diff options
author | Florent Le Coz <louiz@louiz.org> | 2015-11-02 03:26:13 +0100 |
---|---|---|
committer | Florent Le Coz <louiz@louiz.org> | 2015-11-02 03:26:13 +0100 |
commit | f928f7627247ceaafcf3538066ac17609b652aac (patch) | |
tree | 4f5740fb8150876a9eaad16c2339f3a338899ebf /louloulibs | |
parent | 7e07a17420117758ca319b5beab6440ff1d634f7 (diff) | |
download | biboumi-f928f7627247ceaafcf3538066ac17609b652aac.tar.gz biboumi-f928f7627247ceaafcf3538066ac17609b652aac.tar.bz2 biboumi-f928f7627247ceaafcf3538066ac17609b652aac.tar.xz biboumi-f928f7627247ceaafcf3538066ac17609b652aac.zip |
Verify the remote TLS certificates using the system-wide trusted CAs
Diffstat (limited to 'louloulibs')
-rw-r--r-- | louloulibs/network/credentials_manager.cpp | 33 | ||||
-rw-r--r-- | louloulibs/network/credentials_manager.hpp | 22 | ||||
-rw-r--r-- | louloulibs/network/tcp_socket_handler.cpp | 12 | ||||
-rw-r--r-- | louloulibs/network/tcp_socket_handler.hpp | 24 |
4 files changed, 63 insertions, 28 deletions
diff --git a/louloulibs/network/credentials_manager.cpp b/louloulibs/network/credentials_manager.cpp new file mode 100644 index 0000000..77198a4 --- /dev/null +++ b/louloulibs/network/credentials_manager.cpp @@ -0,0 +1,33 @@ +#include <network/credentials_manager.hpp> +#include <logger/logger.hpp> + +Basic_Credentials_Manager::Basic_Credentials_Manager(): + Botan::Credentials_Manager() +{ + this->load_certs(); +} +void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type, + const std::string& purported_hostname, + const std::vector<Botan::X509_Certificate>& certs) +{ + log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname); + Botan::Credentials_Manager::verify_certificate_chain(type, "louiz.org", certs); + log_debug("Certificate is valid"); +} +void Basic_Credentials_Manager::load_certs() +{ + const std::vector<std::string> paths = {"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}; + for (const auto& path: paths) + { + Botan::DataSource_Stream bundle(path); + while (!bundle.end_of_data() && bundle.check_available(27)) + { + const Botan::X509_Certificate cert(bundle); + this->certificate_store.add_certificate(cert); + } + } +} +std::vector<Botan::Certificate_Store*> Basic_Credentials_Manager::trusted_certificate_authorities(const std::string&, const std::string&) +{ + return {&this->certificate_store}; +} diff --git a/louloulibs/network/credentials_manager.hpp b/louloulibs/network/credentials_manager.hpp new file mode 100644 index 0000000..ea89eca --- /dev/null +++ b/louloulibs/network/credentials_manager.hpp @@ -0,0 +1,22 @@ +#ifndef BIBOUMI_CREDENTIALS_MANAGER_HPP +#define BIBOUMI_CREDENTIALS_MANAGER_HPP + +#include <botan/botan.h> +#include <botan/tls_client.h> + +class Basic_Credentials_Manager: public Botan::Credentials_Manager +{ +public: + Basic_Credentials_Manager(); + void verify_certificate_chain(const std::string& type, + const std::string& purported_hostname, + const std::vector<Botan::X509_Certificate>&) override final; + std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(const std::string& type, + const std::string& context) override final; + +private: + void load_certs(); + Botan::Certificate_Store_In_Memory certificate_store; +}; + +#endif //BIBOUMI_CREDENTIALS_MANAGER_HPP diff --git a/louloulibs/network/tcp_socket_handler.cpp b/louloulibs/network/tcp_socket_handler.cpp index f2a2466..81a36ef 100644 --- a/louloulibs/network/tcp_socket_handler.cpp +++ b/louloulibs/network/tcp_socket_handler.cpp @@ -19,7 +19,7 @@ # include <botan/tls_exceptn.h> Botan::AutoSeeded_RNG TCPSocketHandler::rng; -Permissive_Credentials_Manager TCPSocketHandler::credential_manager; +Basic_Credentials_Manager TCPSocketHandler::credential_manager; Botan::TLS::Policy TCPSocketHandler::policy; Botan::TLS::Session_Manager_In_Memory TCPSocketHandler::session_manager(TCPSocketHandler::rng); @@ -451,15 +451,7 @@ bool TCPSocketHandler::tls_handshake_cb(const Botan::TLS::Session& session) void TCPSocketHandler::on_tls_activated() { - this->send_data(""); -} - -void Permissive_Credentials_Manager::verify_certificate_chain(const std::string& type, - const std::string& purported_hostname, - const std::vector<Botan::X509_Certificate>&) -{ // TODO: Offer the admin to disallow connection on untrusted - // certificates - log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname); + this->send_data({}); } #endif // BOTAN_FOUND diff --git a/louloulibs/network/tcp_socket_handler.hpp b/louloulibs/network/tcp_socket_handler.hpp index 997d575..d173c1f 100644 --- a/louloulibs/network/tcp_socket_handler.hpp +++ b/louloulibs/network/tcp_socket_handler.hpp @@ -1,9 +1,13 @@ #ifndef SOCKET_HANDLER_INCLUDED # define SOCKET_HANDLER_INCLUDED +#include "louloulibs.h" + #include <network/socket_handler.hpp> #include <network/resolver.hpp> +#include <network/credentials_manager.hpp> + #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> @@ -13,23 +17,6 @@ #include <string> #include <list> -#include "louloulibs.h" - -#ifdef BOTAN_FOUND -# include <botan/botan.h> -# include <botan/tls_client.h> - -/** - * A very simple credential manager that accepts any certificate. - */ -class Permissive_Credentials_Manager: public Botan::Credentials_Manager -{ -public: - void verify_certificate_chain(const std::string& type, - const std::string& purported_hostname, - const std::vector<Botan::X509_Certificate>&); -}; -#endif // BOTAN_FOUND /** * An interface, with a series of callbacks that should be implemented in @@ -243,7 +230,7 @@ private: * Botan stuff to manipulate a TLS session. */ static Botan::AutoSeeded_RNG rng; - static Permissive_Credentials_Manager credential_manager; + static Basic_Credentials_Manager credential_manager; static Botan::TLS::Policy policy; static Botan::TLS::Session_Manager_In_Memory session_manager; /** @@ -267,3 +254,4 @@ private: }; #endif // SOCKET_HANDLER_INCLUDED + |