Compare commits
5 Commits
unify-erro
...
cafile
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
85da4145aa | ||
|
|
c07ac0a68d | ||
|
|
60ce94c267 | ||
|
|
99f2d4fe54 | ||
|
|
acced31192 |
@@ -6,18 +6,20 @@ stages:
|
|||||||
- style
|
- style
|
||||||
- test
|
- test
|
||||||
before_script:
|
before_script:
|
||||||
- ./bootstrap.sh
|
- ./travis/before_script.sh
|
||||||
env:
|
env:
|
||||||
- CONFIGURE_OPT="--without-libxml2"
|
- CONFIGURE_OPT="--without-libxml2"
|
||||||
- CONFIGURE_OPT="--with-libxml2"
|
- CONFIGURE_OPT="--with-libxml2"
|
||||||
- CONFIGURE_OPT="--disable-tls"
|
- CONFIGURE_OPT="--disable-tls"
|
||||||
- CONFIGURE_OPT="--enable-cares"
|
- CONFIGURE_OPT="--enable-cares"
|
||||||
script: ./configure ${CONFIGURE_OPT} CFLAGS="-Werror" && make && make check
|
- CONFIGURE_OPT="PKG_CONFIG_PATH=${HOME}/libressl/lib/pkgconfig" LIBRESSL=yes LIBRESSL_COMMIT="v3.1.4"
|
||||||
|
- CONFIGURE_OPT="PKG_CONFIG_PATH=${HOME}/libressl/lib/pkgconfig" LIBRESSL=yes LIBRESSL_COMMIT="v2.1.7"
|
||||||
|
script: ./bootstrap.sh && ./configure ${CONFIGURE_OPT} CFLAGS="-Werror" && make && make check
|
||||||
jobs:
|
jobs:
|
||||||
include:
|
include:
|
||||||
- stage: style
|
- stage: style
|
||||||
name: "Check code style"
|
name: "Check code style"
|
||||||
script: ./configure && make format && git diff --exit-code
|
script: ./bootstrap.sh && ./configure && make format && git diff --exit-code
|
||||||
env:
|
env:
|
||||||
- CONFIGURE_OPT=""
|
- CONFIGURE_OPT=""
|
||||||
matrix:
|
matrix:
|
||||||
|
|||||||
@@ -1,3 +1,6 @@
|
|||||||
|
0.10.1
|
||||||
|
- Fixed compilation error when LibreSSL is used
|
||||||
|
|
||||||
0.10.0
|
0.10.0
|
||||||
- Coding style has been unified
|
- Coding style has been unified
|
||||||
- SCRAM-SHA-256 and SCRAM-SHA-512 support
|
- SCRAM-SHA-256 and SCRAM-SHA-512 support
|
||||||
|
|||||||
@@ -49,6 +49,7 @@ int main(int argc, char **argv)
|
|||||||
xmpp_conn_t *conn;
|
xmpp_conn_t *conn;
|
||||||
xmpp_log_t *log;
|
xmpp_log_t *log;
|
||||||
char *jid, *pass, *host = NULL;
|
char *jid, *pass, *host = NULL;
|
||||||
|
const char *cafile = NULL;
|
||||||
long flags = 0;
|
long flags = 0;
|
||||||
int tcp_keepalive = 0;
|
int tcp_keepalive = 0;
|
||||||
int i;
|
int i;
|
||||||
@@ -67,12 +68,15 @@ int main(int argc, char **argv)
|
|||||||
flags |= XMPP_CONN_FLAG_LEGACY_AUTH;
|
flags |= XMPP_CONN_FLAG_LEGACY_AUTH;
|
||||||
else if (strcmp(argv[i], "--tcp-keepalive") == 0)
|
else if (strcmp(argv[i], "--tcp-keepalive") == 0)
|
||||||
tcp_keepalive = 1;
|
tcp_keepalive = 1;
|
||||||
|
else if (strncmp(argv[i], "--cafile=", strlen("--cafile=")) == 0)
|
||||||
|
cafile = argv[i] + strlen("--cafile=");
|
||||||
else
|
else
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if ((argc - i) < 2 || (argc - i) > 3) {
|
if ((argc - i) < 2 || (argc - i) > 3) {
|
||||||
fprintf(stderr, "Usage: basic [options] <jid> <pass> [<host>]\n\n"
|
fprintf(stderr, "Usage: basic [options] <jid> <pass> [<host>]\n\n"
|
||||||
"Options:\n"
|
"Options:\n"
|
||||||
|
" --cafile=<PATH> CAfile for cert verification.\n"
|
||||||
" --disable-tls Disable TLS.\n"
|
" --disable-tls Disable TLS.\n"
|
||||||
" --mandatory-tls Deny plaintext connection.\n"
|
" --mandatory-tls Deny plaintext connection.\n"
|
||||||
" --trust-tls Trust TLS certificate.\n"
|
" --trust-tls Trust TLS certificate.\n"
|
||||||
@@ -111,6 +115,10 @@ int main(int argc, char **argv)
|
|||||||
if (tcp_keepalive)
|
if (tcp_keepalive)
|
||||||
xmpp_conn_set_keepalive(conn, KA_TIMEOUT, KA_INTERVAL);
|
xmpp_conn_set_keepalive(conn, KA_TIMEOUT, KA_INTERVAL);
|
||||||
|
|
||||||
|
/* add external CAfile if needed */
|
||||||
|
if (cafile)
|
||||||
|
xmpp_conn_tls_cafile(conn, cafile);
|
||||||
|
|
||||||
/* setup authentication information */
|
/* setup authentication information */
|
||||||
xmpp_conn_set_jid(conn, jid);
|
xmpp_conn_set_jid(conn, jid);
|
||||||
xmpp_conn_set_pass(conn, pass);
|
xmpp_conn_set_pass(conn, pass);
|
||||||
|
|||||||
@@ -346,8 +346,7 @@ static int _handle_sasl_result(xmpp_conn_t *const conn,
|
|||||||
} else {
|
} else {
|
||||||
/* got unexpected reply */
|
/* got unexpected reply */
|
||||||
xmpp_error(conn->ctx, "xmpp",
|
xmpp_error(conn->ctx, "xmpp",
|
||||||
"Got unexpected reply to SASL %s"
|
"Got unexpected reply to SASL %s authentication.",
|
||||||
"authentication.",
|
|
||||||
(char *)userdata);
|
(char *)userdata);
|
||||||
xmpp_disconnect(conn);
|
xmpp_disconnect(conn);
|
||||||
}
|
}
|
||||||
@@ -668,6 +667,10 @@ static void _auth(xmpp_conn_t *const conn)
|
|||||||
xmpp_error(conn->ctx, "auth",
|
xmpp_error(conn->ctx, "auth",
|
||||||
"No node in JID, and SASL ANONYMOUS unsupported.");
|
"No node in JID, and SASL ANONYMOUS unsupported.");
|
||||||
xmpp_disconnect(conn);
|
xmpp_disconnect(conn);
|
||||||
|
} else if (conn->pass == NULL) {
|
||||||
|
xmpp_error(conn->ctx, "auth",
|
||||||
|
"Password hasn't been set, and SASL ANONYMOUS unsupported.");
|
||||||
|
xmpp_disconnect(conn);
|
||||||
} else if (conn->sasl_support & SASL_MASK_SCRAM) {
|
} else if (conn->sasl_support & SASL_MASK_SCRAM) {
|
||||||
scram_ctx = xmpp_alloc(conn->ctx, sizeof(*scram_ctx));
|
scram_ctx = xmpp_alloc(conn->ctx, sizeof(*scram_ctx));
|
||||||
if (conn->sasl_support & SASL_MASK_SCRAMSHA512)
|
if (conn->sasl_support & SASL_MASK_SCRAMSHA512)
|
||||||
|
|||||||
@@ -171,6 +171,7 @@ struct _xmpp_conn_t {
|
|||||||
int ka_interval; /* TCP keepalive interval */
|
int ka_interval; /* TCP keepalive interval */
|
||||||
|
|
||||||
tls_t *tls;
|
tls_t *tls;
|
||||||
|
char *tls_cafile;
|
||||||
int tls_support;
|
int tls_support;
|
||||||
int tls_disabled;
|
int tls_disabled;
|
||||||
int tls_mandatory;
|
int tls_mandatory;
|
||||||
|
|||||||
31
src/conn.c
31
src/conn.c
@@ -137,6 +137,7 @@ xmpp_conn_t *xmpp_conn_new(xmpp_ctx_t *const ctx)
|
|||||||
conn->bound_jid = NULL;
|
conn->bound_jid = NULL;
|
||||||
|
|
||||||
conn->is_raw = 0;
|
conn->is_raw = 0;
|
||||||
|
conn->tls_cafile = NULL;
|
||||||
conn->tls_support = 0;
|
conn->tls_support = 0;
|
||||||
conn->tls_disabled = 0;
|
conn->tls_disabled = 0;
|
||||||
conn->tls_mandatory = 0;
|
conn->tls_mandatory = 0;
|
||||||
@@ -338,6 +339,8 @@ int xmpp_conn_release(xmpp_conn_t *const conn)
|
|||||||
xmpp_free(ctx, conn->pass);
|
xmpp_free(ctx, conn->pass);
|
||||||
if (conn->lang)
|
if (conn->lang)
|
||||||
xmpp_free(ctx, conn->lang);
|
xmpp_free(ctx, conn->lang);
|
||||||
|
if (conn->tls_cafile)
|
||||||
|
xmpp_free(ctx, conn->tls_cafile);
|
||||||
xmpp_free(ctx, conn);
|
xmpp_free(ctx, conn);
|
||||||
released = 1;
|
released = 1;
|
||||||
}
|
}
|
||||||
@@ -420,7 +423,7 @@ void xmpp_conn_set_pass(xmpp_conn_t *const conn, const char *const pass)
|
|||||||
{
|
{
|
||||||
if (conn->pass)
|
if (conn->pass)
|
||||||
xmpp_free(conn->ctx, conn->pass);
|
xmpp_free(conn->ctx, conn->pass);
|
||||||
conn->pass = xmpp_strdup(conn->ctx, pass);
|
conn->pass = pass ? xmpp_strdup(conn->ctx, pass) : NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Get the strophe context that the connection is associated with.
|
/** Get the strophe context that the connection is associated with.
|
||||||
@@ -686,6 +689,28 @@ int xmpp_conn_tls_start(xmpp_conn_t *const conn)
|
|||||||
return conn_tls_start(conn);
|
return conn_tls_start(conn);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Set external CAfile which will be used for TLS cert verification.
|
||||||
|
*
|
||||||
|
* @return XMPP_EOK (0) on success a number less than 0 on failure
|
||||||
|
*
|
||||||
|
* @ingroup Connections
|
||||||
|
*/
|
||||||
|
int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile)
|
||||||
|
{
|
||||||
|
FILE *f;
|
||||||
|
|
||||||
|
f = fopen(cafile, "r");
|
||||||
|
if (f == NULL) {
|
||||||
|
xmpp_debug(conn->ctx, "conn", "CAfile '%s' is not readable. errno=%d",
|
||||||
|
cafile, errno);
|
||||||
|
return XMPP_EINVOP;
|
||||||
|
}
|
||||||
|
fclose(f);
|
||||||
|
conn->tls_cafile = xmpp_strdup(conn->ctx, cafile);
|
||||||
|
|
||||||
|
return conn->tls_cafile == NULL ? XMPP_EMEM : XMPP_EOK;
|
||||||
|
}
|
||||||
|
|
||||||
/** Cleanly disconnect the connection.
|
/** Cleanly disconnect the connection.
|
||||||
* This function is only called by the stream parser when </stream:stream>
|
* This function is only called by the stream parser when </stream:stream>
|
||||||
* is received, and it not intended to be called by code outside of Strophe.
|
* is received, and it not intended to be called by code outside of Strophe.
|
||||||
@@ -915,6 +940,10 @@ int conn_tls_start(xmpp_conn_t *const conn)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (conn->tls != NULL) {
|
if (conn->tls != NULL) {
|
||||||
|
if (conn->tls_cafile != NULL) {
|
||||||
|
(void)tls_set_credentials(conn->tls, conn->tls_cafile);
|
||||||
|
}
|
||||||
|
|
||||||
if (tls_start(conn->tls)) {
|
if (tls_start(conn->tls)) {
|
||||||
conn->secured = 1;
|
conn->secured = 1;
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
@@ -81,6 +81,7 @@ const char *tls_errors[] = {
|
|||||||
TLS_ERROR_FIELD(SSL_ERROR_ZERO_RETURN),
|
TLS_ERROR_FIELD(SSL_ERROR_ZERO_RETURN),
|
||||||
TLS_ERROR_FIELD(SSL_ERROR_WANT_CONNECT),
|
TLS_ERROR_FIELD(SSL_ERROR_WANT_CONNECT),
|
||||||
TLS_ERROR_FIELD(SSL_ERROR_WANT_ACCEPT),
|
TLS_ERROR_FIELD(SSL_ERROR_WANT_ACCEPT),
|
||||||
|
#ifndef LIBRESSL_VERSION_NUMBER
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||||
TLS_ERROR_FIELD(SSL_ERROR_WANT_ASYNC),
|
TLS_ERROR_FIELD(SSL_ERROR_WANT_ASYNC),
|
||||||
TLS_ERROR_FIELD(SSL_ERROR_WANT_ASYNC_JOB),
|
TLS_ERROR_FIELD(SSL_ERROR_WANT_ASYNC_JOB),
|
||||||
@@ -88,6 +89,7 @@ const char *tls_errors[] = {
|
|||||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||||
TLS_ERROR_FIELD(SSL_ERROR_WANT_CLIENT_HELLO_CB),
|
TLS_ERROR_FIELD(SSL_ERROR_WANT_CLIENT_HELLO_CB),
|
||||||
#endif
|
#endif
|
||||||
|
#endif /* !LIBRESSL_VERSION_NUMBER */
|
||||||
};
|
};
|
||||||
const char *cert_errors[] = {
|
const char *cert_errors[] = {
|
||||||
TLS_ERROR_FIELD(X509_V_OK),
|
TLS_ERROR_FIELD(X509_V_OK),
|
||||||
@@ -148,30 +150,34 @@ const char *cert_errors[] = {
|
|||||||
TLS_ERROR_FIELD(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX),
|
TLS_ERROR_FIELD(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX),
|
TLS_ERROR_FIELD(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_CRL_PATH_VALIDATION_ERROR),
|
TLS_ERROR_FIELD(X509_V_ERR_CRL_PATH_VALIDATION_ERROR),
|
||||||
|
#ifndef LIBRESSL_VERSION_NUMBER
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_VERSION),
|
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_VERSION),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_ALGORITHM),
|
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_ALGORITHM),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_CURVE),
|
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_CURVE),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM),
|
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED),
|
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256),
|
TLS_ERROR_FIELD(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256),
|
||||||
|
#endif /* !LIBRESSL_VERSION_NUMBER */
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_HOSTNAME_MISMATCH),
|
TLS_ERROR_FIELD(X509_V_ERR_HOSTNAME_MISMATCH),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_EMAIL_MISMATCH),
|
TLS_ERROR_FIELD(X509_V_ERR_EMAIL_MISMATCH),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_IP_ADDRESS_MISMATCH),
|
TLS_ERROR_FIELD(X509_V_ERR_IP_ADDRESS_MISMATCH),
|
||||||
#endif
|
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||||
|
TLS_ERROR_FIELD(X509_V_ERR_INVALID_CALL),
|
||||||
|
TLS_ERROR_FIELD(X509_V_ERR_STORE_LOOKUP),
|
||||||
|
#ifndef LIBRESSL_VERSION_NUMBER
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_PATH_LOOP),
|
TLS_ERROR_FIELD(X509_V_ERR_PATH_LOOP),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_DANE_NO_MATCH),
|
TLS_ERROR_FIELD(X509_V_ERR_DANE_NO_MATCH),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_EE_KEY_TOO_SMALL),
|
TLS_ERROR_FIELD(X509_V_ERR_EE_KEY_TOO_SMALL),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_CA_KEY_TOO_SMALL),
|
TLS_ERROR_FIELD(X509_V_ERR_CA_KEY_TOO_SMALL),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_CA_MD_TOO_WEAK),
|
TLS_ERROR_FIELD(X509_V_ERR_CA_MD_TOO_WEAK),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_INVALID_CALL),
|
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_STORE_LOOKUP),
|
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_NO_VALID_SCTS),
|
TLS_ERROR_FIELD(X509_V_ERR_NO_VALID_SCTS),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION),
|
TLS_ERROR_FIELD(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_OCSP_VERIFY_NEEDED),
|
TLS_ERROR_FIELD(X509_V_ERR_OCSP_VERIFY_NEEDED),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_OCSP_VERIFY_FAILED),
|
TLS_ERROR_FIELD(X509_V_ERR_OCSP_VERIFY_FAILED),
|
||||||
TLS_ERROR_FIELD(X509_V_ERR_OCSP_CERT_UNKNOWN),
|
TLS_ERROR_FIELD(X509_V_ERR_OCSP_CERT_UNKNOWN),
|
||||||
#endif
|
#endif /* !LIBRESSL_VERSION_NUMBER */
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
|
||||||
};
|
};
|
||||||
#undef TLS_ERROR_FIELD
|
#undef TLS_ERROR_FIELD
|
||||||
|
|
||||||
@@ -312,9 +318,14 @@ void tls_free(tls_t *tls)
|
|||||||
|
|
||||||
int tls_set_credentials(tls_t *tls, const char *cafilename)
|
int tls_set_credentials(tls_t *tls, const char *cafilename)
|
||||||
{
|
{
|
||||||
UNUSED(tls);
|
int ret;
|
||||||
UNUSED(cafilename);
|
|
||||||
return -1;
|
ret = SSL_CTX_load_verify_locations(tls->ssl_ctx, cafilename, NULL);
|
||||||
|
if (ret != 1) {
|
||||||
|
xmpp_error(tls->ctx, "tls", "Failed to process CAfile: %s", cafilename);
|
||||||
|
_tls_log_error(tls->ctx);
|
||||||
|
}
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
int tls_start(tls_t *tls)
|
int tls_start(tls_t *tls)
|
||||||
|
|||||||
@@ -271,6 +271,7 @@ int xmpp_conn_open_stream(xmpp_conn_t *const conn,
|
|||||||
char **attributes,
|
char **attributes,
|
||||||
size_t attributes_len);
|
size_t attributes_len);
|
||||||
int xmpp_conn_tls_start(xmpp_conn_t *const conn);
|
int xmpp_conn_tls_start(xmpp_conn_t *const conn);
|
||||||
|
int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile);
|
||||||
|
|
||||||
void xmpp_disconnect(xmpp_conn_t *const conn);
|
void xmpp_disconnect(xmpp_conn_t *const conn);
|
||||||
|
|
||||||
|
|||||||
14
travis/before_script.sh
Executable file
14
travis/before_script.sh
Executable file
@@ -0,0 +1,14 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
if [ "x$LIBRESSL" = "xyes" ]; then
|
||||||
|
cd "$HOME"
|
||||||
|
git clone https://github.com/libressl-portable/portable.git libressl-git
|
||||||
|
cd libressl-git
|
||||||
|
if [ -n "$LIBRESSL_COMMIT" ]; then
|
||||||
|
git checkout "$LIBRESSL_COMMIT"
|
||||||
|
fi
|
||||||
|
./autogen.sh
|
||||||
|
./configure --prefix="$HOME/libressl"
|
||||||
|
make -j"$(nproc)"
|
||||||
|
make install
|
||||||
|
fi
|
||||||
Reference in New Issue
Block a user