authorJack Lloyd <[email protected]>2016-11-21 20:13:15 -0500
committerJack Lloyd <[email protected]>2016-11-23 08:31:07 -0500
commit33e855853886193867b32da847b8b77f7bc102ee (patch)
treeed8d4d93f247832f7768b5fe1e92cde7109e4352 /src/lib/tls/tls_callbacks.h
parent987fcef3f93fe06500b81da2706b358cff85d53a (diff)
Move TLS cert verification callback from Credentials_Manager to TLS::Callbacks
It is the only function in C_M which is called on to process session-specific (and adversarially provided) inputs, rather than passively returning some credential which is typically not session specific.
Diffstat (limited to 'src/lib/tls/tls_callbacks.h')
-rw-r--r--src/lib/tls/tls_callbacks.h45
1 files changed, 44 insertions, 1 deletions
diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h
index f81071a05..9de7710f4 100644
--- a/src/lib/tls/tls_callbacks.h
+++ b/src/lib/tls/tls_callbacks.h
@@ -11,8 +11,18 @@
#include <botan/tls_session.h>
#include <botan/tls_alert.h>
+
namespace Botan {
+class Certificate_Store;
+class X509_Certificate;
+
+namespace OCSP {
+
+class Response;
+
+}
+
namespace TLS {
class Handshake_Message;
@@ -53,7 +63,7 @@ class BOTAN_DLL Callbacks
virtual void tls_record_received(u64bit seq_no, const uint8_t data[], size_t size) = 0;
/**
- * Mandary callback: alert received
+ * Mandatory callback: alert received
* Called when an alert is received from the peer
* If fatal, the connection is closing. If not fatal, the connection may
* still be closing (depending on the error and the peer).
@@ -81,6 +91,39 @@ class BOTAN_DLL Callbacks
virtual void tls_session_activated() {}
/**
+ * Optional callback with default impl: verify cert chain
+ *
+ * Default implementation performs a standard PKIX validation
+ * and initiates network OCSP request for end-entity cert.
+ * Override to provide different behavior.
+ *
+ * Check the certificate chain is valid up to a trusted root, and
+ * optionally (if hostname != "") that the hostname given is
+ * consistent with the leaf certificate.
+ *
+ * This function should throw an exception derived from
+ * std::exception with an informative what() result if the
+ * certificate chain cannot be verified.
+ *
+ * @param cert_chain specifies a certificate chain leading to a
+ * trusted root CA certificate.
+
+ * @param usage what this cert chain is being used for
+ * Usage_Type::TLS_SERVER_AUTH for server chains,
+ * Usage_Type::TLS_CLIENT_AUTH for client chains,
+ * Usage_Type::UNSPECIFIED for other uses
+ * @param hostname when authenticating a server, this is the hostname
+ * the client requested (eg via SNI). When authenticating a client,
+ * this is the server name the client is authenticating *to*.
+ * Empty in other cases or if no hostname was used.
+ */
+ virtual void tls_verify_cert_chain(
+ const std::vector<X509_Certificate>& cert_chain,
+ const std::vector<Certificate_Store*>& trusted_roots,
+ Usage_Type usage,
+ const std::string& hostname);
+
+ /**
* Optional callback: inspect handshake message
* Throw an exception to abort the handshake.
* Default simply ignores the message.
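Review bot: The new doc comment for tls_verify_cert_chain documents cert_chain, usage and hostname but says nothing about `trusted_roots`, the second parameter of the declaration; add a line such as `@param trusted_roots the certificate stores the chain is validated against` (the default implementation is not in this hunk, so the exact semantics should be confirmed there). The line between the cert_chain description and the usage description is a bare `+` with no leading `*`, which breaks the asterisk column of the comment block and should be ` *`. Given that the commit description singles this out as the one callback handed adversarially provided input, the cert_chain text ("specifies a certificate chain leading to a trusted root CA certificate") reads as if the chain is already known to be good; rewording it to `@param cert_chain the chain as presented by the peer, unverified; the callback must establish that it leads to a root in trusted_roots` states the contract more accurately. The enclosing class Callbacks starts and ends outside this hunk.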