Commit f928f762 authored by louiz’'s avatar louiz’

Verify the remote TLS certificates using the system-wide trusted CAs

parent 7e07a174
#include <network/credentials_manager.hpp>
#include <logger/logger.hpp>
Basic_Credentials_Manager::Basic_Credentials_Manager():
Botan::Credentials_Manager()
{
this->load_certs();
}
void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type,
const std::string& purported_hostname,
const std::vector<Botan::X509_Certificate>& certs)
{
log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
Botan::Credentials_Manager::verify_certificate_chain(type, "louiz.org", certs);
log_debug("Certificate is valid");
}
void Basic_Credentials_Manager::load_certs()
{
const std::vector<std::string> paths = {"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"};
for (const auto& path: paths)
{
Botan::DataSource_Stream bundle(path);
while (!bundle.end_of_data() && bundle.check_available(27))
{
const Botan::X509_Certificate cert(bundle);
this->certificate_store.add_certificate(cert);
}
}
}
std::vector<Botan::Certificate_Store*> Basic_Credentials_Manager::trusted_certificate_authorities(const std::string&, const std::string&)
{
return {&this->certificate_store};
}
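Review bot: verify_certificate_chain validates the chain against the fixed hostname "louiz.org" on the line after the log_debug, rather than the `purported_hostname` it receives and logs, so a certificate issued for louiz.org is accepted for every remote host and a correct certificate for any other host is rejected. Pass the parameter through, `Botan::Credentials_Manager::verify_certificate_chain(type, purported_hostname, certs);`, noting that hostname matching only happens if the TLS client is constructed with the server name in its Server_Information, which is outside this page. Separately, load_certs reads a single bundle path that is the Fedora/RHEL layout; other distributions keep their CA bundle elsewhere, so the `paths` list should carry the other common locations (or be configurable) and each path should be skipped with a log line when it cannot be opened rather than aborting the loop. The `27` in `check_available(27)` is a magic number; give it a named constant with a comment saying why that many bytes is the minimum worth attempting a certificate read on.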
#ifndef BIBOUMI_CREDENTIALS_MANAGER_HPP
#define BIBOUMI_CREDENTIALS_MANAGER_HPP
#include <botan/botan.h>
#include <botan/tls_client.h>
class Basic_Credentials_Manager: public Botan::Credentials_Manager
{
public:
Basic_Credentials_Manager();
void verify_certificate_chain(const std::string& type,
const std::string& purported_hostname,
const std::vector<Botan::X509_Certificate>&) override final;
std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(const std::string& type,
const std::string& context) override final;
private:
void load_certs();
Botan::Certificate_Store_In_Memory certificate_store;
};
#endif //BIBOUMI_CREDENTIALS_MANAGER_HPP
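Review bot: Basic_Credentials_Manager has no class comment, whereas the Permissive_Credentials_Manager it replaces documented its trust policy in a doc block; the name alone says nothing about where trust comes from, so add above the class `/** A credential manager that verifies remote certificate chains against the CA bundle loaded from the system trust store by load_certs(). */`. It would also help to state on verify_certificate_chain that it delegates to Botan's implementation and reports a failed chain by exception rather than a return value (confirm against the Botan version in use), and on the constructor that it reads the bundle file eagerly, since callers with a static instance pay that cost at startup. The header uses std::string and std::vector but includes neither <string> nor <vector> directly, relying on the Botan headers to pull them in.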
......@@ -19,7 +19,7 @@
# include <botan/tls_exceptn.h>
Botan::AutoSeeded_RNG TCPSocketHandler::rng;
Permissive_Credentials_Manager TCPSocketHandler::credential_manager;
Basic_Credentials_Manager TCPSocketHandler::credential_manager;
Botan::TLS::Policy TCPSocketHandler::policy;
Botan::TLS::Session_Manager_In_Memory TCPSocketHandler::session_manager(TCPSocketHandler::rng);
......@@ -451,15 +451,7 @@ bool TCPSocketHandler::tls_handshake_cb(const Botan::TLS::Session& session)
void TCPSocketHandler::on_tls_activated()
{
this->send_data("");
}
void Permissive_Credentials_Manager::verify_certificate_chain(const std::string& type,
const std::string& purported_hostname,
const std::vector<Botan::X509_Certificate>&)
{ // TODO: Offer the admin to disallow connection on untrusted
// certificates
log_debug("Checking remote certificate (" << type << ") for hostname " << purported_hostname);
this->send_data({});
}
#endif // BOTAN_FOUND
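Review bot: The new static definition `Basic_Credentials_Manager TCPSocketHandler::credential_manager;` runs the manager's constructor, and with it load_certs and its file open, during static initialization before main. In the Botan releases I know of, the DataSource_Stream constructor throws when the file cannot be opened (confirm for the version in use), so on a host where the hard-coded bundle path is absent the process terminates before main without a log line. Consider constructing the manager lazily, for example through an accessor with a function-local static, so the failure can be caught and reported, or have load_certs catch the open error itself. With the permissive verify removed, Botan now signals a rejected chain by throwing out of received_data; the `<botan/tls_exceptn.h>` include suggests the caller handles that, but that code is outside this hunk, so check that the exception is logged and closes the connection rather than escaping.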
#ifndef SOCKET_HANDLER_INCLUDED
# define SOCKET_HANDLER_INCLUDED
#include "louloulibs.h"
#include <network/socket_handler.hpp>
#include <network/resolver.hpp>
#include <network/credentials_manager.hpp>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
......@@ -13,23 +17,6 @@
#include <string>
#include <list>
#include "louloulibs.h"
#ifdef BOTAN_FOUND
# include <botan/botan.h>
# include <botan/tls_client.h>
/**
* A very simple credential manager that accepts any certificate.
*/
class Permissive_Credentials_Manager: public Botan::Credentials_Manager
{
public:
void verify_certificate_chain(const std::string& type,
const std::string& purported_hostname,
const std::vector<Botan::X509_Certificate>&);
};
#endif // BOTAN_FOUND
/**
* An interface, with a series of callbacks that should be implemented in
......@@ -243,7 +230,7 @@ private:
* Botan stuff to manipulate a TLS session.
*/
static Botan::AutoSeeded_RNG rng;
static Permissive_Credentials_Manager credential_manager;
static Basic_Credentials_Manager credential_manager;
static Botan::TLS::Policy policy;
static Botan::TLS::Session_Manager_In_Memory session_manager;
/**
......@@ -267,3 +254,4 @@ private:
};
#endif // SOCKET_HANDLER_INCLUDED
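Review bot: `#include <network/credentials_manager.hpp>` is added unconditionally near the top of the header, but credentials_manager.hpp includes <botan/botan.h> and <botan/tls_client.h> unconditionally, whereas the Permissive_Credentials_Manager it replaces was only declared under `#ifdef BOTAN_FOUND`. A build without Botan, which this header still appears to support given its remaining BOTAN_FOUND guards, would now fail on the missing Botan headers. Since "louloulibs.h" is included just before and presumably provides BOTAN_FOUND, guard the include: `#ifdef BOTAN_FOUND` / `# include <network/credentials_manager.hpp>` / `#endif`, or move the guard inside credentials_manager.hpp itself. The `static Basic_Credentials_Manager credential_manager;` member presumably sits inside the existing BOTAN_FOUND block, as its predecessor did, but that block's boundaries are outside this hunk.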