From 7b3e0e0cf3eddd3537455a3605b04a48ee663f47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?louiz=E2=80=99?= <louiz@louiz.org>
Date: Sun, 30 Apr 2017 15:04:40 +0200
Subject: =?UTF-8?q?Make=20botan=E2=80=99s=20policy=20configurable=20from?=
 =?UTF-8?q?=20a=20file?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix #3244
---
 src/network/tcp_socket_handler.cpp | 14 ++++++-----
 src/network/tcp_socket_handler.hpp | 17 ++------------
 src/network/tls_policy.cpp         | 48 ++++++++++++++++++++++++++++++++++++++
 src/network/tls_policy.hpp         | 28 ++++++++++++++++++++++
 src/utils/dirname.cpp              | 16 +++++++++++++
 src/utils/dirname.hpp              |  6 +++++
 src/utils/xdg.hpp                  |  2 --
 7 files changed, 108 insertions(+), 23 deletions(-)
 create mode 100644 src/network/tls_policy.cpp
 create mode 100644 src/network/tls_policy.hpp
 create mode 100644 src/utils/dirname.cpp
 create mode 100644 src/utils/dirname.hpp

(limited to 'src')

diff --git a/src/network/tcp_socket_handler.cpp b/src/network/tcp_socket_handler.cpp
index 02265ec..1bd5315 100644
--- a/src/network/tcp_socket_handler.cpp
+++ b/src/network/tcp_socket_handler.cpp
@@ -14,6 +14,8 @@
 #ifdef BOTAN_FOUND
 # include <botan/hex.h>
 # include <botan/tls_exceptn.h>
+# include <config/config.hpp>
+# include <utils/dirname.hpp>
 
 namespace
 {
@@ -22,11 +24,6 @@ namespace
       static Botan::AutoSeeded_RNG rng{};
       return rng;
     }
-    BiboumiTLSPolicy& get_policy()
-    {
-      static BiboumiTLSPolicy policy{};
-      return policy;
-    }
     Botan::TLS::Session_Manager_In_Memory& get_session_manager()
     {
       static Botan::TLS::Session_Manager_In_Memory session_manager{get_rng()};
@@ -233,6 +230,11 @@ void TCPSocketHandler::consume_in_buffer(const std::size_t size)
 void TCPSocketHandler::start_tls(const std::string& address, const std::string& port)
 {
   Botan::TLS::Server_Information server_info(address, "irc", std::stoul(port));
+  auto policy_directory = Config::get("policy_directory", utils::dirname(Config::get_filename()));
+  if (!policy_directory.empty() && policy_directory[policy_directory.size()-1] != '/')
+    policy_directory += '/';
+  this->policy.load(policy_directory + "policy.txt");
+  this->policy.load(policy_directory + address + ".policy.txt");
   this->tls = std::make_unique<Botan::TLS::Client>(
 # if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,32)
       *this,
@@ -242,7 +244,7 @@ void TCPSocketHandler::start_tls(const std::string& address, const std::string&
       [this](Botan::TLS::Alert alert, const Botan::byte*, size_t) { this->tls_alert(alert); },
       [this](const Botan::TLS::Session& session) { return this->tls_session_established(session); },
 # endif
-      get_session_manager(), this->credential_manager, get_policy(),
+      get_session_manager(), this->credential_manager, this->policy,
       get_rng(), server_info, Botan::TLS::Protocol_Version::latest_tls_version());
 }
 
diff --git a/src/network/tcp_socket_handler.hpp b/src/network/tcp_socket_handler.hpp
index ba23861..f68698e 100644
--- a/src/network/tcp_socket_handler.hpp
+++ b/src/network/tcp_socket_handler.hpp
@@ -23,21 +23,7 @@
 # include <botan/types.h>
 # include <botan/botan.h>
 # include <botan/tls_session_manager.h>
-
-class BiboumiTLSPolicy: public Botan::TLS::Policy
-{
-public:
-# if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,33)
-  bool use_ecc_point_compression() const override
-  {
-    return true;
-  }
-  bool require_cert_revocation_info() const override
-  {
-    return false;
-  }
-# endif
-};
+# include <network/tls_policy.hpp>
 
 # if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,32)
 #  define BOTAN_TLS_CALLBACKS_OVERRIDE override final
@@ -230,6 +216,7 @@ protected:
 protected:
   BasicCredentialsManager credential_manager;
 private:
+  BiboumiTLSPolicy policy;
   /**
    * We use a unique_ptr because we may not want to create the object at
    * all. The Botan::TLS::Client object generates a handshake message and
diff --git a/src/network/tls_policy.cpp b/src/network/tls_policy.cpp
new file mode 100644
index 0000000..5439397
--- /dev/null
+++ b/src/network/tls_policy.cpp
@@ -0,0 +1,48 @@
+#include "biboumi.h"
+
+#ifdef BOTAN_FOUND
+
+#include <fstream>
+
+#include <utils/tolower.hpp>
+
+#include <network/tls_policy.hpp>
+#include <logger/logger.hpp>
+
+bool BiboumiTLSPolicy::load(const std::string& filename)
+{
+  std::ifstream is(filename.data());
+  if (is)
+    {
+      try {
+          this->load(is);
+          log_info("Successfully loaded policy file: ", filename);
+          return true;
+        } catch (const Botan::Exception& e) {
+          log_error("Failed to parse policy_file ", filename, ": ", e.what());
+          return false;
+        }
+    }
+  log_info("Could not open policy file: ", filename);
+  return false;
+}
+
+void BiboumiTLSPolicy::load(std::istream& is)
+{
+  const auto dict = Botan::read_cfg(is);
+  for (const auto& pair: dict)
+    {
+      // Workaround for options that are not overridden in Botan::TLS::Text_Policy
+      if (pair.first == "require_cert_revocation_info")
+        this->req_cert_revocation_info = !(pair.second == "0" || utils::tolower(pair.second) == "false");
+      else
+        this->set(pair.first, pair.second);
+    }
+}
+
+bool BiboumiTLSPolicy::require_cert_revocation_info() const
+{
+  return this->req_cert_revocation_info;
+}
+
+#endif
diff --git a/src/network/tls_policy.hpp b/src/network/tls_policy.hpp
new file mode 100644
index 0000000..29fd2b3
--- /dev/null
+++ b/src/network/tls_policy.hpp
@@ -0,0 +1,28 @@
+#pragma once
+
+#include "biboumi.h"
+
+#ifdef BOTAN_FOUND
+
+#include <botan/tls_policy.h>
+
+class BiboumiTLSPolicy: public Botan::TLS::Text_Policy
+{
+public:
+  BiboumiTLSPolicy():
+      Botan::TLS::Text_Policy({})
+  {}
+  bool load(const std::string& filename);
+  void load(std::istream& iss);
+
+  BiboumiTLSPolicy(const BiboumiTLSPolicy &) = delete;
+  BiboumiTLSPolicy(BiboumiTLSPolicy &&) = delete;
+  BiboumiTLSPolicy &operator=(const BiboumiTLSPolicy &) = delete;
+  BiboumiTLSPolicy &operator=(BiboumiTLSPolicy &&) = delete;
+
+  bool require_cert_revocation_info() const override;
+protected:
+  bool req_cert_revocation_info{true};
+};
+
+#endif
diff --git a/src/utils/dirname.cpp b/src/utils/dirname.cpp
new file mode 100644
index 0000000..71c9c38
--- /dev/null
+++ b/src/utils/dirname.cpp
@@ -0,0 +1,16 @@
+#include <utils/dirname.hpp>
+
+namespace utils
+{
+    std::string dirname(const std::string filename)
+    {
+      if (filename.empty())
+        return "./";
+      if (filename == ".." || filename == ".")
+        return filename;
+      auto pos = filename.rfind('/');
+      if (pos == std::string::npos)
+        return "./";
+      return filename.substr(0, pos + 1);
+    }
+}
diff --git a/src/utils/dirname.hpp b/src/utils/dirname.hpp
new file mode 100644
index 0000000..c1df81b
--- /dev/null
+++ b/src/utils/dirname.hpp
@@ -0,0 +1,6 @@
+#include <string>
+
+namespace utils
+{
+std::string dirname(const std::string filename);
+}
diff --git a/src/utils/xdg.hpp b/src/utils/xdg.hpp
index 56e11da..7be6922 100644
--- a/src/utils/xdg.hpp
+++ b/src/utils/xdg.hpp
@@ -10,5 +10,3 @@
  */
 std::string xdg_config_path(const std::string& filename);
 std::string xdg_data_path(const std::string& filename);
-
-
-- 
cgit v1.2.3