summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorent Le Coz <louiz@louiz.org>2015-11-02 03:26:13 +0100
committerFlorent Le Coz <louiz@louiz.org>2015-11-02 03:26:13 +0100
commitf928f7627247ceaafcf3538066ac17609b652aac (patch)
tree4f5740fb8150876a9eaad16c2339f3a338899ebf
parent7e07a17420117758ca319b5beab6440ff1d634f7 (diff)
downloadbiboumi-f928f7627247ceaafcf3538066ac17609b652aac.tar.gz
biboumi-f928f7627247ceaafcf3538066ac17609b652aac.tar.bz2
biboumi-f928f7627247ceaafcf3538066ac17609b652aac.tar.xz
biboumi-f928f7627247ceaafcf3538066ac17609b652aac.zip
Verify the remote TLS certificates using the system-wide trusted CAs
-rw-r--r--louloulibs/network/credentials_manager.cpp33
-rw-r--r--louloulibs/network/credentials_manager.hpp22
-rw-r--r--louloulibs/network/tcp_socket_handler.cpp12
-rw-r--r--louloulibs/network/tcp_socket_handler.hpp24
4 files changed, 63 insertions, 28 deletions
diff --git a/louloulibs/network/credentials_manager.cpp b/louloulibs/network/credentials_manager.cpp
new file mode 100644
index 0000000..77198a4
--- /dev/null
+++ b/louloulibs/network/credentials_manager.cpp
@@ -0,0 +1,33 @@
+#include <network/credentials_manager.hpp>
+#include <logger/logger.hpp>
+
+Basic_Credentials_Manager::Basic_Credentials_Manager():
+ Botan::Credentials_Manager()
+{
+ this->load_certs();
+}
+void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type,
+ const std::string& purported_hostname,
+ const std::vector<Botan::X509_Certificate>& certs)
+{
+ log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
+ Botan::Credentials_Manager::verify_certificate_chain(type, "louiz.org", certs);
+ log_debug("Certificate is valid");
+}
+void Basic_Credentials_Manager::load_certs()
+{
+ const std::vector<std::string> paths = {"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"};
+ for (const auto& path: paths)
+ {
+ Botan::DataSource_Stream bundle(path);
+ while (!bundle.end_of_data() && bundle.check_available(27))
+ {
+ const Botan::X509_Certificate cert(bundle);
+ this->certificate_store.add_certificate(cert);
+ }
+ }
+}
+std::vector<Botan::Certificate_Store*> Basic_Credentials_Manager::trusted_certificate_authorities(const std::string&, const std::string&)
+{
+ return {&this->certificate_store};
+}
diff --git a/louloulibs/network/credentials_manager.hpp b/louloulibs/network/credentials_manager.hpp
new file mode 100644
index 0000000..ea89eca
--- /dev/null
+++ b/louloulibs/network/credentials_manager.hpp
@@ -0,0 +1,22 @@
+#ifndef BIBOUMI_CREDENTIALS_MANAGER_HPP
+#define BIBOUMI_CREDENTIALS_MANAGER_HPP
+
+#include <botan/botan.h>
+#include <botan/tls_client.h>
+
+class Basic_Credentials_Manager: public Botan::Credentials_Manager
+{
+public:
+ Basic_Credentials_Manager();
+ void verify_certificate_chain(const std::string& type,
+ const std::string& purported_hostname,
+ const std::vector<Botan::X509_Certificate>&) override final;
+ std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(const std::string& type,
+ const std::string& context) override final;
+
+private:
+ void load_certs();
+ Botan::Certificate_Store_In_Memory certificate_store;
+};
+
+#endif //BIBOUMI_CREDENTIALS_MANAGER_HPP
diff --git a/louloulibs/network/tcp_socket_handler.cpp b/louloulibs/network/tcp_socket_handler.cpp
index f2a2466..81a36ef 100644
--- a/louloulibs/network/tcp_socket_handler.cpp
+++ b/louloulibs/network/tcp_socket_handler.cpp
@@ -19,7 +19,7 @@
# include <botan/tls_exceptn.h>
Botan::AutoSeeded_RNG TCPSocketHandler::rng;
-Permissive_Credentials_Manager TCPSocketHandler::credential_manager;
+Basic_Credentials_Manager TCPSocketHandler::credential_manager;
Botan::TLS::Policy TCPSocketHandler::policy;
Botan::TLS::Session_Manager_In_Memory TCPSocketHandler::session_manager(TCPSocketHandler::rng);
@@ -451,15 +451,7 @@ bool TCPSocketHandler::tls_handshake_cb(const Botan::TLS::Session& session)
void TCPSocketHandler::on_tls_activated()
{
- this->send_data("");
-}
-
-void Permissive_Credentials_Manager::verify_certificate_chain(const std::string& type,
- const std::string& purported_hostname,
- const std::vector<Botan::X509_Certificate>&)
-{ // TODO: Offer the admin to disallow connection on untrusted
- // certificates
- log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
+ this->send_data({});
}
#endif // BOTAN_FOUND
diff --git a/louloulibs/network/tcp_socket_handler.hpp b/louloulibs/network/tcp_socket_handler.hpp
index 997d575..d173c1f 100644
--- a/louloulibs/network/tcp_socket_handler.hpp
+++ b/louloulibs/network/tcp_socket_handler.hpp
@@ -1,9 +1,13 @@
#ifndef SOCKET_HANDLER_INCLUDED
# define SOCKET_HANDLER_INCLUDED
+#include "louloulibs.h"
+
#include <network/socket_handler.hpp>
#include <network/resolver.hpp>
+#include <network/credentials_manager.hpp>
+
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
@@ -13,23 +17,6 @@
#include <string>
#include <list>
-#include "louloulibs.h"
-
-#ifdef BOTAN_FOUND
-# include <botan/botan.h>
-# include <botan/tls_client.h>
-
-/**
- * A very simple credential manager that accepts any certificate.
- */
-class Permissive_Credentials_Manager: public Botan::Credentials_Manager
-{
-public:
- void verify_certificate_chain(const std::string& type,
- const std::string& purported_hostname,
- const std::vector<Botan::X509_Certificate>&);
-};
-#endif // BOTAN_FOUND
/**
* An interface, with a series of callbacks that should be implemented in
@@ -243,7 +230,7 @@ private:
* Botan stuff to manipulate a TLS session.
*/
static Botan::AutoSeeded_RNG rng;
- static Permissive_Credentials_Manager credential_manager;
+ static Basic_Credentials_Manager credential_manager;
static Botan::TLS::Policy policy;
static Botan::TLS::Session_Manager_In_Memory session_manager;
/**
@@ -267,3 +254,4 @@ private:
};
#endif // SOCKET_HANDLER_INCLUDED
+