AgeCommit message (Collapse)Author
2019-09-19Add support for use of shared certificate chain when setting up TLS contextTim Costen
Actual implementation is in OpenSSL subclass. This allows a permanent vector of shared certificates to be used when creating multiple OpenSSL contexts. This replaces the existing use of a vector of unique pointers to certificates which handed over responsibility for the underlying OpenSSL certs to the OpenSSL context. To enable this to work, a new method is added to the OpenSSLCertificate class which enables the reference count on the the contained OpenSSL certificate to be incremented - this stops the OpenSSL certificate being deleted when the OpenSSL context is freed. Use of conditional compilation was necessary to get the reference counting to build with the different versions of OpenSSL in use. Modify the method in OpenSSLCertificateFactory (and stub in CertificateFactory) which generates a vector of certificates, so that it generates a vector of shared_ptrs rather than unique_ptrs. Add test of CreateCertificateChain to Swiften CertificateTest class, together with sample certificate file in PEM form. JIRA: LINK-1763 Bug: Release-notes: Manual: Test-information: Tested via development version of Mystique - created multiple TLS sessions using single certificate chain. Swift unit tests now build and run again. New Swiften TLS unit test builds and runs. Change-Id: I7fa4888b640c94b68712a6bff1f7aa334a358df2
2019-09-03Add enhanced OpenSSL configurationTim Costen
Adds TLSOptions to the OpenSSLContext, which invokes a new private 'configure' method which allows various OpenSSL options to be set. Also add standard verification callbacks and external (via a std::function field in TLSOptions) to allow the user to specify their own method which will perform client certificate checking when a new TLS connection is accepted. Only set up the internal verifyCertCallback if the user-supplied hook is set. All callback hooks are set up in the 'configure' method, and only then if TLSOptions.verifyMode is present (i.e. not defaulted to boost::none), to preserve compatibility for users of this class (e.g. Swift) which want to use OpenSSL's own internal validation functions rather than setting the callbacks. Test-information: Used new code under development in M-Link when setting up a TLSContext, setting verify-mode=require, and set up verifyCertCallback with a local method. Making a client TLS connection which includes a client certificate results in the local verify callback being invoked. Change-Id: Idbb7279e1711fca8123f430bfca0dcfb65bc8da6
2019-01-18Allow ownership transfer of certificatesEdwin Mons
OpenSSL TLS contexts assume ownership of any additional certificate passed into it. The CertificateFactory now returns a vector of unique_ptrs, and OpenSSLContext will do the needful with releasing ownership at the right moment. A unit test has been added that uses a chained certificate in client/server context. Before the fix, this test would either fail, or result in a segmentation fault, depending on the mood of OpenSSL. Test-Information: Unit tests pass on Debian 9 Ran manual tests with server test code, tested both chained and single certificates, and no longer observed crashes when accepting a connection. Change-Id: I21814969e45c7d77e9a1af14f2c958c4c0311cd0
2019-01-14Add optional message to TLSErrorEdwin Mons
TLSError now takes an optional error message. OpenSSLContext has been updated to send out one, and calls to SWIFT_LOG have been removed from it for anything but setCertificateChain. OpenSSLContext::handleDataFromApplication misinterpreted the return code of SSL_write, triggering an onError in cases where more network I/O was required. Test-Information: Unit tests pass on Debian 9 Server test code no longer emits undesirable warnings to stderr on macOS 10.14. Change-Id: If0f932693361ef9738ae50d5445bfb4d3ed9b28f
2018-03-12Ability to set Diffie-Hellman parameters for OpenSSLContextTobias Markmann
Test-Information: Unit tests pass on macOS 10.13.3 with ASAN and Clang 7.0. Change-Id: Ifc2bf2c1b63fca7f3ee43ef61c79a96b8e5ced5f
2018-03-12Add getPeerFinishMessage() method and OpenSSL TLS backendTobias Markmann
This method allows to calculate the TLS finish message of the peer of a TLS connection. It can be used to provide SASL channel binding for TLS servers. Test-Information: Added unit test that verifies the finish messages of a server TLS context with the finish messages of a client TLS context. Tests pass on macOS 10.13.3 with OpenSSL. Change-Id: Ia5ba539e1fb6d1bef6b4436bb59c7384b57a69b0
2018-02-21Add support for Server Name Indication to OpenSSLContextTobias Markmann
Test-Information: Builds and unit tests pass on macOS 10.13.3 with OpenSSL TLS backend. Change-Id: Ie8f4578c867a2e4bf84484cde4a7cff048566ca4
2018-02-02Add basic TLS server support in OpenTLSContextTobias Markmann
This also extends the TLSContext interface with methods required for server mode. Test-Information: Added unit tests that test new functionality in TLSContex. This includes test certificates in the source file that are not for public use. This new ClientServerTest is only enabled for OpenSSL, as other TLS backends do not support the new functionality yet. Tested on macOS 10.13.3 with clang-trunk. Change-Id: I8e43476057608067eb3b9852328aa21cd22974a0
2016-04-05Migrate to Boost.Signals2 from Boost.SignalsTobias Markmann
Boost.Signals was deprecated and is not improved further. This patch removes Boost.Signals from 3rdParty and adds Boost.Signals2 and its dependencies. Also removed the Qt signals compatibility file Swiften/Base/boost_bsignals.h. Test-Information: Build and ran unit tests on OS X 10.11.4. Confirmed successful login using Swift client. Change-Id: Ie6e3b2d15aac2462cda95401582f5287a479fb54
2016-04-04Modernize code to use C++11 shared_ptr instead of Boost'sTobias Markmann
This change was done by applying the following 'gsed' replacement calls to all source files: 's/\#include <boost\/shared_ptr\.hpp>/\#include <memory>/g' 's/\#include <boost\/enable_shared_from_this\.hpp>/\#include <memory>/g' 's/\#include <boost\/smart_ptr\/make_shared\.hpp>/\#include <memory>/g' 's/\#include <boost\/make_shared\.hpp>/\#include <memory>/g' 's/\#include <boost\/weak_ptr\.hpp>/\#include <memory>/g' 's/boost::make_shared/std::make_shared/g' 's/boost::dynamic_pointer_cast/std::dynamic_pointer_cast/g' 's/boost::shared_ptr/std::shared_ptr/g' 's/boost::weak_ptr/std::weak_ptr/g' 's/boost::enable_shared_from_this/std::enable_shared_from_this/g' The remaining issues have been fixed manually. Test-Information: Code builds on OS X 10.11.4 and unit tests pass. Change-Id: Ia7ae34eab869fb9ad6387a1348426b71ae4acd5f
2016-03-31Convert tabs to 4 spaces for all source filesTobias Markmann
Removed trailing spaces and whitespace on empty lines in the process. Changed tool to disallow hard tabs in source files. Test-Information: Manually checked 30 random files that the conversion worked as expected. Change-Id: I874f99d617bd3d2bb55f02d58f22f58f9b094480
2016-03-30Apply consistent #include grouping and sorting styleTobias Markmann
Changed "" style includes to <> style. Test-Information: Build with Clang 3.9.0 and ran all tests on OS X 10.11.4. Change-Id: Ic05e53f2e5dba39cc1307b116fc5f17b62ab9eb8
2015-06-08Add missing SWIFTEN_API annotations to public Swiften APITobias Markmann
Test-Information: Tested build on Windows 8 with VS 2014 and ran unit tests. Change-Id: I3d8096df4801be6901f22564e36eecba0e7310c4
2014-12-15Update Copyright in SwiftenKevin Smith
Change-Id: I94ab4bbb68c603fe872abeb8090575de042f5cb4
2012-05-12Remove peer certificate from APIs.Remko Tronçon
The peer certificate chain contains the peer certificate, so this was redundant.
2012-05-11Showing stream encryption status in the roster header. Provide native ↵Tobias Markmann
certificate viewers on click. Native viewers for Windows and Mac OS X are implemented. Added TODOs to OpenSSL based TLS interface related to CRL and OCSP. Resolves: #167 License: This patch is BSD-licensed, see
2012-03-23Allow TLS errors to bubble further up the stackKevin Smith
2012-02-22Fix up for previous CAPI patchKevin Smith
Now connects successfully with or without TLS(with cert)
2012-02-22Initial implementation of using CAPI certificates with Schannel.Alexey Melnikov
Introduced a new parent class for all certificates with keys (class CertificateWithKey is the new parent for PKCS12Certificate.) Switched to using "CertificateWithKey *" instead of "const CertificateWithKey&" Added calling of a Windows dialog for certificate selection when Schannel TLS implementation is used. This compiles, but is not tested. License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
2011-05-18Propagate use of SafeByteArray down to the connection.Remko Tronçon
2011-04-30Replace #icnlude "" by #include <> in Swiften.Remko Tronçon
2010-12-11Added SCRAM-SHA-1-PLUS support.Remko Tronçon
Release-Notes: Swift now supports SCRAM-SHA-1-PLUS authentication.
2010-11-11Added CertificateVerificationError::ref.Remko Tronçon
2010-11-07Refactoring certificates & certificate checking.Remko Tronçon
2010-11-07Added certificate verification API to TLS context.Remko Tronçon
2010-11-07Refactored TLS handling.Remko Tronçon
TLSLayer is now independent of TLS implementation. The implementation-specifics are now in TLSContext and TLSContextFactory.
2010-03-28Removing submodules.Remko Tronçon
2010-03-28Moved Swiften to a separate module.Remko Tronçon