BASE_TP_ERROR: " << CSSM_TP_BASE_TP_ERROR;

+ error = std::make_shared<CertificateVerificationError>(CertificateVerificationError::UnknownError);

+ break;

+ }

+ return error;

+}

+

+void SecureTransportContext::fatalError(std::shared_ptr<TLSError> error, std::shared_ptr<CertificateVerificationError> certificateError) {

+ setState(Error);

+ if (sslContext_) {

+ SSLClose(sslContext_.get());

+ }

+ verificationError_ = certificateError;

+ onError(error);

+}

+

+}

+/*

+ * Copyright (c) 2015-2019 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#include <Swiften/TLS/SecureTransport/SecureTransportContextFactory.h>

+

+#include <Swiften/Base/Log.h>

+#include <Swiften/TLS/SecureTransport/SecureTransportContext.h>

+

+namespace Swift {

+

+// Default to disabled revocation checking as SecureTransport API is missing

+// methods for detailed revocation checking configuration which are needed for

+// good UX.

+SecureTransportContextFactory::SecureTransportContextFactory() : checkCertificateRevocation_(false), disconnectOnCardRemoval_(true) {

+

+}

+

+SecureTransportContextFactory::~SecureTransportContextFactory() {

+

+}

+

+bool SecureTransportContextFactory::canCreate() const {

+ return true;

+}

+

+std::unique_ptr<TLSContext> SecureTransportContextFactory::createTLSContext(const TLSOptions& /* tlsOptions */, TLSContext::Mode mode) {

+ // TLS server mode is not supported for the SecureTransport backend yet.

+ assert(mode == TLSContext::Mode::Client);

+ return std::unique_ptr<TLSContext>(new SecureTransportContext(checkCertificateRevocation_));

+}

+

+void SecureTransportContextFactory::setCheckCertificateRevocation(bool b) {

+ checkCertificateRevocation_ = b;

+}

+

+void SecureTransportContextFactory::setDisconnectOnCardRemoval(bool b) {

+ disconnectOnCardRemoval_ = b;

+ if (disconnectOnCardRemoval_) {

+ SWIFT_LOG(warning) << "Smart cards have not been tested yet";

+ }

+}

+

+}

+/*

+ * Copyright (c) 2015-2018 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ */

+

+#pragma once

+

+#include <memory>

+

+#include <Swiften/TLS/TLSContextFactory.h>

+

+namespace Swift {

+

+class SecureTransportContextFactory : public TLSContextFactory {

+ public:

+ SecureTransportContextFactory();

+ virtual ~SecureTransportContextFactory();

+

+ virtual bool canCreate() const;

+

+ virtual std::unique_ptr<TLSContext> createTLSContext(const TLSOptions& tlsOptions, TLSContext::Mode mode = TLSContext::Mode::Client);

+ virtual void setCheckCertificateRevocation(bool b);

+ virtual void setDisconnectOnCardRemoval(bool b);

+

+ private:

+ bool checkCertificateRevocation_;

+ bool disconnectOnCardRemoval_;

+};

+

+}

+ * Copyright (c) 2010-2016 Isode Limited.

+ * All rights reserved.

+ * See the COPYING file for more information.

+ServerIdentityVerifier::ServerIdentityVerifier(const JID& jid, IDNConverter* idnConverter, bool checkServer) : domainValid(false), checkServer_(checkServer) {

+ domain = jid.getDomain();

+ boost::optional<std::string> domainResult = idnConverter->getIDNAEncoded(domain);

+ if (!!domainResult) {

+ encodedDomain = *domainResult;

+ domainValid = true;

+ }

+ bool hasSAN = false;