From f928f7627247ceaafcf3538066ac17609b652aac Mon Sep 17 00:00:00 2001 From: Florent Le Coz Date: Mon, 2 Nov 2015 03:26:13 +0100 Subject: Verify the remote TLS certificates using the system-wide trusted CAs --- louloulibs/network/credentials_manager.cpp | 33 ++++++++++++++++++++++++++++++ louloulibs/network/credentials_manager.hpp | 22 ++++++++++++++++++++ louloulibs/network/tcp_socket_handler.cpp | 12 ++--------- louloulibs/network/tcp_socket_handler.hpp | 24 ++++++---------------- 4 files changed, 63 insertions(+), 28 deletions(-) create mode 100644 louloulibs/network/credentials_manager.cpp create mode 100644 louloulibs/network/credentials_manager.hpp (limited to 'louloulibs/network') diff --git a/louloulibs/network/credentials_manager.cpp b/louloulibs/network/credentials_manager.cpp new file mode 100644 index 0000000..77198a4 --- /dev/null +++ b/louloulibs/network/credentials_manager.cpp @@ -0,0 +1,33 @@ +#include +#include + +Basic_Credentials_Manager::Basic_Credentials_Manager(): + Botan::Credentials_Manager() +{ + this->load_certs(); +} +void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type, + const std::string& purported_hostname, + const std::vector& certs) +{ + log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname); + Botan::Credentials_Manager::verify_certificate_chain(type, "louiz.org", certs); + log_debug("Certificate is valid"); +} +void Basic_Credentials_Manager::load_certs() +{ + const std::vector paths = {"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}; + for (const auto& path: paths) + { + Botan::DataSource_Stream bundle(path); + while (!bundle.end_of_data() && bundle.check_available(27)) + { + const Botan::X509_Certificate cert(bundle); + this->certificate_store.add_certificate(cert); + } + } +} +std::vector Basic_Credentials_Manager::trusted_certificate_authorities(const std::string&, const std::string&) +{ + return {&this->certificate_store}; +} diff --git a/louloulibs/network/credentials_manager.hpp b/louloulibs/network/credentials_manager.hpp new file mode 100644 index 0000000..ea89eca --- /dev/null +++ b/louloulibs/network/credentials_manager.hpp @@ -0,0 +1,22 @@ +#ifndef BIBOUMI_CREDENTIALS_MANAGER_HPP +#define BIBOUMI_CREDENTIALS_MANAGER_HPP + +#include +#include + +class Basic_Credentials_Manager: public Botan::Credentials_Manager +{ +public: + Basic_Credentials_Manager(); + void verify_certificate_chain(const std::string& type, + const std::string& purported_hostname, + const std::vector&) override final; + std::vector trusted_certificate_authorities(const std::string& type, + const std::string& context) override final; + +private: + void load_certs(); + Botan::Certificate_Store_In_Memory certificate_store; +}; + +#endif //BIBOUMI_CREDENTIALS_MANAGER_HPP diff --git a/louloulibs/network/tcp_socket_handler.cpp b/louloulibs/network/tcp_socket_handler.cpp index f2a2466..81a36ef 100644 --- a/louloulibs/network/tcp_socket_handler.cpp +++ b/louloulibs/network/tcp_socket_handler.cpp @@ -19,7 +19,7 @@ # include Botan::AutoSeeded_RNG TCPSocketHandler::rng; -Permissive_Credentials_Manager TCPSocketHandler::credential_manager; +Basic_Credentials_Manager TCPSocketHandler::credential_manager; Botan::TLS::Policy TCPSocketHandler::policy; Botan::TLS::Session_Manager_In_Memory TCPSocketHandler::session_manager(TCPSocketHandler::rng); @@ -451,15 +451,7 @@ bool TCPSocketHandler::tls_handshake_cb(const Botan::TLS::Session& session) void TCPSocketHandler::on_tls_activated() { - this->send_data(""); -} - -void Permissive_Credentials_Manager::verify_certificate_chain(const std::string& type, - const std::string& purported_hostname, - const std::vector&) -{ // TODO: Offer the admin to disallow connection on untrusted - // certificates - log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname); + this->send_data({}); } #endif // BOTAN_FOUND diff --git a/louloulibs/network/tcp_socket_handler.hpp b/louloulibs/network/tcp_socket_handler.hpp index 997d575..d173c1f 100644 --- a/louloulibs/network/tcp_socket_handler.hpp +++ b/louloulibs/network/tcp_socket_handler.hpp @@ -1,9 +1,13 @@ #ifndef SOCKET_HANDLER_INCLUDED # define SOCKET_HANDLER_INCLUDED +#include "louloulibs.h" + #include #include +#include + #include #include #include @@ -13,23 +17,6 @@ #include #include -#include "louloulibs.h" - -#ifdef BOTAN_FOUND -# include -# include - -/** - * A very simple credential manager that accepts any certificate. - */ -class Permissive_Credentials_Manager: public Botan::Credentials_Manager -{ -public: - void verify_certificate_chain(const std::string& type, - const std::string& purported_hostname, - const std::vector&); -}; -#endif // BOTAN_FOUND /** * An interface, with a series of callbacks that should be implemented in @@ -243,7 +230,7 @@ private: * Botan stuff to manipulate a TLS session. */ static Botan::AutoSeeded_RNG rng; - static Permissive_Credentials_Manager credential_manager; + static Basic_Credentials_Manager credential_manager; static Botan::TLS::Policy policy; static Botan::TLS::Session_Manager_In_Memory session_manager; /** @@ -267,3 +254,4 @@ private: }; #endif // SOCKET_HANDLER_INCLUDED + -- cgit v1.2.3