From ad66cc53f7e7ce860aee5b71b871a0ae9f8d357d Mon Sep 17 00:00:00 2001 From: Tobias Markmann Date: Sun, 19 Mar 2017 17:27:06 +0100 Subject: Verify certificates for HTTPS BOSH connections Test-Information: Tested against a BOSH server with a valid HTTPS certificate and against a BOSH server with an expired HTTPS certificate. Tested on macOS 10.12.3 with Qt 5.5.1. Change-Id: I9989389b271961fc4d66db56198b32715af52ae7 diff --git a/Swiften/Client/ClientSession.cpp b/Swiften/Client/ClientSession.cpp index bcfb004..661a832 100644 --- a/Swiften/Client/ClientSession.cpp +++ b/Swiften/Client/ClientSession.cpp @@ -45,6 +45,8 @@ #include #include #include +#include +#include #include #include #include @@ -430,7 +432,9 @@ void ClientSession::sendCredentials(const SafeByteArray& password) { } void ClientSession::handleTLSEncrypted() { - CHECK_STATE_OR_RETURN(State::Encrypting); + if (!std::dynamic_pointer_cast(stream)) { + CHECK_STATE_OR_RETURN(State::Encrypting); + } std::vector certificateChain = stream->getPeerCertificateChain(); std::shared_ptr verificationError = stream->getPeerCertificateVerificationError(); @@ -450,7 +454,9 @@ void ClientSession::handleTLSEncrypted() { void ClientSession::checkTrustOrFinish(const std::vector& certificateChain, std::shared_ptr error) { if (certificateTrustChecker && certificateTrustChecker->isCertificateTrusted(certificateChain)) { - continueAfterTLSEncrypted(); + if (!std::dynamic_pointer_cast(stream)) { + continueAfterTLSEncrypted(); + } } else { finishSession(error); @@ -476,9 +482,11 @@ void ClientSession::initiateShutdown(bool sendFooter) { } void ClientSession::continueAfterTLSEncrypted() { - state = State::WaitingForStreamStart; - stream->resetXMPPParser(); - sendStreamHeader(); + if (!std::dynamic_pointer_cast(stream)) { + state = State::WaitingForStreamStart; + stream->resetXMPPParser(); + sendStreamHeader(); + } } void ClientSession::handleStreamClosed(std::shared_ptr streamError) { @@ -536,7 +544,7 @@ void ClientSession::finishSession(std::shared_ptr error) { error_ = error; } else { - SWIFT_LOG(warning) << "Session finished twice"; + SWIFT_LOG(warning) << "Session finished twice" << std::endl; } assert(stream->isOpen()); if (stanzaAckResponder_) { diff --git a/Swiften/Network/BOSHConnectionPool.cpp b/Swiften/Network/BOSHConnectionPool.cpp index e4ca471..8a75e81 100644 --- a/Swiften/Network/BOSHConnectionPool.cpp +++ b/Swiften/Network/BOSHConnectionPool.cpp @@ -142,6 +142,7 @@ void BOSHConnectionPool::handleConnectFinished(bool error, BOSHConnection::ref c } if (!pinnedCertificateChain_.empty()) { lastVerificationError_ = connection->getPeerCertificateVerificationError(); + onTLSConnectionEstablished(); } if (sid.empty()) { diff --git a/Swiften/Network/BOSHConnectionPool.h b/Swiften/Network/BOSHConnectionPool.h index 1a805de..c4d827c 100644 --- a/Swiften/Network/BOSHConnectionPool.h +++ b/Swiften/Network/BOSHConnectionPool.h @@ -41,6 +41,7 @@ namespace Swift { std::vector getPeerCertificateChain() const; std::shared_ptr getPeerCertificateVerificationError() const; + boost::signals2::signal onTLSConnectionEstablished; boost::signals2::signal onSessionTerminated; boost::signals2::signal onSessionStarted; boost::signals2::signal onXMPPDataRead; diff --git a/Swiften/Session/BOSHSessionStream.cpp b/Swiften/Session/BOSHSessionStream.cpp index 4c7bdee..a335b93 100644 --- a/Swiften/Session/BOSHSessionStream.cpp +++ b/Swiften/Session/BOSHSessionStream.cpp @@ -55,7 +55,7 @@ BOSHSessionStream::BOSHSessionStream(const URL& boshURL, connectionPool->onXMPPDataRead.connect(boost::bind(&BOSHSessionStream::handlePoolXMPPDataRead, this, _1)); connectionPool->onBOSHDataRead.connect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataRead, this, _1)); connectionPool->onBOSHDataWritten.connect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataWritten, this, _1)); - + connectionPool->onTLSConnectionEstablished.connect(boost::bind(&BOSHSessionStream::handlePoolTLSEstablished, this)); xmppLayer = new XMPPLayer(payloadParserFactories, payloadSerializers, xmlParserFactory, ClientStreamType, true); xmppLayer->onStreamStart.connect(boost::bind(&BOSHSessionStream::handleStreamStartReceived, this, _1)); xmppLayer->onElement.connect(boost::bind(&BOSHSessionStream::handleElementReceived, this, _1)); @@ -72,6 +72,7 @@ BOSHSessionStream::~BOSHSessionStream() { connectionPool->onXMPPDataRead.disconnect(boost::bind(&BOSHSessionStream::handlePoolXMPPDataRead, this, _1)); connectionPool->onBOSHDataRead.disconnect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataRead, this, _1)); connectionPool->onBOSHDataWritten.disconnect(boost::bind(&BOSHSessionStream::handlePoolBOSHDataWritten, this, _1)); + connectionPool->onTLSConnectionEstablished.disconnect(boost::bind(&BOSHSessionStream::handlePoolTLSEstablished, this)); delete connectionPool; connectionPool = nullptr; xmppLayer->onStreamStart.disconnect(boost::bind(&BOSHSessionStream::handleStreamStartReceived, this, _1)); @@ -178,6 +179,10 @@ void BOSHSessionStream::handlePoolSessionTerminated(BOSHError::ref error) { eventLoop->postEvent(boost::bind(&BOSHSessionStream::fakeStreamFooterReceipt, this, error), shared_from_this()); } +void BOSHSessionStream::handlePoolTLSEstablished() { + onTLSEncrypted(); +} + void BOSHSessionStream::writeHeader(const ProtocolHeader& header) { streamHeader = header; /*First time we're told to do this, don't (the sending of the initial header is handled on connect) diff --git a/Swiften/Session/BOSHSessionStream.h b/Swiften/Session/BOSHSessionStream.h index 0c26848..719f1f0 100644 --- a/Swiften/Session/BOSHSessionStream.h +++ b/Swiften/Session/BOSHSessionStream.h @@ -85,6 +85,7 @@ namespace Swift { void handlePoolBOSHDataRead(const SafeByteArray& data); void handlePoolBOSHDataWritten(const SafeByteArray& data); void handlePoolSessionTerminated(BOSHError::ref condition); + void handlePoolTLSEstablished(); private: void fakeStreamHeaderReceipt(); -- cgit v0.10.2-6-g49f6