Age | Commit message (Collapse) | Author |
|
Default to disabled certificate revocation checking for
SecureTransport TLS backend on OS X. SecureTransport internal
revocation checking machine is not very stable and sometimes
fails reporting a positive revocation check leading to bad
UX.
Test-Information:
Swift login still works and ./scons test=system pass on OS X
10.11.3.
Change-Id: I298ccca4ecab07af5517fe393fdb887d79d70bf1
|
|
The code was calling CFRelease on a null pointer, which runs
into an assert inside CFRelease.
Test-Information:
The crash happened during client certificate authentication
using the Secure Transport backend. With this patch the crash
is gone.
Change-Id: If389dcb8b8a20fdc5cf77219d6c5afb86c9c3634
|
|
These errors were reported by Clang Analyzer.
Test-Information:
Verified that behavior is still as expected and Clang
Analyzer does not report the warnings anymore.
Change-Id: I149d75241f7680a6d2f2b6b710dd38d1ed81a209
|
|
Added integration tests for certificate validation and
revocation behavior checking.
Test-Information:
Tested client login over TLS against Prosody and M-Link.
Verified client certificate authentication works against
M-Link.
Change-Id: I6ad870f17adbf279f3bac913a3076909308a0021
|
|
Furthermore removed unneeded includes.
Test-Information:
Still builds and unit tests pass.
Change-Id: Ic7272e754c488f427b5ee6834f1d892028ea285d
|
|
This patch adds an option 'disconnectOnCardRemoval' to system-settings.xml which
when set to false allows the user's session to stay connected if the smartcard
is removed. The default value of this option is true if it is not specified.
Test-information:
Tested on Windows using NIST smartcards.
Tested true and false values set for this option in the file and also when
option is not specified (true).
Unit tests pass.
Change-Id: I7e421b4153ff7d3000f41999add20d339076c96e
|
|
When the card is reset in shared mode (which is the mode we use), an application
trying to access certain commands will be returned the value SCARD_W_RESET_CARD.
When this occurs SCardReconnect() must be called. This wasn't done before so
this patch fixes it.
Also provides more logging for SCard function returns.
Test-information:
Tested on Windows using NIST smart cards.
Before the fix, the Card Removed Error was seen often even after the initial
connection was established. After the fix, the reconnect attempt is done so the
error is not seen.
Also verified that if a card is removed deliberately, then the user is logged
out.
Change-Id: I94748ab9ff944a79de655646e1e06a8b61776f4b
|
|
Some servers have very restrictive TLS stacks that respond badly
to a bug in the SChannel TLS implementation, meaning that TLS
has to be limited to 1.0.
Add ClientOptions.tlsOptions. This is a method of passing options into
the TLS stack. It's currently
only used for the TLS 1.0 workaround in SChannel, but we might reasonably
expose other options in the future, such as limiting cypher suites.
Disables use of SSLv3 for SChannel
Also updates the coding style in SchannelContext a bit.
Test-Information:
Compiles on both OS X and Windows(SChannel). OS X doesn't show the new
option. Windows shows it, and remembers it between logins. Not tested
against a server requiring 1.0 only, but a previous hack with the
same approach was tested.
Change-Id: I1e7854d43811fd173f21f98d4dc3915fc7a4b322
|
|
Test-Information:
Tested build on Windows 8 with VS 2014 and ran unit tests.
Change-Id: I3d8096df4801be6901f22564e36eecba0e7310c4
|
|
Change-Id: I25328f60e211387f5d3fbcd6de155b7b8956c0f9
License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
|
|
Change-Id: I94ab4bbb68c603fe872abeb8090575de042f5cb4
|
|
Test-Information:
Tested on OS X 10.9.5 with XCode 6.1.
Change-Id: Ib223977192fce274e5585ef0768fd755b1fa734d
|
|
Test-Information:
Prepare valid and invalid JIDs and make sure that isValid() is reported correctly. Added unit tests.
Change-Id: Ic4d86f8b6ea9defc517ada2f8e3cc54979237cf4
|
|
This fixes a bug with PCKS12 cert auth that only manifested itself on
specific platforms (e.g. ARM)
Test-Information:
Patch was tested by reporter on a failing platform
Change-Id: I4663363aadaf5f00c2092e2f58d45f5ba1b4229a
|
|
Change-Id: If4e4ef98c00f15c0a88557860f0377843a8713c0
|
|
Change-Id: I1ffb6d9eabfb36c0101ee19c0cd618736d8a8bb8
|
|
This patch reflects a change to Stroke, which is described as follows:
If a TLS connection results in the server choosing an anonymous cipher
suite, then no server certificate will be returned by the server.
This ought not to happen, since XMPP clients are expected only to
propose non-anonymous cipher suites, but it could be that a client is
coded to propose anonymous suites, or that a bug in the server means
that it fails to return a server certificate.
This change updates the ServerIdentityVerifier to make it resilient
against these situations, treating this situation as equivalent to
"certificate presented by server does not verify".
Test-information:
Tested in Stroke. Untested in Swiften
Change-Id: Iec815b09b6be675edad1d479d1a0a9d6b0b91bf3
|
|
- Use boost::filesystem::path consistently for referring to files.
- Use boost::filesystem streams for I/O, such that paths are always handled
correctly.
- Use stringToPath and pathToString for conversion between strings and
boost::filesystem::path, to ensure we have consistent unicode handling
across platforms and environments. The default constructor and string
conversion uses platform-dependent encoding, depending on the global
locale set in the application, which causes problems. So, unless you are
in platform dependent code, the default constructor and string() function
should not be used. When constructing paths from other paths (e.g. using
operator/), also use stringToPath (instead of string arguments) if the path
can contain unicode characters.
Change-Id: If286bd9e71c8414afc0b24ba67e26ab7608ef6ea
|
|
Using library/platform implementation instead.
Change-Id: I2457c2dad80e6fdda023a7f31c3906ff10fe09ed
|
|
Change-Id: I4c64f954ddeca7147d729b8be07237baa15c1795
|
|
Fix sign conversion warnings.
Removing heavy unnecessary includes.
Change-Id: I992f43065498823098a875badb020c7c84fc4797
|
|
Change-Id: I70109624b4bd7aab9ba679a3eaabc225dd64a03a
|
|
Change-Id: If349586fd131f1661485acdea573f97d1726c731
|
|
Change-Id: I339364406d92226203af876f558bc07686d75cbf
|
|
It used to be disabled for Mac OS X 10.5 or greater but it turns out system's OpenSSL doesn't add those on Mac OS X 10.8.
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
|
|
Added missing SWIFTEN_API declarations.
Changed test infrastructure to extend path before running
tests.
|
|
All applications succesfully link against Swiften.dll.
|
|
The peer certificate chain contains the peer certificate, so this was
redundant.
|
|
|
|
certificate viewers on click.
Native viewers for Windows and Mac OS X are implemented.
Added TODOs to OpenSSL based TLS interface related to CRL and OCSP.
Resolves: #167
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
|
|
|
|
|
|
|
|
checking.
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
|
|
revocation checking."
This reverts commit e33b7a309e0424450ab00bc6180df95c6c049195.
|
|
This reverts commit 856f970d14c5c32b80fc5ea359d4e567b51578a0.
|
|
Resolves: #1012
|
|
|
|
Added a method on TLSContextFactory to disable revocation checks if
wanted.
|
|
checking.
|
|
Resolves: #1099
|
|
Makes Swift disconnect if a smartcard used for auth is removed.
Fixes compilation.
Changes code style in a few places.
|
|
(if any)
This patch implements monitoring for SmartCard ejection. This is done by
periodically (currently every second) polling smart card reader for
the smart card status. If the smart card status becomes "absent" or "unknown"
(an error to query the smartcard), the TLS session is aborted.
This usually results in an attempt to reestablish TLS which will pop up
"please insert the smart card" dialog.
License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
|
|
|
|
|
|
revocation.
License: This patch is BSD-licensed, see http://www.opensource.org/licenses/bsd-license.php
|
|
This patch includes the following fixes:
1) Correctly hex encode SHA1 hashes when generating certstore: URIs
2) Use the newly parsed certificate store reference, not the old value
3) Need to call findCertificateInStore() when finding the selected TLS
certificate in Schannel code. Without that "sha1:XXXX" URIs don't
work
Also minor optimization of string operations.
License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
|
|
Resolves: #903
|
|
Value of the certificate's subject DN leftmost RDN is not necessarily unique.
This change switches to using SHA1 hash of DER certificates,
which should guaranty uniqueness.
License: This patch is BSD-licensed, see Documentation/Licenses/BSD-simplified.txt for details.
|
|
|