summaryrefslogtreecommitdiff
path: root/louloulibs/network
diff options
context:
space:
mode:
authorFlorent Le Coz <louiz@louiz.org>2015-12-30 21:34:11 +0100
committerFlorent Le Coz <louiz@louiz.org>2016-01-04 13:47:27 +0100
commit1f8333f23f060750673d0b7c573f2e2d12142adf (patch)
treec6c92608402af2c5d89f39547bbeb4b9f76acd16 /louloulibs/network
parenta38b17692e0297cbd5d719f059bd0a1b6ef39fe4 (diff)
downloadbiboumi-1f8333f23f060750673d0b7c573f2e2d12142adf.tar.gz
biboumi-1f8333f23f060750673d0b7c573f2e2d12142adf.tar.bz2
biboumi-1f8333f23f060750673d0b7c573f2e2d12142adf.tar.xz
biboumi-1f8333f23f060750673d0b7c573f2e2d12142adf.zip
Support a trusted SHA1 fingerprint to be configured for each IRC server
Diffstat (limited to 'louloulibs/network')
-rw-r--r--louloulibs/network/credentials_manager.cpp15
-rw-r--r--louloulibs/network/credentials_manager.hpp2
-rw-r--r--louloulibs/network/tcp_socket_handler.hpp2
3 files changed, 18 insertions, 1 deletions
diff --git a/louloulibs/network/credentials_manager.cpp b/louloulibs/network/credentials_manager.cpp
index 57100ee..f92aef8 100644
--- a/louloulibs/network/credentials_manager.cpp
+++ b/louloulibs/network/credentials_manager.cpp
@@ -26,11 +26,17 @@ bool Basic_Credentials_Manager::certs_loaded = false;
Basic_Credentials_Manager::Basic_Credentials_Manager(const TCPSocketHandler* const socket_handler):
Botan::Credentials_Manager(),
- socket_handler(socket_handler)
+ socket_handler(socket_handler),
+ trusted_fingerprint{}
{
this->load_certs();
}
+void Basic_Credentials_Manager::set_trusted_fingerprint(const std::string& fingerprint)
+{
+ this->trusted_fingerprint = fingerprint;
+}
+
void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type,
const std::string& purported_hostname,
const std::vector<Botan::X509_Certificate>& certs)
@@ -44,6 +50,13 @@ void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type
catch (const std::exception& tls_exception)
{
log_warning("TLS certificate check failed: " << tls_exception.what());
+ if (!this->trusted_fingerprint.empty() && !certs.empty() &&
+ this->trusted_fingerprint == certs[0].fingerprint() &&
+ certs[0].matches_dns_name(purported_hostname))
+ // We trust the certificate, based on the trusted fingerprint and
+ // the fact that the hostname matches
+ return;
+
if (this->socket_handler->abort_on_invalid_cert())
throw;
}
diff --git a/louloulibs/network/credentials_manager.hpp b/louloulibs/network/credentials_manager.hpp
index e292321..dbd1d95 100644
--- a/louloulibs/network/credentials_manager.hpp
+++ b/louloulibs/network/credentials_manager.hpp
@@ -19,6 +19,7 @@ public:
const std::vector<Botan::X509_Certificate>&) override final;
std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(const std::string& type,
const std::string& context) override final;
+ void set_trusted_fingerprint(const std::string& fingerprint);
private:
const TCPSocketHandler* const socket_handler;
@@ -26,6 +27,7 @@ private:
static void load_certs();
static Botan::Certificate_Store_In_Memory certificate_store;
static bool certs_loaded;
+ std::string trusted_fingerprint;
};
#endif //BOTAN_FOUND
diff --git a/louloulibs/network/tcp_socket_handler.hpp b/louloulibs/network/tcp_socket_handler.hpp
index 9f5caa3..fb4195d 100644
--- a/louloulibs/network/tcp_socket_handler.hpp
+++ b/louloulibs/network/tcp_socket_handler.hpp
@@ -248,7 +248,9 @@ private:
static Botan::AutoSeeded_RNG rng;
static Botan::TLS::Policy policy;
static Botan::TLS::Session_Manager_In_Memory session_manager;
+protected:
Basic_Credentials_Manager credential_manager;
+private:
/**
* We use a unique_ptr because we may not want to create the object at
* all. The Botan::TLS::Client object generates a handshake message and