~singpolyma/biboumi

f928f7627247ceaafcf3538066ac17609b652aac — Florent Le Coz 9 years ago 7e07a17
Verify the remote TLS certificates using the system-wide trusted CAs
A louloulibs/network/credentials_manager.cpp => louloulibs/network/credentials_manager.cpp +33 -0
@@ 0,0 1,33 @@
#include <network/credentials_manager.hpp>
#include <logger/logger.hpp>

Basic_Credentials_Manager::Basic_Credentials_Manager():
    Botan::Credentials_Manager()
{
  this->load_certs();
}
void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type,
                                                         const std::string& purported_hostname,
                                                         const std::vector<Botan::X509_Certificate>& certs)
{
  log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
  Botan::Credentials_Manager::verify_certificate_chain(type, "louiz.org", certs);
  log_debug("Certificate is valid");
}
void Basic_Credentials_Manager::load_certs()
{
  const std::vector<std::string> paths = {"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"};
  for (const auto& path: paths)
    {
      Botan::DataSource_Stream bundle(path);
      while (!bundle.end_of_data() && bundle.check_available(27))
        {
          const Botan::X509_Certificate cert(bundle);
          this->certificate_store.add_certificate(cert);
        }
    }
}
std::vector<Botan::Certificate_Store*> Basic_Credentials_Manager::trusted_certificate_authorities(const std::string&, const std::string&)
{
  return {&this->certificate_store};
}

A louloulibs/network/credentials_manager.hpp => louloulibs/network/credentials_manager.hpp +22 -0
@@ 0,0 1,22 @@
#ifndef BIBOUMI_CREDENTIALS_MANAGER_HPP
#define BIBOUMI_CREDENTIALS_MANAGER_HPP

#include <botan/botan.h>
#include <botan/tls_client.h>

class Basic_Credentials_Manager: public Botan::Credentials_Manager
{
public:
  Basic_Credentials_Manager();
  void verify_certificate_chain(const std::string& type,
                                const std::string& purported_hostname,
                                const std::vector<Botan::X509_Certificate>&) override final;
  std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(const std::string& type,
                                                                         const std::string& context) override final;

private:
  void load_certs();
  Botan::Certificate_Store_In_Memory certificate_store;
};

#endif //BIBOUMI_CREDENTIALS_MANAGER_HPP

M louloulibs/network/tcp_socket_handler.cpp => louloulibs/network/tcp_socket_handler.cpp +2 -10
@@ 19,7 19,7 @@
# include <botan/tls_exceptn.h>

Botan::AutoSeeded_RNG TCPSocketHandler::rng;
Permissive_Credentials_Manager TCPSocketHandler::credential_manager;
Basic_Credentials_Manager TCPSocketHandler::credential_manager;
Botan::TLS::Policy TCPSocketHandler::policy;
Botan::TLS::Session_Manager_In_Memory TCPSocketHandler::session_manager(TCPSocketHandler::rng);



@@ 451,15 451,7 @@ bool TCPSocketHandler::tls_handshake_cb(const Botan::TLS::Session& session)

void TCPSocketHandler::on_tls_activated()
{
  this->send_data("");
}

void Permissive_Credentials_Manager::verify_certificate_chain(const std::string& type,
                                                              const std::string& purported_hostname,
                                                              const std::vector<Botan::X509_Certificate>&)
{ // TODO: Offer the admin to disallow connection on untrusted
  // certificates
  log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
  this->send_data({});
}

#endif // BOTAN_FOUND

M louloulibs/network/tcp_socket_handler.hpp => louloulibs/network/tcp_socket_handler.hpp +6 -18
@@ 1,9 1,13 @@
#ifndef SOCKET_HANDLER_INCLUDED
# define SOCKET_HANDLER_INCLUDED

#include "louloulibs.h"

#include <network/socket_handler.hpp>
#include <network/resolver.hpp>

#include <network/credentials_manager.hpp>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>


@@ 13,23 17,6 @@
#include <string>
#include <list>

#include "louloulibs.h"

#ifdef BOTAN_FOUND
# include <botan/botan.h>
# include <botan/tls_client.h>

/**
 * A very simple credential manager that accepts any certificate.
 */
class Permissive_Credentials_Manager: public Botan::Credentials_Manager
{
public:
  void verify_certificate_chain(const std::string& type,
                                const std::string& purported_hostname,
                                const std::vector<Botan::X509_Certificate>&);
};
#endif // BOTAN_FOUND

/**
 * An interface, with a series of callbacks that should be implemented in


@@ 243,7 230,7 @@ private:
   * Botan stuff to manipulate a TLS session.
   */
  static Botan::AutoSeeded_RNG rng;
  static Permissive_Credentials_Manager credential_manager;
  static Basic_Credentials_Manager credential_manager;
  static Botan::TLS::Policy policy;
  static Botan::TLS::Session_Manager_In_Memory session_manager;
  /**


@@ 267,3 254,4 @@ private:
};

#endif // SOCKET_HANDLER_INCLUDED