Finish up server side SRP support, a little ugly but it works.

Add SRP hooks in the examples

Fix next protocol support in the tls_server example.

4 files changed, 137 insertions, 24 deletions

diff --git a/doc/examples/asio_tls_server.cpp b/doc/examples/asio_tls_server.cpp
index 5c606a3f2..e721d0455 100644
--- a/doc/examples/asio_tls_server.cpp
+++ b/doc/examples/asio_tls_server.cpp
@@ -215,6 +215,11 @@ class Session_Manager_Locked : public Botan::TLS::Session_Manager
          m_session_manager.save(session);
          }
 
+      Botan::u32bit session_lifetime() const
+         {
+         return m_session_manager.session_lifetime();
+         }
+
    private:
       boost::mutex m_mutex;
       Botan::TLS::Session_Manager_In_Memory m_session_manager;
diff --git a/doc/examples/credentials.h b/doc/examples/credentials.h
index 0999b251d..047e42339 100644
--- a/doc/examples/credentials.h
+++ b/doc/examples/credentials.h
@@ -6,6 +6,8 @@
 #include <botan/x509self.h>
 #include <botan/rsa.h>
 #include <botan/dsa.h>
+#include <botan/srp6.h>
+#include <botan/srp6_files.h>
 #include <botan/ecdsa.h>
 #include <iostream>
 #include <fstream>
@@ -25,6 +27,94 @@ class Credentials_Manager_Simple : public Botan::Credentials_Manager
    public:
       Credentials_Manager_Simple(Botan::RandomNumberGenerator& rng) : rng(rng) {}
 
+      std::string srp_identifier(const std::string& type,
+                                 const std::string& hostname)
+         {
+         if(type == "tls-client" && hostname == "localhost")
+            return "user";
+         return "";
+         }
+
+      bool attempt_srp(const std::string& type,
+                       const std::string& hostname)
+         {
+         return true;
+         if(hostname == "localhost")
+            return true;
+         return false;
+         }
+
+      std::vector<Botan::X509_Certificate>
+      trusted_certificate_authorities(const std::string&,
+                                      const std::string&)
+         {
+         std::vector<Botan::X509_Certificate> certs;
+
+         Botan::X509_Certificate verisign("/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt");
+         certs.push_back(verisign);
+         return certs;
+         }
+
+      void verify_certificate_chain(
+         const std::string& type,
+         const std::string& purported_hostname,
+         const std::vector<Botan::X509_Certificate>& cert_chain)
+         {
+         try
+            {
+            Botan::Credentials_Manager::verify_certificate_chain(type,
+                                                                 purported_hostname,
+                                                                 cert_chain);
+            }
+         catch(std::exception& e)
+            {
+            std::cout << "Certificate verification failed - " << e.what() << "\n";
+            }
+         }
+
+      std::string srp_password(const std::string& type,
+                               const std::string& hostname,
+                               const std::string& identifier)
+         {
+         if(type == "tls-client" && hostname == "localhost" && identifier == "user")
+            return "password";
+
+         return "";
+         }
+
+      bool srp_verifier(const std::string& type,
+                        const std::string& context,
+                        const std::string& identifier,
+                        std::string& group_id,
+                        Botan::BigInt& verifier,
+                        Botan::MemoryRegion<Botan::byte>& salt,
+                        bool generate_fake_on_unknown)
+         {
+
+         std::string pass = srp_password("tls-client", context, identifier);
+         if(pass == "")
+            {
+            if(!generate_fake_on_unknown)
+               return false;
+
+            pass.resize(16);
+            Botan::global_state().global_rng().randomize((Botan::byte*)&pass[0], pass.size());
+            }
+
+         group_id = "modp/srp/2048";
+
+         salt.resize(16);
+         Botan::global_state().global_rng().randomize(&salt[0], salt.size());
+
+         verifier = Botan::generate_srp6_verifier(identifier,
+                                                  pass,
+                                                  salt,
+                                                  group_id,
+                                                  "SHA-1");
+
+         return true;
+         }
+
       std::string psk_identity_hint(const std::string&,
                                     const std::string&)
          {
@@ -34,6 +124,7 @@ class Credentials_Manager_Simple : public Botan::Credentials_Manager
       std::string psk_identity(const std::string&, const std::string&,
                                const std::string& identity_hint)
          {
+         //return "lloyd";
          return "Client_identity";
          }
 
@@ -49,6 +140,8 @@ class Credentials_Manager_Simple : public Botan::Credentials_Manager
 
          if(identity == "Client_identity")
             return Botan::SymmetricKey("b5a72e1387552e6dc10766dc0eda12961f5b21e17f98ef4c41e6572e53bd7527");
+         if(identity == "lloyd")
+            return Botan::SymmetricKey("85b3c1b7dc62b507636ac767999c9630");
 
          throw Botan::Internal_Error("No PSK set for " + identity);
          }
@@ -129,6 +222,9 @@ class Credentials_Manager_Simple : public Botan::Credentials_Manager
                {
                const std::string hostname = (context == "" ? "localhost" : context);
 
+               if(hostname == "nosuchname")
+                  return std::vector<Botan::X509_Certificate>();
+
                std::string key_name = "";
 
                if(value_exists(cert_key_types, "RSA"))
diff --git a/doc/examples/tls_server.cpp b/doc/examples/tls_server.cpp
index a5f2c5d78..057584677 100644
--- a/doc/examples/tls_server.cpp
+++ b/doc/examples/tls_server.cpp
@@ -19,17 +19,6 @@ using namespace std::tr1::placeholders;
 #include <iostream>
 #include <memory>
 
-bool handshake_complete(const TLS::Session& session)
-   {
-   printf("Handshake complete, protocol=%04X ciphersuite=%s compression=%d\n",
-          session.version(), session.ciphersuite().to_string().c_str(),
-          session.compression_method());
-
-   printf("Session id = %s\n", hex_encode(session.session_id()).c_str());
-   printf("Master secret = %s\n", hex_encode(session.master_secret()).c_str());
-   return true;
-   }
-
 class Blocking_TLS_Server
    {
    public:
@@ -44,23 +33,40 @@ class Blocking_TLS_Server
          server(
             output_fn,
             std::tr1::bind(&Blocking_TLS_Server::reader_fn, std::tr1::ref(*this), _1, _2, _3),
-            handshake_complete,
+            std::tr1::bind(&Blocking_TLS_Server::handshake_complete, std::tr1::ref(*this), _1),
             sessions,
             creds,
             policy,
-            rng),
+            rng,
+            protocols),
          exit(false)
          {
          read_loop();
          }
 
+      bool handshake_complete(const TLS::Session& session)
+         {
+         std::cout << "Handshake complete: "
+                   << session.version().to_string() << " "
+                   << session.ciphersuite().to_string() << " "
+                   << "SessionID: " << hex_encode(session.session_id()) << "\n";
+
+         if(session.srp_identifier() != "")
+            std::cout << "SRP identifier: " << session.srp_identifier() << "\n";
+
+         if(server.next_protocol() != "")
+            std::cout << "Next protocol: " << server.next_protocol() << "\n";
+
+         return true;
+         }
+
       size_t read(byte buf[], size_t buf_len)
          {
          size_t got = read_queue.read(buf, buf_len);
 
          while(!exit && !got)
             {
-            read_loop(5); // header size
+            read_loop(TLS::TLS_HEADER_SIZE);
             got = read_queue.read(buf, buf_len);
             }
 
@@ -148,8 +154,14 @@ int main(int argc, char* argv[])
       Credentials_Manager_Simple creds(rng);
 
       std::vector<std::string> protocols;
-      protocols.push_back("spdy/2");
-      protocols.push_back("http/1.0");
+
+      /*
+      * These are the protocols we advertise to the client, but the
+      * client will send back whatever it actually plans on talking,
+      * which may or may not take into account what we advertise.
+      */
+      protocols.push_back("echo/1.0");
+      protocols.push_back("echo/1.1");
 
       while(true)
          {
diff --git a/doc/tls.txt b/doc/tls.txt
index dd4fb1270..267fb6e62 100644
--- a/doc/tls.txt
+++ b/doc/tls.txt
@@ -7,14 +7,14 @@ SSL and TLS
 .. versionadded:: 1.10.2
 
 Botan supports both client and server implementations of the SSL/TLS
-protocols, including SSL v3, TLS v1.0, and TLS v1.1 (the insecure and
-obsolete SSL v2 protocol is not supported, beyond processing SSL v2
-client hellos which some implementations send for backwards
-compatability).
-
-The implementation uses ``std::tr1::function``, so it may not have
-been compiled into the version you are using; you can test for the
-feature macro ``BOTAN_HAS_TLS`` to check.
+protocols, including SSL v3, TLS v1.0, TLS v1.1, and TLS v1.2 (the
+insecure and obsolete SSL v2 protocol is not supported, beyond
+processing SSL v2 client hellos which some clients still send for
+backwards compatability with ancient servers).
+
+The implementation uses ``std::tr1::function`` for callbacks, so it
+may not have been compiled into the version you are using; you can
+test for the feature macro ``BOTAN_HAS_TLS`` to check.
 
 General TLS Interface
 ----------------------------------------