diff options
| author | lloyd <[email protected]> | 2010-09-17 13:55:23 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2010-09-17 13:55:23 +0000 |
| commit | 8fa7d0b4f91eec572d8b2971d87e68741d1cd330 (patch) | |
| tree | 6caf8dfc00dadc1000c73c3cf875430474153425 | |
| parent | c037226de0af018187d03e7caaf6acb754fe1039 (diff) | |
Require a TLS_Policy
| -rw-r--r-- | src/ssl/hello.cpp | 19 | ||||
| -rw-r--r-- | src/ssl/tls_client.cpp | 34 | ||||
| -rw-r--r-- | src/ssl/tls_client.h | 23 | ||||
| -rw-r--r-- | src/ssl/tls_magic.h | 1 | ||||
| -rw-r--r-- | src/ssl/tls_messages.h | 4 | ||||
| -rw-r--r-- | src/ssl/tls_policy.cpp | 3 | ||||
| -rw-r--r-- | src/ssl/tls_policy.h | 5 | ||||
| -rw-r--r-- | src/ssl/tls_server.cpp | 25 | ||||
| -rw-r--r-- | src/ssl/tls_server.h | 10 |
9 files changed, 60 insertions, 64 deletions
diff --git a/src/ssl/hello.cpp b/src/ssl/hello.cpp index 5228807b4..a06fd75b4 100644 --- a/src/ssl/hello.cpp +++ b/src/ssl/hello.cpp @@ -63,14 +63,15 @@ void Hello_Request::deserialize(const MemoryRegion<byte>& buf) * Create a new Client Hello message */ Client_Hello::Client_Hello(RandomNumberGenerator& rng, - Record_Writer& writer, const TLS_Policy* policy, + Record_Writer& writer, + const TLS_Policy& policy, HandshakeHash& hash) { c_random = rng.random_vec(32); - suites = policy->ciphersuites(); - comp_algos = policy->compression(); - c_version = policy->pref_version(); + suites = policy.ciphersuites(); + comp_algos = policy.compression(); + c_version = policy.pref_version(); send(writer, hash); } @@ -210,9 +211,11 @@ bool Client_Hello::offered_suite(u16bit ciphersuite) const * Create a new Server Hello message */ Server_Hello::Server_Hello(RandomNumberGenerator& rng, - Record_Writer& writer, const TLS_Policy* policy, + Record_Writer& writer, + const TLS_Policy& policy, const std::vector<X509_Certificate>& certs, - const Client_Hello& c_hello, Version_Code ver, + const Client_Hello& c_hello, + Version_Code ver, HandshakeHash& hash) { bool have_rsa = false, have_dsa = false; @@ -227,13 +230,13 @@ Server_Hello::Server_Hello(RandomNumberGenerator& rng, have_dsa = true; } - suite = policy->choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa); + suite = policy.choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa); if(suite == 0) throw TLS_Exception(PROTOCOL_VERSION, "Can't agree on a ciphersuite with client"); - comp_algo = policy->choose_compression(c_hello.compression_algos()); + comp_algo = policy.choose_compression(c_hello.compression_algos()); s_version = ver; s_random = rng.random_vec(32); diff --git a/src/ssl/tls_client.cpp b/src/ssl/tls_client.cpp index 323fb6bd3..ad4074ab2 100644 --- a/src/ssl/tls_client.cpp +++ b/src/ssl/tls_client.cpp @@ -81,25 +81,30 @@ void client_check_state(Handshake_Type new_msg, Handshake_State* state) /** * TLS Client Constructor */ -TLS_Client::TLS_Client(RandomNumberGenerator& r, - Socket& sock, const TLS_Policy* pol) : - rng(r), peer(sock), writer(sock), policy(pol ? pol : new TLS_Policy) +TLS_Client::TLS_Client(const TLS_Policy& pol, + RandomNumberGenerator& r, + Socket& sock) : + policy(pol), + rng(r), + peer(sock), + writer(sock) { - peer_id = sock.peer_id(); - initialize(); } /** * TLS Client Constructor */ -TLS_Client::TLS_Client(RandomNumberGenerator& r, - Socket& sock, const X509_Certificate& cert, - const Private_Key& key, const TLS_Policy* pol) : - rng(r), peer(sock), writer(sock), policy(pol ? pol : new TLS_Policy) +TLS_Client::TLS_Client(const TLS_Policy& pol, + RandomNumberGenerator& r, + Socket& sock, + const X509_Certificate& cert, + const Private_Key& key) : + policy(pol), + rng(r), + peer(sock), + writer(sock) { - peer_id = sock.peer_id(); - certs.push_back(cert); keys.push_back(PKCS8::copy_key(key, rng)); @@ -114,7 +119,6 @@ TLS_Client::~TLS_Client() close(); for(u32bit j = 0; j != keys.size(); j++) delete keys[j]; - delete policy; delete state; } @@ -129,7 +133,7 @@ void TLS_Client::initialize() try { state = 0; active = false; - writer.set_version(policy->pref_version()); + writer.set_version(policy.pref_version()); do_handshake(); } catch(TLS_Exception& e) @@ -411,7 +415,7 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, throw TLS_Exception(HANDSHAKE_FAILURE, "TLS_Client: Server replied with bad version"); - if(state->version < policy->min_version()) + if(state->version < policy.min_version()) throw TLS_Exception(PROTOCOL_VERSION, "TLS_Client: Server is too old for specified policy"); @@ -434,7 +438,7 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, throw TLS_Exception(HANDSHAKE_FAILURE, "TLS_Client: No certificates sent by server"); - if(!policy->check_cert(peer_certs, peer_id)) + if(!policy.check_cert(peer_certs)) throw TLS_Exception(BAD_CERTIFICATE, "TLS_Client: Server certificate is not valid"); diff --git a/src/ssl/tls_client.h b/src/ssl/tls_client.h index 14b3b6451..e59218892 100644 --- a/src/ssl/tls_client.h +++ b/src/ssl/tls_client.h @@ -33,21 +33,16 @@ class BOTAN_DLL TLS_Client : public TLS_Connection void close(); bool is_closed() const; - TLS_Client(RandomNumberGenerator& rng, - Socket& peer, - const TLS_Policy* policy = 0); - -#if 0 - void add_cert(const X509_Certificate& cert, - const Private_Key& cert_key); -#endif + TLS_Client(const TLS_Policy& policy, + RandomNumberGenerator& rng, + Socket& peer); - // FIXME: support multiple cert/key pairs - TLS_Client(RandomNumberGenerator& rng, + // FIXME: support multiple/arbitrary # of cert/key pairs + TLS_Client(const TLS_Policy& policy, + RandomNumberGenerator& rng, Socket& peer, const X509_Certificate& cert, - const Private_Key& cert_key, - const TLS_Policy* policy = 0); + const Private_Key& cert_key); ~TLS_Client(); private: @@ -60,13 +55,12 @@ class BOTAN_DLL TLS_Client : public TLS_Connection void read_handshake(byte, const MemoryRegion<byte>&); void process_handshake_msg(Handshake_Type, const MemoryRegion<byte>&); + const TLS_Policy& policy; RandomNumberGenerator& rng; - Socket& peer; Record_Writer writer; Record_Reader reader; - const TLS_Policy* policy; std::vector<X509_Certificate> certs, peer_certs; std::vector<Private_Key*> keys; @@ -74,7 +68,6 @@ class BOTAN_DLL TLS_Client : public TLS_Connection class Handshake_State* state; SecureVector<byte> session_id; SecureQueue read_buf; - std::string peer_id; bool active; }; diff --git a/src/ssl/tls_magic.h b/src/ssl/tls_magic.h index 6936986f2..0c2a610b1 100644 --- a/src/ssl/tls_magic.h +++ b/src/ssl/tls_magic.h @@ -101,7 +101,6 @@ enum Ciphersuite_Code { TLS_RSA_WITH_RC4_128_SHA = 0x0005, TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, - TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C, diff --git a/src/ssl/tls_messages.h b/src/ssl/tls_messages.h index 63c4acd0d..c5d4d8cb8 100644 --- a/src/ssl/tls_messages.h +++ b/src/ssl/tls_messages.h @@ -54,7 +54,7 @@ class BOTAN_DLL Client_Hello : public HandshakeMessage bool offered_suite(u16bit) const; Client_Hello(RandomNumberGenerator& rng, - Record_Writer&, const TLS_Policy*, HandshakeHash&); + Record_Writer&, const TLS_Policy&, HandshakeHash&); Client_Hello(const MemoryRegion<byte>& buf, Handshake_Type type) @@ -232,7 +232,7 @@ class BOTAN_DLL Server_Hello : public HandshakeMessage const SecureVector<byte>& random() const { return s_random; } Server_Hello(RandomNumberGenerator& rng, - Record_Writer&, const TLS_Policy*, + Record_Writer&, const TLS_Policy&, const std::vector<X509_Certificate>&, const Client_Hello&, Version_Code, HandshakeHash&); diff --git a/src/ssl/tls_policy.cpp b/src/ssl/tls_policy.cpp index 03a83319c..e7e25a877 100644 --- a/src/ssl/tls_policy.cpp +++ b/src/ssl/tls_policy.cpp @@ -118,8 +118,7 @@ DL_Group TLS_Policy::dh_group() const /** * Default certificate check */ -bool TLS_Policy::check_cert(const std::vector<X509_Certificate>&, - const std::string&) const +bool TLS_Policy::check_cert(const std::vector<X509_Certificate>& certs) const { return true; } diff --git a/src/ssl/tls_policy.h b/src/ssl/tls_policy.h index 5555f0ca6..022eed4ec 100644 --- a/src/ssl/tls_policy.h +++ b/src/ssl/tls_policy.h @@ -16,7 +16,7 @@ namespace Botan { /** -* TLS_Policy Base Class +* TLS Policy Base Class * Inherit and overload as desired to suite local policy concerns */ class BOTAN_DLL TLS_Policy @@ -42,8 +42,7 @@ class BOTAN_DLL TLS_Policy virtual Version_Code min_version() const { return SSL_V3; } virtual Version_Code pref_version() const { return TLS_V11; } - virtual bool check_cert(const std::vector<X509_Certificate>&, - const std::string&) const; + virtual bool check_cert(const std::vector<X509_Certificate>& cert_chain) const; virtual ~TLS_Policy() {} private: diff --git a/src/ssl/tls_server.cpp b/src/ssl/tls_server.cpp index 33210dccb..3d72d9dca 100644 --- a/src/ssl/tls_server.cpp +++ b/src/ssl/tls_server.cpp @@ -85,14 +85,16 @@ void server_check_state(Handshake_Type new_msg, Handshake_State* state) /** * TLS Server Constructor */ -TLS_Server::TLS_Server(RandomNumberGenerator& r, - Socket& sock, const X509_Certificate& cert, - const Private_Key& key, const TLS_Policy* pol) : - rng(r), peer(sock), - writer(sock), policy(pol ? pol : new TLS_Policy) +TLS_Server::TLS_Server(const TLS_Policy& pol, + RandomNumberGenerator& r, + Socket& sock, + const X509_Certificate& cert, + const Private_Key& key) : + policy(pol), + rng(r), + peer(sock), + writer(sock) { - peer_id = sock.peer_id(); - state = 0; cert_chain.push_back(cert); @@ -125,7 +127,6 @@ TLS_Server::~TLS_Server() { close(); delete private_key; - delete policy; delete state; } @@ -353,7 +354,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, client_requested_hostname = state->client_hello->hostname(); state->version = choose_version(state->client_hello->version(), - policy->min_version()); + policy.min_version()); writer.set_version(state->version); reader.set_version(state->version); @@ -378,11 +379,11 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_RSA) { state->kex_priv = new RSA_PrivateKey(rng, - policy->rsa_export_keysize()); + policy.rsa_export_keysize()); } else if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_DH) { - state->kex_priv = new DH_PrivateKey(rng, policy->dh_group()); + state->kex_priv = new DH_PrivateKey(rng, policy.dh_group()); } else throw Internal_Error("TLS_Server: Unknown ciphersuite kex type"); @@ -395,7 +396,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, state->hash); } - if(policy->require_client_auth()) + if(policy.require_client_auth()) { state->do_client_auth = true; throw Internal_Error("Client auth not implemented"); diff --git a/src/ssl/tls_server.h b/src/ssl/tls_server.h index 13f8f46df..fc6adc9ce 100644 --- a/src/ssl/tls_server.h +++ b/src/ssl/tls_server.h @@ -36,11 +36,11 @@ class BOTAN_DLL TLS_Server : public TLS_Connection // FIXME: support cert chains (!) // FIXME: support anonymous servers - TLS_Server(RandomNumberGenerator& rng, + TLS_Server(const TLS_Policy& policy, + RandomNumberGenerator& rng, Socket& peer, const X509_Certificate& cert, - const Private_Key& cert_key, - const TLS_Policy* policy = 0); + const Private_Key& cert_key); ~TLS_Server(); private: @@ -52,13 +52,12 @@ class BOTAN_DLL TLS_Server : public TLS_Connection void process_handshake_msg(Handshake_Type, const MemoryRegion<byte>&); + const TLS_Policy& policy; RandomNumberGenerator& rng; - Socket& peer; Record_Writer writer; Record_Reader reader; - const TLS_Policy* policy; // FIXME: rename to match TLS_Client std::vector<X509_Certificate> cert_chain, peer_certs; @@ -67,7 +66,6 @@ class BOTAN_DLL TLS_Server : public TLS_Connection class Handshake_State* state; SecureVector<byte> session_id; SecureQueue read_buf; - std::string peer_id; std::string client_requested_hostname; bool active; }; |