summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2019-10-29Allow use of system TAs to be disabled via TLSOptionsTim Costen
Add new boolean flag to TLSOptions which when set to true prevents system Trust Anchors being loaded into new TLS contexts created using OpenSSL. Add new test to Swiften QA with appropriate comment. JIRA: SWIFT-425 Test-information: Checked logic of change under debugger while running the tests in CertificateTest.cpp which create TLS contexts. Change-Id: I2d4a8410ce9cc752e6774e1d1cdb84dcd37b01d7
2019-10-04Correct leaks in OpenSSL interfaceTim Costen
Remove increment of reference count on first certificate added to a new SSL context - the call to SSL_CTX_use_certificate does this internally. When adding extra certificates to the context via calls to SSL_CTX_add_extra_certificate, the explicit increment of the reference count is still required to prevent destruction of the certificates when the SSL context is freed. In OpenSSLContext::setPrivateKey, make sure the EVP_PKEY returned by PEM_read_bio_PrivateKey is tidied up, by wrapping it in a shared_ptr which calls EVP_PKEY_free. Add a new Unit test which creates an SSL context and inserts a multi-element certificate chain and a private key. JIRA: SWIFT-423 Bug: Release-notes: Manual: Change-Id: I82c66139a9dfe7a925eb39f73721200895a689e2 Test-information: Leak testing performed via ASAN-compiled MLink unit tests - now no leaks/errors reported associated with TLS Contexts and Certificates. Swiften unit test runs as expected.
2019-09-19Add support for use of shared certificate chain when setting up TLS contextTim Costen
Actual implementation is in OpenSSL subclass. This allows a permanent vector of shared certificates to be used when creating multiple OpenSSL contexts. This replaces the existing use of a vector of unique pointers to certificates which handed over responsibility for the underlying OpenSSL certs to the OpenSSL context. To enable this to work, a new method is added to the OpenSSLCertificate class which enables the reference count on the the contained OpenSSL certificate to be incremented - this stops the OpenSSL certificate being deleted when the OpenSSL context is freed. Use of conditional compilation was necessary to get the reference counting to build with the different versions of OpenSSL in use. Modify the method in OpenSSLCertificateFactory (and stub in CertificateFactory) which generates a vector of certificates, so that it generates a vector of shared_ptrs rather than unique_ptrs. Add test of CreateCertificateChain to Swiften CertificateTest class, together with sample certificate file in PEM form. JIRA: LINK-1763 Bug: Release-notes: Manual: Test-information: Tested via development version of Mystique - created multiple TLS sessions using single certificate chain. Swift unit tests now build and run again. New Swiften TLS unit test builds and runs. Change-Id: I7fa4888b640c94b68712a6bff1f7aa334a358df2
2018-03-27Add new ReferencePayload element class, parser and serializerPeter Burgess
Added a new element object ReferencePayload, and created the parser and serializer to handle this element. Currently no functionality to send references directly in swift, nor to render their contents. Test-Information: Unit tests written and passed for serializer and parser, testing various types of valid and invalid references, and testing references with embedded payloads. Change-Id: I81fd5d9e020fac1729640f297705806af97f6388
2017-07-07Make std:: make_unique available in gcc with c++11Joanna Hulboj
Test-Information: Unit tests pass OK on Windows 10 and CentOS 7.3. Change-Id: I33c9eb6b3e6409727350a44e6d5c88c5e8907275
2017-01-11Integrate googletest and googlemock libraries to 3rdPartyTobias Markmann
googletest and googlemock from release 1.8.0 have been copied to the 3rdParty folder. With this commit tests for Swift project can also written using googletest and googlemock APIs. The test runners will execute test suites written to either test library. Passing —-xml to a test runner will now create two test report XML files, namely $programName-report.cppunit.xml and $programName-report.gtest.xml. The ByteArrayTest has been converted to use googletest instead of googlemock to serve as an example and test the integration. Test-Information: Build all tests via ‘./scons test=all’ and verified all tests are run. Build all tests via ‘./scons test=all checker_report=1’ and verified that two report XML files are generated per test runner executed. Change-Id: I81a9fb2c7ea5612fc1b34eef70ed7e711bfeea81
2016-09-29Fix uninitialised class membersTobias Markmann
Initialised previously uninitialised class members. Changed some raw pointers to std::unique_ptr for clearer and automatically initialised code. Test-Information: Builds on macOS 10.12 and unit tests pass in ASAN-enabled build. Change-Id: I7900fe6131119c228ca92c79c0ee8125137f2e48
2016-06-22Temporarily disable CertificateErrorTestTobias Markmann
The tests are based on the http://www.tls-o-matic.com/ service, which is currently dysfunctional. Disabling the test so running all system tests does not fail anymore. Test-Information: ./scons test=all passes on OS X 10.11.5. Change-Id: I8df2e15efa6787e01dfebd78b61e07d1d1eed5c0
2016-04-25Convert hard tabs to four spaces in all our SConscript/*.py filesTobias Markmann
Test-Information: Test that it still builds and unit test pass on OS X 10.11.4. Change-Id: I2eb4a0b707991aee553db36a8cd1ae28b813acab
2016-04-04Modernize code to use C++11 shared_ptr instead of Boost'sTobias Markmann
This change was done by applying the following 'gsed' replacement calls to all source files: 's/\#include <boost\/shared_ptr\.hpp>/\#include <memory>/g' 's/\#include <boost\/enable_shared_from_this\.hpp>/\#include <memory>/g' 's/\#include <boost\/smart_ptr\/make_shared\.hpp>/\#include <memory>/g' 's/\#include <boost\/make_shared\.hpp>/\#include <memory>/g' 's/\#include <boost\/weak_ptr\.hpp>/\#include <memory>/g' 's/boost::make_shared/std::make_shared/g' 's/boost::dynamic_pointer_cast/std::dynamic_pointer_cast/g' 's/boost::shared_ptr/std::shared_ptr/g' 's/boost::weak_ptr/std::weak_ptr/g' 's/boost::enable_shared_from_this/std::enable_shared_from_this/g' The remaining issues have been fixed manually. Test-Information: Code builds on OS X 10.11.4 and unit tests pass. Change-Id: Ia7ae34eab869fb9ad6387a1348426b71ae4acd5f
2016-03-31Convert tabs to 4 spaces for all source filesTobias Markmann
Removed trailing spaces and whitespace on empty lines in the process. Changed CheckTabs.py tool to disallow hard tabs in source files. Test-Information: Manually checked 30 random files that the conversion worked as expected. Change-Id: I874f99d617bd3d2bb55f02d58f22f58f9b094480
2016-03-30Apply consistent #include grouping and sorting styleTobias Markmann
Changed "" style includes to <> style. Test-Information: Build with Clang 3.9.0 and ran all tests on OS X 10.11.4. Change-Id: Ic05e53f2e5dba39cc1307b116fc5f17b62ab9eb8
2016-03-04Fix small issues around Swiften/QA/TLSTestTobias Markmann
The jabber_org.crt was falsely modified in commit 0297fa1; reverted the file to its previous version. Fixed a syntax error in CertificateErrorTest. Fixed compilation of TLS stack with external OpenSSL. Test-Information: Tested compilation ./scons test=system Swiften/QA/TLSTest with OpenSSL on OS X 10.11.3. Change-Id: I58caf94dded128d3ee725b1961e54ad2955d70aa
2016-02-08Fix and adjust TLSTest to Windows SChannel backendTobias Markmann
Test-Information: ./scons test=system Swiften/QA/TLSTest passes on Windows 8. Change-Id: I688ec5d0022c02879ff56029d724e6dd30b89a99
2016-02-08Treat cert verify errors as non-fatal in OS X TLS backendTobias Markmann
Our TLS backends need to tread TLS verification errors, e.g. outdated certificate, untrusted CA, non-matching host, etc., as non-fatal, so the application can apply custom key pinning verification or similar. This patch changes the OS X SecureTransport backend to behave accordingly and adjusts the CertificateErrorTest to mirror this behavior. This commit also fixes a double-free in SecureTransportCertificate. Test-Information: Connected to a host with an untrusted CA and non-matching domain in the certificate and was prompted with the Swift certificate trust dialog on OS X 10.11.3. Swiften/QA/TLSTest run successfully on OS X 10.11.3. Change-Id: I4c8ce2178540d79a5f328e2e0558d4deb4295134
2015-11-10Add support for client certificate authentication in BOSHTobias Markmann
This allows to authenticate using SASL EXTERNAL over BOSH using a client TLS certificate for the HTTPS connection of the BOSH channel. The implementation also enforces the HTTPS server certificate of subsequent BOSH connections not to change. This commit also removes TLSConnection and TLSConnectionFactory as no code is using them. Test-Information: Tested against M-Link 16.3v6-0 on Debian 7.9 and Swift on OS X 10.10.5. Verified working client certificate authentication. Verified Swift not falling back to password-based authentication, in case EXTERNAL is not allowed by the server over BOSH or the client certificate is invalid. Change-Id: Ia96bcac27cac9fc9261ed847c82c6328307bfbd1
2015-10-30Add support for OS X Secure Transport TLS backendTobias Markmann
Added integration tests for certificate validation and revocation behavior checking. Test-Information: Tested client login over TLS against Prosody and M-Link. Verified client certificate authentication works against M-Link. Change-Id: I6ad870f17adbf279f3bac913a3076909308a0021
2014-12-15Update Copyright in SwiftenKevin Smith
Change-Id: I94ab4bbb68c603fe872abeb8090575de042f5cb4
2014-02-02Sluift: Add new_certificateRemko Tronçon
Change-Id: If4e4ef98c00f15c0a88557860f0377843a8713c0
2013-05-17Fixed unicode path handling.Remko Tronçon
- Use boost::filesystem::path consistently for referring to files. - Use boost::filesystem streams for I/O, such that paths are always handled correctly. - Use stringToPath and pathToString for conversion between strings and boost::filesystem::path, to ensure we have consistent unicode handling across platforms and environments. The default constructor and string conversion uses platform-dependent encoding, depending on the global locale set in the application, which causes problems. So, unless you are in platform dependent code, the default constructor and string() function should not be used. When constructing paths from other paths (e.g. using operator/), also use stringToPath (instead of string arguments) if the path can contain unicode characters. Change-Id: If286bd9e71c8414afc0b24ba67e26ab7608ef6ea
2012-06-05Added ICU support.Remko Tronçon
2012-04-17Fixing some clang warnings.Tobias Markmann
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
2011-05-05Replace ByteArray by typedef.Remko Tronçon
2011-04-30Replace #icnlude "" by #include <> in Swiften.Remko Tronçon
2011-02-14Removed Swift::String.Remko Tronçon
2011-01-27Fixed CLang warnings.Remko Tronçon
2010-11-11Commenting getSubjectName test.Remko Tronçon
2010-11-10Refactored TLS tests.Remko Tronçon
2010-03-28Removing submodules.Remko Tronçon
2010-03-28Moved Swiften to a separate module.Remko Tronçon