AgeCommit message (Collapse)Author
2019-09-17Fix casing of enums to avoid conflict on WindowsTobias Markmann
Test-Information: Tested on Windows with OpenSSL that this fixes the compilation issue. Change-Id: I01887c8eb758a6c1c208244cdae32aa9c0a99565
2019-09-03Add enhanced OpenSSL configurationTim Costen
Adds TLSOptions to the OpenSSLContext, which invokes a new private 'configure' method which allows various OpenSSL options to be set. Also add standard verification callbacks and external (via a std::function field in TLSOptions) to allow the user to specify their own method which will perform client certificate checking when a new TLS connection is accepted. Only set up the internal verifyCertCallback if the user-supplied hook is set. All callback hooks are set up in the 'configure' method, and only then if TLSOptions.verifyMode is present (i.e. not defaulted to boost::none), to preserve compatibility for users of this class (e.g. Swift) which want to use OpenSSL's own internal validation functions rather than setting the callbacks. Test-information: Used new code under development in M-Link when setting up a TLSContext, setting verify-mode=require, and set up verifyCertCallback with a local method. Making a client TLS connection which includes a client certificate results in the local verify callback being invoked. Change-Id: Idbb7279e1711fca8123f430bfca0dcfb65bc8da6
2019-01-21Fix OpenSSLContext to work correctly with OpenSSL 1.1.1Tobias Markmann
The previous code only worked with 1.1.0j or older. Now the code works with 1.1.0j and OpenSSL 1.1.1. Adjusted ClientServerTest to be more graceful in case of errors, i.e. failing tests instead of crashing. Test-Information: Tested that without the changes, the tests pass with OpenSSL 1.1.0j and test fail or crash with OpenSSL 1.1.1 and OpenSSL 1.1.1a. Tested that with the changes, the tests pass with OpenSSL 1.1.0j, OpenSSL 1.1.1, and OpenSSL 1.1.1a. Tested on macOS 10.14.2 with system clang. Change-Id: Ic63774049727f6d949153166f63a8545e9a24892
2019-01-18Allow ownership transfer of certificatesEdwin Mons
OpenSSL TLS contexts assume ownership of any additional certificate passed into it. The CertificateFactory now returns a vector of unique_ptrs, and OpenSSLContext will do the needful with releasing ownership at the right moment. A unit test has been added that uses a chained certificate in client/server context. Before the fix, this test would either fail, or result in a segmentation fault, depending on the mood of OpenSSL. Test-Information: Unit tests pass on Debian 9 Ran manual tests with server test code, tested both chained and single certificates, and no longer observed crashes when accepting a connection. Change-Id: I21814969e45c7d77e9a1af14f2c958c4c0311cd0
2019-01-14Add optional message to TLSErrorEdwin Mons
TLSError now takes an optional error message. OpenSSLContext has been updated to send out one, and calls to SWIFT_LOG have been removed from it for anything but setCertificateChain. OpenSSLContext::handleDataFromApplication misinterpreted the return code of SSL_write, triggering an onError in cases where more network I/O was required. Test-Information: Unit tests pass on Debian 9 Server test code no longer emits undesirable warnings to stderr on macOS 10.14. Change-Id: If0f932693361ef9738ae50d5445bfb4d3ed9b28f
2018-07-30Use std::unique_ptr to have TLS classes own the TLSContextTobias Markmann
TLSLayer and TLSConnection now own the TLSContext they use. The TLSContextFactory interface is adjusted to use std::unique_ptr. Test-Information: Builds and all tests pass on macOS with clang-7-master. Change-Id: I14e33c98b48445094f404b73ea41af0a51d2dde6
2018-03-14Fix building with OpenSSL on WindowsTobias Markmann
Define NOMINMAX when building OpenSSL backend on Windows and otherwise you cannot use std::numeric_limits<T>::max. Test-Information: Swiften builds on Windows 10 with VS2015 with the OpenSSL TLS backend. Change-Id: I9621c14426a0af2280cef7ee973abcff2fd0a48d
2018-03-12Ability to set Diffie-Hellman parameters for OpenSSLContextTobias Markmann
Test-Information: Unit tests pass on macOS 10.13.3 with ASAN and Clang 7.0. Change-Id: Ifc2bf2c1b63fca7f3ee43ef61c79a96b8e5ced5f
2018-03-12Add getPeerFinishMessage() method and OpenSSL TLS backendTobias Markmann
This method allows to calculate the TLS finish message of the peer of a TLS connection. It can be used to provide SASL channel binding for TLS servers. Test-Information: Added unit test that verifies the finish messages of a server TLS context with the finish messages of a client TLS context. Tests pass on macOS 10.13.3 with OpenSSL. Change-Id: Ia5ba539e1fb6d1bef6b4436bb59c7384b57a69b0
2018-02-21Add support for Server Name Indication to OpenSSLContextTobias Markmann
Test-Information: Builds and unit tests pass on macOS 10.13.3 with OpenSSL TLS backend. Change-Id: Ie8f4578c867a2e4bf84484cde4a7cff048566ca4
2018-02-02Add basic TLS server support in OpenTLSContextTobias Markmann
This also extends the TLSContext interface with methods required for server mode. Test-Information: Added unit tests that test new functionality in TLSContex. This includes test certificates in the source file that are not for public use. This new ClientServerTest is only enabled for OpenSSL, as other TLS backends do not support the new functionality yet. Tested on macOS 10.13.3 with clang-trunk. Change-Id: I8e43476057608067eb3b9852328aa21cd22974a0
2018-02-02Add support for extracting certificate chain from PEM stringTobias Markmann
Add PrivateKey class to simply encapsulate arbitrary private key data and the corresponding password. This enables easy unit testing by loading the certificate and key from within a test case. Test-Information: Added unit tests for certificate and key generated by OpenSSL. Tested on macOS 10.13.2 with OpenSSL. Change-Id: I1c9ffc3c70f61af65c4f1c48670badaf74b672b7
2018-01-30Modernize OpenSSL crypto backendTobias Markmann
* use std::unique_ptr for memory management of dynamic OpenSSL objects * use an initializer class and static instance of it to correctly initialize/finalize OpenSSL on first use * use enum class instead of simple enum for state * use nullptr instead of NULL Test-Information: Builds and tests pass on macOS 10.13.2 with clang-trunk and ASAN. Change-Id: I346f14e21c34871c1900a8e1ac000450770a0bbe
2017-06-19Don't crash when SSL_new failsAlexey Melnikov
NULL pointer dereference was happening in OpenSSL code (inside SSL_set_bio) when SSL_new returned NULL due to lack of Isode HGE license. Change-Id: Iebd78be7eb6c7978de0bff225915dc393a516f08
2016-08-24Use SSL_CTX_set_default_verify_paths to set trusted CAs for OpenSSLTobias Markmann
This fixes setup of trusted CAs on Fedora. Test-Information: Tested successful login to two different hosts with different CAs. Previously the there was no certificate warning on Debian 8 and a certificate warning on Fedora 24. With this patch there is no certificate warning anymore on Debian 8 and Fedora 24. Change-Id: I70e71eb9734f2012bcd5c4b784bab47917b44234
2016-04-05Migrate to Boost.Signals2 from Boost.SignalsTobias Markmann
Boost.Signals was deprecated and is not improved further. This patch removes Boost.Signals from 3rdParty and adds Boost.Signals2 and its dependencies. Also removed the Qt signals compatibility file Swiften/Base/boost_bsignals.h. Test-Information: Build and ran unit tests on OS X 10.11.4. Confirmed successful login using Swift client. Change-Id: Ie6e3b2d15aac2462cda95401582f5287a479fb54
2016-04-04Modernize code to use C++11 shared_ptr instead of Boost'sTobias Markmann
This change was done by applying the following 'gsed' replacement calls to all source files: 's/\#include <boost\/shared_ptr\.hpp>/\#include <memory>/g' 's/\#include <boost\/enable_shared_from_this\.hpp>/\#include <memory>/g' 's/\#include <boost\/smart_ptr\/make_shared\.hpp>/\#include <memory>/g' 's/\#include <boost\/make_shared\.hpp>/\#include <memory>/g' 's/\#include <boost\/weak_ptr\.hpp>/\#include <memory>/g' 's/boost::make_shared/std::make_shared/g' 's/boost::dynamic_pointer_cast/std::dynamic_pointer_cast/g' 's/boost::shared_ptr/std::shared_ptr/g' 's/boost::weak_ptr/std::weak_ptr/g' 's/boost::enable_shared_from_this/std::enable_shared_from_this/g' The remaining issues have been fixed manually. Test-Information: Code builds on OS X 10.11.4 and unit tests pass. Change-Id: Ia7ae34eab869fb9ad6387a1348426b71ae4acd5f
2016-03-31Convert tabs to 4 spaces for all source filesTobias Markmann
Removed trailing spaces and whitespace on empty lines in the process. Changed tool to disallow hard tabs in source files. Test-Information: Manually checked 30 random files that the conversion worked as expected. Change-Id: I874f99d617bd3d2bb55f02d58f22f58f9b094480
2016-03-30Apply consistent #include grouping and sorting styleTobias Markmann
Changed "" style includes to <> style. Test-Information: Build with Clang 3.9.0 and ran all tests on OS X 10.11.4. Change-Id: Ic05e53f2e5dba39cc1307b116fc5f17b62ab9eb8
2015-10-30Add support for OS X Secure Transport TLS backendTobias Markmann
Added integration tests for certificate validation and revocation behavior checking. Test-Information: Tested client login over TLS against Prosody and M-Link. Verified client certificate authentication works against M-Link. Change-Id: I6ad870f17adbf279f3bac913a3076909308a0021
2015-07-07Add hidden option to prevent disconnect when smartcard removedMili Verma
This patch adds an option 'disconnectOnCardRemoval' to system-settings.xml which when set to false allows the user's session to stay connected if the smartcard is removed. The default value of this option is true if it is not specified. Test-information: Tested on Windows using NIST smartcards. Tested true and false values set for this option in the file and also when option is not specified (true). Unit tests pass. Change-Id: I7e421b4153ff7d3000f41999add20d339076c96e
2015-06-10Add ability to limit SChannel to TLS 1.0Kevin Smith
Some servers have very restrictive TLS stacks that respond badly to a bug in the SChannel TLS implementation, meaning that TLS has to be limited to 1.0. Add ClientOptions.tlsOptions. This is a method of passing options into the TLS stack. It's currently only used for the TLS 1.0 workaround in SChannel, but we might reasonably expose other options in the future, such as limiting cypher suites. Disables use of SSLv3 for SChannel Also updates the coding style in SchannelContext a bit. Test-Information: Compiles on both OS X and Windows(SChannel). OS X doesn't show the new option. Windows shows it, and remembers it between logins. Not tested against a server requiring 1.0 only, but a previous hack with the same approach was tested. Change-Id: I1e7854d43811fd173f21f98d4dc3915fc7a4b322
2015-02-17Disable SSLv3Kim Alvefur
Change-Id: I25328f60e211387f5d3fbcd6de155b7b8956c0f9 License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
2014-12-15Update Copyright in SwiftenKevin Smith
Change-Id: I94ab4bbb68c603fe872abeb8090575de042f5cb4
2014-11-13Fix iOS build and add iOS build documentation.Tobias Markmann
Test-Information: Tested on OS X 10.9.5 with XCode 6.1. Change-Id: Ib223977192fce274e5585ef0768fd755b1fa734d
2014-06-22NULL-terminate PKCS12 password bufferRemko Tronçon
This fixes a bug with PCKS12 cert auth that only manifested itself on specific platforms (e.g. ARM) Test-Information: Patch was tested by reporter on a failing platform Change-Id: I4663363aadaf5f00c2092e2f58d45f5ba1b4229a
2014-02-02Sluift: Add new_certificateRemko Tronçon
Change-Id: If4e4ef98c00f15c0a88557860f0377843a8713c0
2014-01-11Allow TLS other than version 1Kevin Smith
Change-Id: I1ffb6d9eabfb36c0101ee19c0cd618736d8a8bb8
2013-01-13Fix more warnings.Remko Tronçon
Fix sign conversion warnings. Removing heavy unnecessary includes. Change-Id: I992f43065498823098a875badb020c7c84fc4797
2012-12-30Enable & fix pedantic CLang warnings.Remko Tronçon
Change-Id: I70109624b4bd7aab9ba679a3eaabc225dd64a03a
2012-12-22Silence deprecated warnings.Remko Tronçon
Change-Id: If349586fd131f1661485acdea573f97d1726c731
2012-10-13Added extra comment about OpenSSL on Mac OS X.Remko Tronçon
Change-Id: I339364406d92226203af876f558bc07686d75cbf
2012-10-12Always add system's certificate store to OpenSSL on Mac OS X.Tobias Markmann
It used to be disabled for Mac OS X 10.5 or greater but it turns out system's OpenSSL doesn't add those on Mac OS X 10.8. License: This patch is BSD-licensed, see
2012-05-12Remove peer certificate from APIs.Remko Tronçon
The peer certificate chain contains the peer certificate, so this was redundant.
2012-05-11Showing stream encryption status in the roster header. Provide native ↵Tobias Markmann
certificate viewers on click. Native viewers for Windows and Mac OS X are implemented. Added TODOs to OpenSSL based TLS interface related to CRL and OCSP. Resolves: #167 License: This patch is BSD-licensed, see
2012-05-07Only assert when requesting CRL checking on OpenSSL.Remko Tronçon
2012-05-05Re-enable revocation check.Remko Tronçon
2012-05-05Revert "Re-enable revocation check."Remko Tronçon
This reverts commit 856f970d14c5c32b80fc5ea359d4e567b51578a0.
2012-04-24Re-enable revocation check.Remko Tronçon
Added a method on TLSContextFactory to disable revocation checks if wanted.
2012-03-23Allow TLS errors to bubble further up the stackKevin Smith
2012-02-23Compile when non-SChannelKevin Smith
2012-02-22Fix up for previous CAPI patchKevin Smith
Now connects successfully with or without TLS(with cert)
2012-02-22Initial implementation of using CAPI certificates with Schannel.Alexey Melnikov
Introduced a new parent class for all certificates with keys (class CertificateWithKey is the new parent for PKCS12Certificate.) Switched to using "CertificateWithKey *" instead of "const CertificateWithKey&" Added calling of a Windows dialog for certificate selection when Schannel TLS implementation is used. This compiles, but is not tested. License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
2011-11-03Quick brush up after previous patch.Kevin Smith
Includes: Initial cleanup of SChannel code; compiling on non-Windows Be willing to compile Swift with SChannel Undo some (presumably accidental) OpenSSL changes Where TLS doesn't support finish messages (SChannel), don't try -PLUS
2011-11-03* Added Schannel support.dreijer
License: This patch is BSD-licensed, see
2011-06-03Limit the use of the SafeString type.Remko Tronçon
2011-05-18Propagate use of SafeByteArray down to the connection.Remko Tronçon
2011-05-13Removed some explicit new's.Remko Tronçon
2011-05-05Replace ByteArray by typedef.Remko Tronçon
2011-04-30Replace #icnlude "" by #include <> in Swiften.Remko Tronçon