| Age | Commit message (Collapse) | Author |
|---|
|
Test-Information:
Tested on Windows with OpenSSL that this fixes the
compilation issue.
Change-Id: I01887c8eb758a6c1c208244cdae32aa9c0a99565
|
|
Adds TLSOptions to the OpenSSLContext, which invokes a new private
'configure' method which allows various OpenSSL options to be set.
Also add standard verification callbacks and external (via a
std::function field in TLSOptions) to allow the user
to specify their own method which will perform client certificate
checking when a new TLS connection is accepted. Only set up
the internal verifyCertCallback if the user-supplied hook is set.
All callback hooks are set up in the 'configure' method, and only
then if TLSOptions.verifyMode is present (i.e. not defaulted
to boost::none), to preserve compatibility for users of
this class (e.g. Swift) which want to use OpenSSL's own
internal validation functions rather than setting the
callbacks.
Test-information:
Used new code under development in M-Link when setting up a TLSContext,
setting verify-mode=require, and set up verifyCertCallback with a local
method. Making a client TLS connection which includes a client
certificate results in the local verify callback being invoked.
Change-Id: Idbb7279e1711fca8123f430bfca0dcfb65bc8da6
|
|
The previous code only worked with 1.1.0j or older.
Now the code works with 1.1.0j and OpenSSL 1.1.1.
Adjusted ClientServerTest to be more graceful in case
of errors, i.e. failing tests instead of crashing.
Test-Information:
Tested that without the changes, the tests pass with
OpenSSL 1.1.0j and test fail or crash with OpenSSL
1.1.1 and OpenSSL 1.1.1a.
Tested that with the changes, the tests pass with OpenSSL
1.1.0j, OpenSSL 1.1.1, and OpenSSL 1.1.1a.
Tested on macOS 10.14.2 with system clang.
Change-Id: Ic63774049727f6d949153166f63a8545e9a24892
|
|
OpenSSL TLS contexts assume ownership of any additional certificate
passed into it. The CertificateFactory now returns a vector of
unique_ptrs, and OpenSSLContext will do the needful with releasing
ownership at the right moment.
A unit test has been added that uses a chained certificate in
client/server context. Before the fix, this test would either fail, or
result in a segmentation fault, depending on the mood of OpenSSL.
Test-Information:
Unit tests pass on Debian 9
Ran manual tests with server test code, tested both chained and single
certificates, and no longer observed crashes when accepting a
connection.
Change-Id: I21814969e45c7d77e9a1af14f2c958c4c0311cd0
|
|
TLSError now takes an optional error message. OpenSSLContext has been
updated to send out one, and calls to SWIFT_LOG have been removed from
it for anything but setCertificateChain.
OpenSSLContext::handleDataFromApplication misinterpreted the return code
of SSL_write, triggering an onError in cases where more network I/O was
required.
Test-Information:
Unit tests pass on Debian 9
Server test code no longer emits undesirable warnings to stderr on macOS
10.14.
Change-Id: If0f932693361ef9738ae50d5445bfb4d3ed9b28f
|
|
Define NOMINMAX when building OpenSSL backend on Windows
and otherwise you cannot use std::numeric_limits<T>::max.
Test-Information:
Swiften builds on Windows 10 with VS2015 with the OpenSSL TLS
backend.
Change-Id: I9621c14426a0af2280cef7ee973abcff2fd0a48d
|
|
Test-Information:
Unit tests pass on macOS 10.13.3 with ASAN and Clang 7.0.
Change-Id: Ifc2bf2c1b63fca7f3ee43ef61c79a96b8e5ced5f
|
|
This method allows to calculate the TLS finish message of the
peer of a TLS connection. It can be used to provide SASL
channel binding for TLS servers.
Test-Information:
Added unit test that verifies the finish messages of a server
TLS context with the finish messages of a client TLS context.
Tests pass on macOS 10.13.3 with OpenSSL.
Change-Id: Ia5ba539e1fb6d1bef6b4436bb59c7384b57a69b0
|
|
Test-Information:
Builds and unit tests pass on macOS 10.13.3 with OpenSSL TLS
backend.
Change-Id: Ie8f4578c867a2e4bf84484cde4a7cff048566ca4
|
|
This also extends the TLSContext interface with methods required
for server mode.
Test-Information:
Added unit tests that test new functionality in TLSContex.
This includes test certificates in the source file that are
not for public use. This new ClientServerTest is only enabled
for OpenSSL, as other TLS backends do not support the new
functionality yet.
Tested on macOS 10.13.3 with clang-trunk.
Change-Id: I8e43476057608067eb3b9852328aa21cd22974a0
|
|
* use std::unique_ptr for memory management of dynamic OpenSSL
objects
* use an initializer class and static instance of it to correctly
initialize/finalize OpenSSL on first use
* use enum class instead of simple enum for state
* use nullptr instead of NULL
Test-Information:
Builds and tests pass on macOS 10.13.2 with clang-trunk and
ASAN.
Change-Id: I346f14e21c34871c1900a8e1ac000450770a0bbe
|
|
NULL pointer dereference was happening in OpenSSL code (inside
SSL_set_bio) when SSL_new returned NULL due to lack of Isode HGE license.
Change-Id: Iebd78be7eb6c7978de0bff225915dc393a516f08
|
|
This fixes setup of trusted CAs on Fedora.
Test-Information:
Tested successful login to two different hosts with different
CAs. Previously the there was no certificate warning on
Debian 8 and a certificate warning on Fedora 24. With this
patch there is no certificate warning anymore on Debian 8
and Fedora 24.
Change-Id: I70e71eb9734f2012bcd5c4b784bab47917b44234
|
|
This change was done by applying the following 'gsed'
replacement calls to all source files:
's/\#include <boost\/shared_ptr\.hpp>/\#include <memory>/g'
's/\#include <boost\/enable_shared_from_this\.hpp>/\#include <memory>/g'
's/\#include <boost\/smart_ptr\/make_shared\.hpp>/\#include <memory>/g'
's/\#include <boost\/make_shared\.hpp>/\#include <memory>/g'
's/\#include <boost\/weak_ptr\.hpp>/\#include <memory>/g'
's/boost::make_shared/std::make_shared/g'
's/boost::dynamic_pointer_cast/std::dynamic_pointer_cast/g'
's/boost::shared_ptr/std::shared_ptr/g'
's/boost::weak_ptr/std::weak_ptr/g'
's/boost::enable_shared_from_this/std::enable_shared_from_this/g'
The remaining issues have been fixed manually.
Test-Information:
Code builds on OS X 10.11.4 and unit tests pass.
Change-Id: Ia7ae34eab869fb9ad6387a1348426b71ae4acd5f
|
|
Removed trailing spaces and whitespace on empty lines
in the process.
Changed CheckTabs.py tool to disallow hard tabs in source
files.
Test-Information:
Manually checked 30 random files that the conversion worked
as expected.
Change-Id: I874f99d617bd3d2bb55f02d58f22f58f9b094480
|
|
Change-Id: I25328f60e211387f5d3fbcd6de155b7b8956c0f9
License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
|
|
Change-Id: I94ab4bbb68c603fe872abeb8090575de042f5cb4
|
|
Test-Information:
Tested on OS X 10.9.5 with XCode 6.1.
Change-Id: Ib223977192fce274e5585ef0768fd755b1fa734d
|
|
This fixes a bug with PCKS12 cert auth that only manifested itself on
specific platforms (e.g. ARM)
Test-Information:
Patch was tested by reporter on a failing platform
Change-Id: I4663363aadaf5f00c2092e2f58d45f5ba1b4229a
|
|
Change-Id: I1ffb6d9eabfb36c0101ee19c0cd618736d8a8bb8
|
|
Fix sign conversion warnings.
Removing heavy unnecessary includes.
Change-Id: I992f43065498823098a875badb020c7c84fc4797
|
|
Change-Id: I70109624b4bd7aab9ba679a3eaabc225dd64a03a
|
|
Change-Id: If349586fd131f1661485acdea573f97d1726c731
|
|
Change-Id: I339364406d92226203af876f558bc07686d75cbf
|
|
It used to be disabled for Mac OS X 10.5 or greater but it turns out system's OpenSSL doesn't add those on Mac OS X 10.8.
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
|
|
The peer certificate chain contains the peer certificate, so this was
redundant.
|
|
certificate viewers on click.
Native viewers for Windows and Mac OS X are implemented.
Added TODOs to OpenSSL based TLS interface related to CRL and OCSP.
Resolves: #167
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
|
|
|
|
|
|
Now connects successfully with or without TLS(with cert)
|
|
Introduced a new parent class for all certificates with keys
(class CertificateWithKey is the new parent for PKCS12Certificate.)
Switched to using "CertificateWithKey *" instead of "const CertificateWithKey&"
Added calling of a Windows dialog for certificate selection when Schannel
TLS implementation is used.
This compiles, but is not tested.
License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Release-Notes: Swift now supports SCRAM-SHA-1-PLUS authentication.
|
|
|
|
|
|
|
|
|
|
This includes a fix in OpensSSLContext that stops assert failures when
more data is received on a connection after a write has failed. It's
worth investigating why this happens, stopping it doing so, and re-instate
the assert.
Resolves: #402
|
|
|
|
|
|
|
Swift