|
|
|
@ -221,7 +221,7 @@ defaultState c t h s i = State { stateClientHandlers = h |
|
|
|
-- details on how they operate. |
|
|
|
-- details on how they operate. |
|
|
|
|
|
|
|
|
|
|
|
connect :: MonadIO m => Session s m -> HostName -> PortNumber -> |
|
|
|
connect :: MonadIO m => Session s m -> HostName -> PortNumber -> |
|
|
|
Maybe (Maybe ([X509], Bool), ([X509] -> Bool), Maybe [String]) -> |
|
|
|
Maybe (Maybe [X509], ([X509] -> Bool)) -> |
|
|
|
Maybe (UserName, Password, Maybe Resource) -> |
|
|
|
Maybe (UserName, Password, Maybe Resource) -> |
|
|
|
(ConnectResult -> StateT s m ()) -> StateT s m () |
|
|
|
(ConnectResult -> StateT s m ()) -> StateT s m () |
|
|
|
|
|
|
|
|
|
|
|
@ -229,8 +229,8 @@ connect s h p t a c = openStreams s h p connect' |
|
|
|
where |
|
|
|
where |
|
|
|
connect' r = case r of |
|
|
|
connect' r = case r of |
|
|
|
OpenStreamSuccess _ _ -> case t of -- TODO: Check for TLS support? |
|
|
|
OpenStreamSuccess _ _ -> case t of -- TODO: Check for TLS support? |
|
|
|
Just (certificate, certificateValidator, paths) -> |
|
|
|
Just (certificate, certificateValidator) -> |
|
|
|
tlsSecureStreams s certificate certificateValidator paths connect'' |
|
|
|
tlsSecureStreams s certificate certificateValidator connect'' |
|
|
|
Nothing -> connect'' (SecureWithTLSSuccess 1.0 "") -- TODO |
|
|
|
Nothing -> connect'' (SecureWithTLSSuccess 1.0 "") -- TODO |
|
|
|
OpenStreamFailure -> c ConnectOpenStreamFailure |
|
|
|
OpenStreamFailure -> c ConnectOpenStreamFailure |
|
|
|
connect'' r = case r of |
|
|
|
connect'' r = case r of |
|
|
|
@ -257,25 +257,29 @@ openStreams s h p c = CMS.get >>= |
|
|
|
-- Tries to secure the connection with TLS. |
|
|
|
-- Tries to secure the connection with TLS. |
|
|
|
-- |
|
|
|
-- |
|
|
|
-- If the list of certificates is provided, they will be presented to the |
|
|
|
-- If the list of certificates is provided, they will be presented to the |
|
|
|
-- server; the boolean value controls whether the client will show its |
|
|
|
-- server. |
|
|
|
-- certificates before the server has authed. |
|
|
|
|
|
|
|
-- |
|
|
|
-- |
|
|
|
-- The third parameter is an optional custom validation function for the server |
|
|
|
-- The third parameter is an optional custom validation function for the server |
|
|
|
-- certificates. Note that Pontarius XMPP will perform its own validation |
|
|
|
-- certificates. Note that Pontarius XMPP will perform its own validation |
|
|
|
-- according to the RFC 6120, including comparing the domain name specified in |
|
|
|
-- according to the RFC 6120, including comparing the domain name specified in |
|
|
|
-- the certificate against the connected server, as well as checking the |
|
|
|
-- the certificate against the connected server, as well as checking the |
|
|
|
-- integrity, the certificate authority, and CRL and\/or OCSP repositories of |
|
|
|
-- integrity, and the certificate authorities. |
|
|
|
-- the certificate chain. The fourth parameter is a list of directories that |
|
|
|
-- |
|
|
|
-- contains trusted certificate authorities. |
|
|
|
-- Note: The current implementation of `certificate' looks for trusted |
|
|
|
|
|
|
|
-- certificates in the /etc/ssl/certs directory. |
|
|
|
|
|
|
|
-- |
|
|
|
|
|
|
|
-- Note: The current implementation of `certificate' does not support parsing |
|
|
|
|
|
|
|
-- X509 extensions. Because of this, we will defer checking CRLs and/or OCSP |
|
|
|
|
|
|
|
-- services as well as checking for the basicConstraints cA boolean for the |
|
|
|
|
|
|
|
-- time-being. |
|
|
|
|
|
|
|
|
|
|
|
tlsSecureStreams :: MonadIO m => Session s m -> Maybe ([X509], Bool) -> |
|
|
|
tlsSecureStreams :: MonadIO m => Session s m -> Maybe [X509] -> |
|
|
|
([X509] -> Bool) -> Maybe [String] -> |
|
|
|
([X509] -> Bool) -> (SecureWithTLSResult -> StateT s m ()) -> StateT s m () |
|
|
|
(SecureWithTLSResult -> StateT s m ()) -> StateT s m () |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
tlsSecureStreams s c a p c_ = CMS.get >>= |
|
|
|
tlsSecureStreams s c a c_ = CMS.get >>= |
|
|
|
(\ state -> lift $ liftIO $ |
|
|
|
(\ state -> lift $ liftIO $ |
|
|
|
writeChan (sessionChannel s) |
|
|
|
writeChan (sessionChannel s) |
|
|
|
(IEC (CESecureWithTLS c a p c_))) |
|
|
|
(IEC (CESecureWithTLS c a c_))) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- | |
|
|
|
-- | |
|
|
|
@ -439,7 +443,7 @@ processEvent e = get >>= \ state -> |
|
|
|
put $ state { stateShouldExit = True } |
|
|
|
put $ state { stateShouldExit = True } |
|
|
|
return $ Just e |
|
|
|
return $ Just e |
|
|
|
|
|
|
|
|
|
|
|
IEC (CESecureWithTLS certificate verifyCertificate paths callback) -> do |
|
|
|
IEC (CESecureWithTLS certificate verifyCertificate callback) -> do |
|
|
|
-- CEB.assert (not $ isTLSSecured (stateStreamState state)) (return ()) |
|
|
|
-- CEB.assert (not $ isTLSSecured (stateStreamState state)) (return ()) |
|
|
|
let Connected _ handle = stateConnectionState state |
|
|
|
let Connected _ handle = stateConnectionState state |
|
|
|
lift $ liftIO $ send "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" (Left handle) |
|
|
|
lift $ liftIO $ send "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" (Left handle) |
|
|
|
|
Jon Kristensen
15 years ago