authorSimon McVittie <simon.mcvittie@collabora.co.uk>2013-05-30 12:55:31 +0100
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2013-05-30 12:55:31 +0100
commit880a75bbf354d48a706c56afafd381040a1d9de8 (patch)
treed19d27821d7f70646ceeb722cd336f463459d6bc
parent3157284e58195cab12a404752f7d96e3c4ea650b (diff)
parent84a20687c54c84aa61c9f3a606c8eb3bd14a8544 (diff)
Merge branch 'telepathy-gabble-0.16'
Conflicts: NEWS configure.ac lib/ext/wocky
-rw-r--r--NEWS15
m---------lib/ext/wocky0
-rw-r--r--tests/twisted/Makefile.am1
-rw-r--r--tests/twisted/gabbletest.py2
-rw-r--r--tests/twisted/tls/legacy-jabber.py36
5 files changed, 53 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index c998f3200..671774356 100644
--- a/NEWS
+++ b/NEWS
@@ -1,11 +1,26 @@
telepathy-gabble 0.17.4 (UNRELEASED)
====================================
+This release fixes the same man-in-the-middle attack as 0.16.6.
+
+If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP)
+server, this version of Gabble will not connect until you make
+one of these configuration changes:
+
+• upgrade the server software to something that supports XMPP 1.0; or
+• use an encrypted "old SSL" connection, typically on port 5223 (old-ssl); or
+• turn off "Encryption required (TLS/SSL)" (require-encryption)
+
Fixes:
• update Wocky:
· fd.o #61792: fix linking an example program with ld versions that
default to --no-copy-dt-needed-entries
+ · fd.o #65036 (CVE-2013-1431): update Wocky to respect the tls-required
+ flag on legacy Jabber servers
+
+• fd.o #63119: improve regression tests' isolation from the session bus
+ (Simon)
telepathy-gabble 0.17.3 (2013-03-01)
====================================
diff --git a/lib/ext/wocky b/lib/ext/wocky
-Subproject d739d2e14952a1e75571de7839827d73f9568df
+Subproject d6c995608d4840df2bef38a5baf8e5b0f90915f
diff --git a/tests/twisted/Makefile.am b/tests/twisted/Makefile.am
index 7797d5173..fdc6d612a 100644
--- a/tests/twisted/Makefile.am
+++ b/tests/twisted/Makefile.am
@@ -121,6 +121,7 @@ TWISTED_TESTS = \
text/test-text-delayed.py \
text/test-text-no-body.py \
text/test-text.py \
+ tls/legacy-jabber.py \
tls/server-tls-channel.py \
version.py \
$(NULL)
diff --git a/tests/twisted/gabbletest.py b/tests/twisted/gabbletest.py
index 8cc7d24f3..0985cd422 100644
--- a/tests/twisted/gabbletest.py
+++ b/tests/twisted/gabbletest.py
@@ -161,7 +161,7 @@ class JabberAuthenticator(GabbleAuthenticator):
self._event_func(Event('auth-second-iq', authenticator=self,
iq=iq, id=iq["id"]))
else:
- self.respondToSecondIq(self, iq)
+ self.respondToSecondIq(iq)
def respondToSecondIq(self, iq):
username = xpath.queryForNodes('/iq/query/username', iq)
diff --git a/tests/twisted/tls/legacy-jabber.py b/tests/twisted/tls/legacy-jabber.py
new file mode 100644
index 000000000..e2090bb18
--- /dev/null
+++ b/tests/twisted/tls/legacy-jabber.py
@@ -0,0 +1,36 @@
+"""
+fd.o #65036: connecting to legacy Jabber servers should respect
+ require-encryption
+"""
+
+from servicetest import assertEquals
+from gabbletest import exec_test, JabberXmlStream, JabberAuthenticator
+import constants as cs
+
+JID = 'alice@example.com'
+PASSWORD = 's3kr1t'
+
+def test_require_encryption(q, bus, conn, stream):
+ conn.Connect()
+ q.expect('dbus-signal', signal='StatusChanged',
+ args=[cs.CONN_STATUS_CONNECTING, cs.CSR_REQUESTED])
+
+ # FIXME: arrange to get a better error
+ new = q.expect('dbus-signal', signal='ConnectionError')
+ assertEquals(cs.NETWORK_ERROR, new.args[0])
+
+ q.expect('dbus-signal', signal='StatusChanged',
+ args=[cs.CONN_STATUS_DISCONNECTED, cs.CSR_NETWORK_ERROR])
+
+if __name__ == '__main__':
+ exec_test(test_require_encryption,
+ {
+ 'password': PASSWORD,
+ 'account': JID,
+ 'require-encryption': True,
+ 'old-ssl': False,
+ 'resource': 'legacy-require-encryption',
+ },
+ protocol=JabberXmlStream,
+ authenticator=JabberAuthenticator(JID.split('@')[0], PASSWORD),
+ do_connect=False)
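Review bot: test_require_encryption accepts any ConnectionError with NETWORK_ERROR, so it would also pass if the connection failed for a reason unrelated to require-encryption, and it never checks that no credentials left the client before the disconnect. Since fd.o #65036 is about respecting the tls-required flag on a legacy Jabber stream, I would forbid the authenticator's events before `conn.Connect()`, for example `q.forbid_events([EventPattern('auth-second-iq')])` with `EventPattern` imported from servicetest, assuming the harness emits that event here as it does in gabbletest.py. A companion case with `'require-encryption': False` that reaches `cs.CONN_STATUS_CONNECTED` would show that the refusal is caused by the flag rather than by the test server. The existing FIXME about a more specific error remains relevant, because a distinct error code would let the assertion tell this refusal apart from an ordinary network failure.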