f928f762
Commit
f928f762
authored
Nov 02, 2015
by
louiz’
Verify the remote TLS certificates using the system-wide trusted CAs
parent
7e07a174
Changes
4
Showing
4 changed files
with
63 additions
and
28 deletions
+63
-28
louloulibs/network/credentials_manager.cpp
louloulibs/network/credentials_manager.cpp
+33
-0
louloulibs/network/credentials_manager.hpp
louloulibs/network/credentials_manager.hpp
+22
-0
louloulibs/network/tcp_socket_handler.cpp
louloulibs/network/tcp_socket_handler.cpp
+2
-10
louloulibs/network/tcp_socket_handler.hpp
louloulibs/network/tcp_socket_handler.hpp
+6
-18
louloulibs/network/credentials_manager.cpp
0 → 100644
#include <network/credentials_manager.hpp>
#include <logger/logger.hpp>
Basic_Credentials_Manager
::
Basic_Credentials_Manager
()
:
Botan
::
Credentials_Manager
()
{
this
->
load_certs
();
}
void
Basic_Credentials_Manager
::
verify_certificate_chain
(
const
std
::
string
&
type
,
const
std
::
string
&
purported_hostname
,
const
std
::
vector
<
Botan
::
X509_Certificate
>&
certs
)
{
log_debug
(
"Checking remote certificate ("
<<
type
<<
") for hostname "
<<
purported_hostname
);
Botan
::
Credentials_Manager
::
verify_certificate_chain
(
type
,
"louiz.org"
,
certs
);
log_debug
(
"Certificate is valid"
);
}
void
Basic_Credentials_Manager
::
load_certs
()
{
const
std
::
vector
<
std
::
string
>
paths
=
{
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
};
for
(
const
auto
&
path
:
paths
)
{
Botan
::
DataSource_Stream
bundle
(
path
);
while
(
!
bundle
.
end_of_data
()
&&
bundle
.
check_available
(
27
))
{
const
Botan
::
X509_Certificate
cert
(
bundle
);
this
->
certificate_store
.
add_certificate
(
cert
);
}
}
}
std
::
vector
<
Botan
::
Certificate_Store
*>
Basic_Credentials_Manager
::
trusted_certificate_authorities
(
const
std
::
string
&
,
const
std
::
string
&
)
{
return
{
&
this
->
certificate_store
};
}
louloulibs/network/credentials_manager.hpp
0 → 100644
#ifndef BIBOUMI_CREDENTIALS_MANAGER_HPP
#define BIBOUMI_CREDENTIALS_MANAGER_HPP
#include <botan/botan.h>
#include <botan/tls_client.h>
class
Basic_Credentials_Manager
:
public
Botan
::
Credentials_Manager
{
public:
Basic_Credentials_Manager
();
void
verify_certificate_chain
(
const
std
::
string
&
type
,
const
std
::
string
&
purported_hostname
,
const
std
::
vector
<
Botan
::
X509_Certificate
>&
)
override
final
;
std
::
vector
<
Botan
::
Certificate_Store
*>
trusted_certificate_authorities
(
const
std
::
string
&
type
,
const
std
::
string
&
context
)
override
final
;
private:
void
load_certs
();
Botan
::
Certificate_Store_In_Memory
certificate_store
;
};
#endif //BIBOUMI_CREDENTIALS_MANAGER_HPP
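Review bot: Basic_Credentials_Manager has no class comment, whereas the Permissive_Credentials_Manager it replaces carried one describing its policy; add one above the class such as `/** Credentials manager that verifies remote certificate chains against the system-wide trusted CA bundle loaded by load_certs(). */`, and mark the member with `// Trusted CAs, filled once by the constructor via load_certs()`. The header also includes `<botan/botan.h>` unconditionally while the rest of the network code keeps Botan usage behind BOTAN_FOUND, so it may be worth wrapping the class in the same `#ifdef BOTAN_FOUND` guard to keep Botan-less builds compiling.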
louloulibs/network/tcp_socket_handler.cpp
...
...
@@ -19,7 +19,7 @@
# include <botan/tls_exceptn.h>
Botan
::
AutoSeeded_RNG
TCPSocketHandler
::
rng
;
Permissive
_Credentials_Manager
TCPSocketHandler
::
credential_manager
;
Basic
_Credentials_Manager
TCPSocketHandler
::
credential_manager
;
Botan
::
TLS
::
Policy
TCPSocketHandler
::
policy
;
Botan
::
TLS
::
Session_Manager_In_Memory
TCPSocketHandler
::
session_manager
(
TCPSocketHandler
::
rng
);
...
...
@@ -451,15 +451,7 @@ bool TCPSocketHandler::tls_handshake_cb(const Botan::TLS::Session& session)
void
TCPSocketHandler
::
on_tls_activated
()
{
this
->
send_data
(
""
);
}
void
Permissive_Credentials_Manager
::
verify_certificate_chain
(
const
std
::
string
&
type
,
const
std
::
string
&
purported_hostname
,
const
std
::
vector
<
Botan
::
X509_Certificate
>&
)
{
// TODO: Offer the admin to disallow connection on untrusted
// certificates
log_debug
(
"Checking remote certificate ("
<<
type
<<
") for hostname "
<<
purported_hostname
);
this
->
send_data
({});
}
#endif // BOTAN_FOUND
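Review bot: `Basic_Credentials_Manager TCPSocketHandler::credential_manager;` is a namespace-scope static, so its constructor — and with it load_certs(), which opens and parses the CA bundle from disk — now runs during static initialization, before main(). If opening the bundle or parsing a certificate throws (whether Botan does so is not visible in this hunk), the exception cannot be caught, the process terminates before any logging is set up, and static initialization order relative to the logger used by log_debug is unspecified. Consider constructing the manager lazily, e.g. behind a function-local static returned by a `credential_manager()` accessor, or at least document on the definition that certificate loading happens at program start and what a failure looks like.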
louloulibs/network/tcp_socket_handler.hpp
#ifndef SOCKET_HANDLER_INCLUDED
# define SOCKET_HANDLER_INCLUDED
#include "louloulibs.h"
#include <network/socket_handler.hpp>
#include <network/resolver.hpp>
#include <network/credentials_manager.hpp>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
...
...
@@ -13,23 +17,6 @@
#include <string>
#include <list>
#include "louloulibs.h"
#ifdef BOTAN_FOUND
# include <botan/botan.h>
# include <botan/tls_client.h>
/**
* A very simple credential manager that accepts any certificate.
*/
class
Permissive_Credentials_Manager
:
public
Botan
::
Credentials_Manager
{
public:
void
verify_certificate_chain
(
const
std
::
string
&
type
,
const
std
::
string
&
purported_hostname
,
const
std
::
vector
<
Botan
::
X509_Certificate
>&
);
};
#endif // BOTAN_FOUND
/**
* An interface, with a series of callbacks that should be implemented in
...
...
@@ -243,7 +230,7 @@ private:
* Botan stuff to manipulate a TLS session.
*/
static
Botan
::
AutoSeeded_RNG
rng
;
static
Permissive
_Credentials_Manager
credential_manager
;
static
Basic
_Credentials_Manager
credential_manager
;
static
Botan
::
TLS
::
Policy
policy
;
static
Botan
::
TLS
::
Session_Manager_In_Memory
session_manager
;
/**
...
...
@@ -267,3 +254,4 @@ private:
};
#endif // SOCKET_HANDLER_INCLUDED
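Review bot: `#include <network/credentials_manager.hpp>` is added outside any guard, yet that header pulls in `<botan/botan.h>` and `<botan/tls_client.h>` while this file's Botan-dependent members stay under `#ifdef BOTAN_FOUND` (the removed Permissive_Credentials_Manager lived inside that guard); a build configured without Botan will now fail at the include. Wrap it in the existing guard: `#ifdef BOTAN_FOUND` / `# include <network/credentials_manager.hpp>` / `#endif`. `#include "louloulibs.h"` also appears both in the new include block and in the surviving block further down; if both are on the new side, the second is redundant.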