summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2016-02-01Disable certificate revocation checking in OS X TLS backendTobias Markmann
Default to disabled certificate revocation checking for SecureTransport TLS backend on OS X. SecureTransport internal revocation checking machine is not very stable and sometimes fails reporting a positive revocation check leading to bad UX. Test-Information: Swift login still works and ./scons test=system pass on OS X 10.11.3. Change-Id: I298ccca4ecab07af5517fe393fdb887d79d70bf1
2015-11-10Fix Cocoa memory management error in Secure Transport backendTobias Markmann
The code was calling CFRelease on a null pointer, which runs into an assert inside CFRelease. Test-Information: The crash happened during client certificate authentication using the Secure Transport backend. With this patch the crash is gone. Change-Id: If389dcb8b8a20fdc5cf77219d6c5afb86c9c3634
2015-11-06Fix potential memory leaks in Cocoa API usageTobias Markmann
These errors were reported by Clang Analyzer. Test-Information: Verified that behavior is still as expected and Clang Analyzer does not report the warnings anymore. Change-Id: I149d75241f7680a6d2f2b6b710dd38d1ed81a209
2015-10-30Add support for OS X Secure Transport TLS backendTobias Markmann
Added integration tests for certificate validation and revocation behavior checking. Test-Information: Tested client login over TLS against Prosody and M-Link. Verified client certificate authentication works against M-Link. Change-Id: I6ad870f17adbf279f3bac913a3076909308a0021
2015-09-22Add explicit includes for classes used in PlatformTLSFactoriesTobias Markmann
Furthermore removed unneeded includes. Test-Information: Still builds and unit tests pass. Change-Id: Ic7272e754c488f427b5ee6834f1d892028ea285d
2015-07-07Add hidden option to prevent disconnect when smartcard removedMili Verma
This patch adds an option 'disconnectOnCardRemoval' to system-settings.xml which when set to false allows the user's session to stay connected if the smartcard is removed. The default value of this option is true if it is not specified. Test-information: Tested on Windows using NIST smartcards. Tested true and false values set for this option in the file and also when option is not specified (true). Unit tests pass. Change-Id: I7e421b4153ff7d3000f41999add20d339076c96e
2015-07-02Reestablish connection with smart cardMili Verma
When the card is reset in shared mode (which is the mode we use), an application trying to access certain commands will be returned the value SCARD_W_RESET_CARD. When this occurs SCardReconnect() must be called. This wasn't done before so this patch fixes it. Also provides more logging for SCard function returns. Test-information: Tested on Windows using NIST smart cards. Before the fix, the Card Removed Error was seen often even after the initial connection was established. After the fix, the reconnect attempt is done so the error is not seen. Also verified that if a card is removed deliberately, then the user is logged out. Change-Id: I94748ab9ff944a79de655646e1e06a8b61776f4b
2015-06-10Add ability to limit SChannel to TLS 1.0Kevin Smith
Some servers have very restrictive TLS stacks that respond badly to a bug in the SChannel TLS implementation, meaning that TLS has to be limited to 1.0. Add ClientOptions.tlsOptions. This is a method of passing options into the TLS stack. It's currently only used for the TLS 1.0 workaround in SChannel, but we might reasonably expose other options in the future, such as limiting cypher suites. Disables use of SSLv3 for SChannel Also updates the coding style in SchannelContext a bit. Test-Information: Compiles on both OS X and Windows(SChannel). OS X doesn't show the new option. Windows shows it, and remembers it between logins. Not tested against a server requiring 1.0 only, but a previous hack with the same approach was tested. Change-Id: I1e7854d43811fd173f21f98d4dc3915fc7a4b322
2015-06-08Add missing SWIFTEN_API annotations to public Swiften APITobias Markmann
Test-Information: Tested build on Windows 8 with VS 2014 and ran unit tests. Change-Id: I3d8096df4801be6901f22564e36eecba0e7310c4
2015-02-17Disable SSLv3Kim Alvefur
Change-Id: I25328f60e211387f5d3fbcd6de155b7b8956c0f9 License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
2014-12-15Update Copyright in SwiftenKevin Smith
Change-Id: I94ab4bbb68c603fe872abeb8090575de042f5cb4
2014-11-13Fix iOS build and add iOS build documentation.Tobias Markmann
Test-Information: Tested on OS X 10.9.5 with XCode 6.1. Change-Id: Ib223977192fce274e5585ef0768fd755b1fa734d
2014-08-10Fix invalid characters being allowed in JID domainsRichard Maudsley
Test-Information: Prepare valid and invalid JIDs and make sure that isValid() is reported correctly. Added unit tests. Change-Id: Ic4d86f8b6ea9defc517ada2f8e3cc54979237cf4
2014-06-22NULL-terminate PKCS12 password bufferRemko Tronçon
This fixes a bug with PCKS12 cert auth that only manifested itself on specific platforms (e.g. ARM) Test-Information: Patch was tested by reporter on a failing platform Change-Id: I4663363aadaf5f00c2092e2f58d45f5ba1b4229a
2014-02-02Sluift: Add new_certificateRemko Tronçon
Change-Id: If4e4ef98c00f15c0a88557860f0377843a8713c0
2014-01-11Allow TLS other than version 1Kevin Smith
Change-Id: I1ffb6d9eabfb36c0101ee19c0cd618736d8a8bb8
2013-09-23Don't crash if server doesn't send cert in TLS handshakeNick Hudson
This patch reflects a change to Stroke, which is described as follows: If a TLS connection results in the server choosing an anonymous cipher suite, then no server certificate will be returned by the server. This ought not to happen, since XMPP clients are expected only to propose non-anonymous cipher suites, but it could be that a client is coded to propose anonymous suites, or that a bug in the server means that it fails to return a server certificate. This change updates the ServerIdentityVerifier to make it resilient against these situations, treating this situation as equivalent to "certificate presented by server does not verify". Test-information: Tested in Stroke. Untested in Swiften Change-Id: Iec815b09b6be675edad1d479d1a0a9d6b0b91bf3
2013-05-17Fixed unicode path handling.Remko Tronçon
- Use boost::filesystem::path consistently for referring to files. - Use boost::filesystem streams for I/O, such that paths are always handled correctly. - Use stringToPath and pathToString for conversion between strings and boost::filesystem::path, to ensure we have consistent unicode handling across platforms and environments. The default constructor and string conversion uses platform-dependent encoding, depending on the global locale set in the application, which causes problems. So, unless you are in platform dependent code, the default constructor and string() function should not be used. When constructing paths from other paths (e.g. using operator/), also use stringToPath (instead of string arguments) if the path can contain unicode characters. Change-Id: If286bd9e71c8414afc0b24ba67e26ab7608ef6ea
2013-04-27Removing third-party hash implementations.Remko Tronçon
Using library/platform implementation instead. Change-Id: I2457c2dad80e6fdda023a7f31c3906ff10fe09ed
2013-04-06Make IDN implementation abstract.Remko Tronçon
Change-Id: I4c64f954ddeca7147d729b8be07237baa15c1795
2013-01-13Fix more warnings.Remko Tronçon
Fix sign conversion warnings. Removing heavy unnecessary includes. Change-Id: I992f43065498823098a875badb020c7c84fc4797
2012-12-30Enable & fix pedantic CLang warnings.Remko Tronçon
Change-Id: I70109624b4bd7aab9ba679a3eaabc225dd64a03a
2012-12-22Silence deprecated warnings.Remko Tronçon
Change-Id: If349586fd131f1661485acdea573f97d1726c731
2012-10-13Added extra comment about OpenSSL on Mac OS X.Remko Tronçon
Change-Id: I339364406d92226203af876f558bc07686d75cbf
2012-10-12Always add system's certificate store to OpenSSL on Mac OS X.Tobias Markmann
It used to be disabled for Mac OS X 10.5 or greater but it turns out system's OpenSSL doesn't add those on Mac OS X 10.8. License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
2012-09-17Support for building swiften as a DLLRemko Tronçon
Added missing SWIFTEN_API declarations. Changed test infrastructure to extend path before running tests.
2012-07-14Initial DLL support for Swiften.Remko Tronçon
All applications succesfully link against Swiften.dll.
2012-05-12Remove peer certificate from APIs.Remko Tronçon
The peer certificate chain contains the peer certificate, so this was redundant.
2012-05-12Show Certificate dialog from certificate error window.Remko Tronçon
2012-05-11Showing stream encryption status in the roster header. Provide native ↵Tobias Markmann
certificate viewers on click. Native viewers for Windows and Mac OS X are implemented. Added TODOs to OpenSSL based TLS interface related to CRL and OCSP. Resolves: #167 License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
2012-05-07Only assert when requesting CRL checking on OpenSSL.Remko Tronçon
2012-05-05Windows compilation fixes.Remko Tronçon
2012-05-05Re-enable revocation check.Remko Tronçon
2012-05-05* Added additional cert store to chain validation. * Turned off revocation ↵dreijer
checking. License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
2012-05-05Revert "* Added additional cert store to chain validation. * Turned off ↵Remko Tronçon
revocation checking." This reverts commit e33b7a309e0424450ab00bc6180df95c6c049195.
2012-05-05Revert "Re-enable revocation check."Remko Tronçon
This reverts commit 856f970d14c5c32b80fc5ea359d4e567b51578a0.
2012-04-25Support channel binding with Schannel.Remko Tronçon
Resolves: #1012
2012-04-24Fixed compilation problems on windows.Remko Tronçon
2012-04-24Re-enable revocation check.Remko Tronçon
Added a method on TLSContextFactory to disable revocation checks if wanted.
2012-04-24* Added additional cert store to chain validation. * Turned off revocation ↵dreijer
checking.
2012-04-24Statically check the log severity level.Remko Tronçon
Resolves: #1099
2012-04-12Tidy up of assorted Schannel/CAPI stuffs.Kevin Smith
Makes Swift disconnect if a smartcard used for auth is removed. Fixes compilation. Changes code style in a few places.
2012-04-11Added support for determining SmartCard Reader associated with a certificate ↵Alexey Melnikov
(if any) This patch implements monitoring for SmartCard ejection. This is done by periodically (currently every second) polling smart card reader for the smart card status. If the smart card status becomes "absent" or "unknown" (an error to query the smartcard), the TLS session is aborted. This usually results in an attempt to reestablish TLS which will pop up "please insert the smart card" dialog. License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
2012-03-23Forgotten file for TLSError patchKevin Smith
2012-03-23Allow TLS errors to bubble further up the stackKevin Smith
2012-03-22Manual certificate verification. Added two additional TLS errors related to ↵dreijer
revocation. License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
2012-03-08Fixed several bugs in CAPI/Schannel code on WindowsAlexey Melnikov
This patch includes the following fixes: 1) Correctly hex encode SHA1 hashes when generating certstore: URIs 2) Use the newly parsed certificate store reference, not the old value 3) Need to call findCertificateInStore() when finding the selected TLS certificate in Schannel code. Without that "sha1:XXXX" URIs don't work Also minor optimization of string operations. License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
2012-03-06Fix missing includeKevin Smith
Resolves: #903
2012-02-28Changed certstore: URIs to use SHA1 hashes of certificatesAlexey Melnikov
Value of the certificate's subject DN leftmost RDN is not necessarily unique. This change switches to using SHA1 hash of DER certificates, which should guaranty uniqueness. License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
2012-02-23Compile when non-SChannelKevin Smith