Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
biboumi
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
88
Issues
88
List
Boards
Labels
Service Desk
Milestones
Merge Requests
7
Merge Requests
7
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Packages & Registries
Packages & Registries
Container Registry
Analytics
Analytics
CI / CD
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
louiz’
biboumi
Commits
cb79fc1b
Commit
cb79fc1b
authored
Dec 04, 2016
by
louiz’
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Update the verify_certificate_chain code to work with botan >= 1.11.34 as well
ref
#3245
parent
395297e4
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
76 additions
and
8 deletions
+76
-8
louloulibs/network/credentials_manager.cpp
louloulibs/network/credentials_manager.cpp
+27
-8
louloulibs/network/credentials_manager.hpp
louloulibs/network/credentials_manager.hpp
+15
-0
louloulibs/network/tcp_socket_handler.cpp
louloulibs/network/tcp_socket_handler.cpp
+25
-0
louloulibs/network/tcp_socket_handler.hpp
louloulibs/network/tcp_socket_handler.hpp
+9
-0
No files found.
louloulibs/network/credentials_manager.cpp
View file @
cb79fc1b
...
...
@@ -37,6 +37,28 @@ void BasicCredentialsManager::set_trusted_fingerprint(const std::string& fingerp
this
->
trusted_fingerprint
=
fingerprint
;
}
const
std
::
string
&
BasicCredentialsManager
::
get_trusted_fingerprint
()
const
{
return
this
->
trusted_fingerprint
;
}
void
check_tls_certificate
(
const
std
::
vector
<
Botan
::
X509_Certificate
>&
certs
,
const
std
::
string
&
hostname
,
const
std
::
string
&
trusted_fingerprint
,
std
::
exception_ptr
exc
)
{
if
(
!
trusted_fingerprint
.
empty
()
&&
!
certs
.
empty
()
&&
trusted_fingerprint
==
certs
[
0
].
fingerprint
()
&&
certs
[
0
].
matches_dns_name
(
hostname
))
// We trust the certificate, based on the trusted fingerprint and
// the fact that the hostname matches
return
;
if
(
exc
)
std
::
rethrow_exception
(
exc
);
}
#if BOTAN_VERSION_CODE < BOTAN_VERSION_CODE_FOR(1,11,34)
void
BasicCredentialsManager
::
verify_certificate_chain
(
const
std
::
string
&
type
,
const
std
::
string
&
purported_hostname
,
const
std
::
vector
<
Botan
::
X509_Certificate
>&
certs
)
...
...
@@ -50,17 +72,14 @@ void BasicCredentialsManager::verify_certificate_chain(const std::string& type,
catch
(
const
std
::
exception
&
tls_exception
)
{
log_warning
(
"TLS certificate check failed: "
,
tls_exception
.
what
());
if
(
!
this
->
trusted_fingerprint
.
empty
()
&&
!
certs
.
empty
()
&&
this
->
trusted_fingerprint
==
certs
[
0
].
fingerprint
()
&&
certs
[
0
].
matches_dns_name
(
purported_hostname
))
// We trust the certificate, based on the trusted fingerprint and
// the fact that the hostname matches
return
;
std
::
exception_ptr
exception_ptr
{};
if
(
this
->
socket_handler
->
abort_on_invalid_cert
())
throw
;
exception_ptr
=
std
::
current_exception
();
check_tls_certificate
(
certs
,
purported_hostname
,
this
->
trusted_fingerprint
,
exception_ptr
);
}
}
#endif
bool
BasicCredentialsManager
::
try_to_open_one_ca_bundle
(
const
std
::
vector
<
std
::
string
>&
paths
)
{
...
...
louloulibs/network/credentials_manager.hpp
View file @
cb79fc1b
...
...
@@ -9,6 +9,18 @@
class
TCPSocketHandler
;
/**
* If the given cert isn’t valid, based on the given hostname
* and fingerprint, then throws the exception if it’s non-empty.
*
* Must be called after the standard (from Botan) way of
* checking the certificate, if we want to also accept certificates based
* on a trusted fingerprint.
*/
void
check_tls_certificate
(
const
std
::
vector
<
Botan
::
X509_Certificate
>&
certs
,
const
std
::
string
&
hostname
,
const
std
::
string
&
trusted_fingerprint
,
std
::
exception_ptr
exc
);
class
BasicCredentialsManager
:
public
Botan
::
Credentials_Manager
{
public:
...
...
@@ -19,12 +31,15 @@ public:
BasicCredentialsManager
&
operator
=
(
const
BasicCredentialsManager
&
)
=
delete
;
BasicCredentialsManager
&
operator
=
(
BasicCredentialsManager
&&
)
=
delete
;
#if BOTAN_VERSION_CODE < BOTAN_VERSION_CODE_FOR(1,11,34)
void
verify_certificate_chain
(
const
std
::
string
&
type
,
const
std
::
string
&
purported_hostname
,
const
std
::
vector
<
Botan
::
X509_Certificate
>&
)
override
final
;
#endif
std
::
vector
<
Botan
::
Certificate_Store
*>
trusted_certificate_authorities
(
const
std
::
string
&
type
,
const
std
::
string
&
context
)
override
final
;
void
set_trusted_fingerprint
(
const
std
::
string
&
fingerprint
);
const
std
::
string
&
get_trusted_fingerprint
()
const
;
private:
const
TCPSocketHandler
*
const
socket_handler
;
...
...
louloulibs/network/tcp_socket_handler.cpp
View file @
cb79fc1b
...
...
@@ -509,6 +509,31 @@ bool TCPSocketHandler::tls_session_established(const Botan::TLS::Session& sessio
return
true
;
}
#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,34)
void
TCPSocketHandler
::
tls_verify_cert_chain
(
const
std
::
vector
<
Botan
::
X509_Certificate
>&
cert_chain
,
const
std
::
vector
<
std
::
shared_ptr
<
const
Botan
::
OCSP
::
Response
>>&
ocsp_responses
,
const
std
::
vector
<
Botan
::
Certificate_Store
*>&
trusted_roots
,
Botan
::
Usage_Type
usage
,
const
std
::
string
&
hostname
,
const
Botan
::
TLS
::
Policy
&
policy
)
{
log_debug
(
"Checking remote certificate for hostname "
,
hostname
);
try
{
Botan
::
TLS
::
Callbacks
::
tls_verify_cert_chain
(
cert_chain
,
ocsp_responses
,
trusted_roots
,
usage
,
hostname
,
policy
);
log_debug
(
"Certificate is valid"
);
}
catch
(
const
std
::
exception
&
tls_exception
)
{
log_warning
(
"TLS certificate check failed: "
,
tls_exception
.
what
());
std
::
exception_ptr
exception_ptr
{};
if
(
this
->
abort_on_invalid_cert
())
exception_ptr
=
std
::
current_exception
();
check_tls_certificate
(
cert_chain
,
hostname
,
this
->
credential_manager
.
get_trusted_fingerprint
(),
exception_ptr
);
}
}
#endif
void
TCPSocketHandler
::
on_tls_activated
()
{
this
->
send_data
({});
...
...
louloulibs/network/tcp_socket_handler.hpp
View file @
cb79fc1b
...
...
@@ -196,6 +196,15 @@ private:
* anything here appart from logging the TLS session information.
*/
bool
tls_session_established
(
const
Botan
::
TLS
::
Session
&
session
)
BOTAN_TLS_CALLBACKS_OVERRIDE
;
#if BOTAN_VERSION_CODE >= BOTAN_VERSION_CODE_FOR(1,11,34)
void
tls_verify_cert_chain
(
const
std
::
vector
<
Botan
::
X509_Certificate
>&
cert_chain
,
const
std
::
vector
<
std
::
shared_ptr
<
const
Botan
::
OCSP
::
Response
>>&
ocsp_responses
,
const
std
::
vector
<
Botan
::
Certificate_Store
*>&
trusted_roots
,
Botan
::
Usage_Type
usage
,
const
std
::
string
&
hostname
,
const
Botan
::
TLS
::
Policy
&
policy
)
BOTAN_TLS_CALLBACKS_OVERRIDE
;
#endif
/**
* Called whenever the tls session goes from inactive to active. This
* means that the handshake has just been successfully done, and we can
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment