aboutsummaryrefslogtreecommitdiffstats
path: root/src/ssl
diff options
context:
space:
mode:
authorlloyd <[email protected]>2010-09-17 13:55:23 +0000
committerlloyd <[email protected]>2010-09-17 13:55:23 +0000
commit8fa7d0b4f91eec572d8b2971d87e68741d1cd330 (patch)
tree6caf8dfc00dadc1000c73c3cf875430474153425 /src/ssl
parentc037226de0af018187d03e7caaf6acb754fe1039 (diff)
Require a TLS_Policy
Diffstat (limited to 'src/ssl')
-rw-r--r--src/ssl/hello.cpp19
-rw-r--r--src/ssl/tls_client.cpp34
-rw-r--r--src/ssl/tls_client.h23
-rw-r--r--src/ssl/tls_magic.h1
-rw-r--r--src/ssl/tls_messages.h4
-rw-r--r--src/ssl/tls_policy.cpp3
-rw-r--r--src/ssl/tls_policy.h5
-rw-r--r--src/ssl/tls_server.cpp25
-rw-r--r--src/ssl/tls_server.h10
9 files changed, 60 insertions, 64 deletions
diff --git a/src/ssl/hello.cpp b/src/ssl/hello.cpp
index 5228807b4..a06fd75b4 100644
--- a/src/ssl/hello.cpp
+++ b/src/ssl/hello.cpp
@@ -63,14 +63,15 @@ void Hello_Request::deserialize(const MemoryRegion<byte>& buf)
* Create a new Client Hello message
*/
Client_Hello::Client_Hello(RandomNumberGenerator& rng,
- Record_Writer& writer, const TLS_Policy* policy,
+ Record_Writer& writer,
+ const TLS_Policy& policy,
HandshakeHash& hash)
{
c_random = rng.random_vec(32);
- suites = policy->ciphersuites();
- comp_algos = policy->compression();
- c_version = policy->pref_version();
+ suites = policy.ciphersuites();
+ comp_algos = policy.compression();
+ c_version = policy.pref_version();
send(writer, hash);
}
@@ -210,9 +211,11 @@ bool Client_Hello::offered_suite(u16bit ciphersuite) const
* Create a new Server Hello message
*/
Server_Hello::Server_Hello(RandomNumberGenerator& rng,
- Record_Writer& writer, const TLS_Policy* policy,
+ Record_Writer& writer,
+ const TLS_Policy& policy,
const std::vector<X509_Certificate>& certs,
- const Client_Hello& c_hello, Version_Code ver,
+ const Client_Hello& c_hello,
+ Version_Code ver,
HandshakeHash& hash)
{
bool have_rsa = false, have_dsa = false;
@@ -227,13 +230,13 @@ Server_Hello::Server_Hello(RandomNumberGenerator& rng,
have_dsa = true;
}
- suite = policy->choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa);
+ suite = policy.choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa);
if(suite == 0)
throw TLS_Exception(PROTOCOL_VERSION,
"Can't agree on a ciphersuite with client");
- comp_algo = policy->choose_compression(c_hello.compression_algos());
+ comp_algo = policy.choose_compression(c_hello.compression_algos());
s_version = ver;
s_random = rng.random_vec(32);
diff --git a/src/ssl/tls_client.cpp b/src/ssl/tls_client.cpp
index 323fb6bd3..ad4074ab2 100644
--- a/src/ssl/tls_client.cpp
+++ b/src/ssl/tls_client.cpp
@@ -81,25 +81,30 @@ void client_check_state(Handshake_Type new_msg, Handshake_State* state)
/**
* TLS Client Constructor
*/
-TLS_Client::TLS_Client(RandomNumberGenerator& r,
- Socket& sock, const TLS_Policy* pol) :
- rng(r), peer(sock), writer(sock), policy(pol ? pol : new TLS_Policy)
+TLS_Client::TLS_Client(const TLS_Policy& pol,
+ RandomNumberGenerator& r,
+ Socket& sock) :
+ policy(pol),
+ rng(r),
+ peer(sock),
+ writer(sock)
{
- peer_id = sock.peer_id();
-
initialize();
}
/**
* TLS Client Constructor
*/
-TLS_Client::TLS_Client(RandomNumberGenerator& r,
- Socket& sock, const X509_Certificate& cert,
- const Private_Key& key, const TLS_Policy* pol) :
- rng(r), peer(sock), writer(sock), policy(pol ? pol : new TLS_Policy)
+TLS_Client::TLS_Client(const TLS_Policy& pol,
+ RandomNumberGenerator& r,
+ Socket& sock,
+ const X509_Certificate& cert,
+ const Private_Key& key) :
+ policy(pol),
+ rng(r),
+ peer(sock),
+ writer(sock)
{
- peer_id = sock.peer_id();
-
certs.push_back(cert);
keys.push_back(PKCS8::copy_key(key, rng));
@@ -114,7 +119,6 @@ TLS_Client::~TLS_Client()
close();
for(u32bit j = 0; j != keys.size(); j++)
delete keys[j];
- delete policy;
delete state;
}
@@ -129,7 +133,7 @@ void TLS_Client::initialize()
try {
state = 0;
active = false;
- writer.set_version(policy->pref_version());
+ writer.set_version(policy.pref_version());
do_handshake();
}
catch(TLS_Exception& e)
@@ -411,7 +415,7 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
throw TLS_Exception(HANDSHAKE_FAILURE,
"TLS_Client: Server replied with bad version");
- if(state->version < policy->min_version())
+ if(state->version < policy.min_version())
throw TLS_Exception(PROTOCOL_VERSION,
"TLS_Client: Server is too old for specified policy");
@@ -434,7 +438,7 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
throw TLS_Exception(HANDSHAKE_FAILURE,
"TLS_Client: No certificates sent by server");
- if(!policy->check_cert(peer_certs, peer_id))
+ if(!policy.check_cert(peer_certs))
throw TLS_Exception(BAD_CERTIFICATE,
"TLS_Client: Server certificate is not valid");
diff --git a/src/ssl/tls_client.h b/src/ssl/tls_client.h
index 14b3b6451..e59218892 100644
--- a/src/ssl/tls_client.h
+++ b/src/ssl/tls_client.h
@@ -33,21 +33,16 @@ class BOTAN_DLL TLS_Client : public TLS_Connection
void close();
bool is_closed() const;
- TLS_Client(RandomNumberGenerator& rng,
- Socket& peer,
- const TLS_Policy* policy = 0);
-
-#if 0
- void add_cert(const X509_Certificate& cert,
- const Private_Key& cert_key);
-#endif
+ TLS_Client(const TLS_Policy& policy,
+ RandomNumberGenerator& rng,
+ Socket& peer);
- // FIXME: support multiple cert/key pairs
- TLS_Client(RandomNumberGenerator& rng,
+ // FIXME: support multiple/arbitrary # of cert/key pairs
+ TLS_Client(const TLS_Policy& policy,
+ RandomNumberGenerator& rng,
Socket& peer,
const X509_Certificate& cert,
- const Private_Key& cert_key,
- const TLS_Policy* policy = 0);
+ const Private_Key& cert_key);
~TLS_Client();
private:
@@ -60,13 +55,12 @@ class BOTAN_DLL TLS_Client : public TLS_Connection
void read_handshake(byte, const MemoryRegion<byte>&);
void process_handshake_msg(Handshake_Type, const MemoryRegion<byte>&);
+ const TLS_Policy& policy;
RandomNumberGenerator& rng;
-
Socket& peer;
Record_Writer writer;
Record_Reader reader;
- const TLS_Policy* policy;
std::vector<X509_Certificate> certs, peer_certs;
std::vector<Private_Key*> keys;
@@ -74,7 +68,6 @@ class BOTAN_DLL TLS_Client : public TLS_Connection
class Handshake_State* state;
SecureVector<byte> session_id;
SecureQueue read_buf;
- std::string peer_id;
bool active;
};
diff --git a/src/ssl/tls_magic.h b/src/ssl/tls_magic.h
index 6936986f2..0c2a610b1 100644
--- a/src/ssl/tls_magic.h
+++ b/src/ssl/tls_magic.h
@@ -101,7 +101,6 @@ enum Ciphersuite_Code {
TLS_RSA_WITH_RC4_128_SHA = 0x0005,
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
-
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
diff --git a/src/ssl/tls_messages.h b/src/ssl/tls_messages.h
index 63c4acd0d..c5d4d8cb8 100644
--- a/src/ssl/tls_messages.h
+++ b/src/ssl/tls_messages.h
@@ -54,7 +54,7 @@ class BOTAN_DLL Client_Hello : public HandshakeMessage
bool offered_suite(u16bit) const;
Client_Hello(RandomNumberGenerator& rng,
- Record_Writer&, const TLS_Policy*, HandshakeHash&);
+ Record_Writer&, const TLS_Policy&, HandshakeHash&);
Client_Hello(const MemoryRegion<byte>& buf,
Handshake_Type type)
@@ -232,7 +232,7 @@ class BOTAN_DLL Server_Hello : public HandshakeMessage
const SecureVector<byte>& random() const { return s_random; }
Server_Hello(RandomNumberGenerator& rng,
- Record_Writer&, const TLS_Policy*,
+ Record_Writer&, const TLS_Policy&,
const std::vector<X509_Certificate>&,
const Client_Hello&, Version_Code, HandshakeHash&);
diff --git a/src/ssl/tls_policy.cpp b/src/ssl/tls_policy.cpp
index 03a83319c..e7e25a877 100644
--- a/src/ssl/tls_policy.cpp
+++ b/src/ssl/tls_policy.cpp
@@ -118,8 +118,7 @@ DL_Group TLS_Policy::dh_group() const
/**
* Default certificate check
*/
-bool TLS_Policy::check_cert(const std::vector<X509_Certificate>&,
- const std::string&) const
+bool TLS_Policy::check_cert(const std::vector<X509_Certificate>& certs) const
{
return true;
}
diff --git a/src/ssl/tls_policy.h b/src/ssl/tls_policy.h
index 5555f0ca6..022eed4ec 100644
--- a/src/ssl/tls_policy.h
+++ b/src/ssl/tls_policy.h
@@ -16,7 +16,7 @@
namespace Botan {
/**
-* TLS_Policy Base Class
+* TLS Policy Base Class
* Inherit and overload as desired to suite local policy concerns
*/
class BOTAN_DLL TLS_Policy
@@ -42,8 +42,7 @@ class BOTAN_DLL TLS_Policy
virtual Version_Code min_version() const { return SSL_V3; }
virtual Version_Code pref_version() const { return TLS_V11; }
- virtual bool check_cert(const std::vector<X509_Certificate>&,
- const std::string&) const;
+ virtual bool check_cert(const std::vector<X509_Certificate>& cert_chain) const;
virtual ~TLS_Policy() {}
private:
diff --git a/src/ssl/tls_server.cpp b/src/ssl/tls_server.cpp
index 33210dccb..3d72d9dca 100644
--- a/src/ssl/tls_server.cpp
+++ b/src/ssl/tls_server.cpp
@@ -85,14 +85,16 @@ void server_check_state(Handshake_Type new_msg, Handshake_State* state)
/**
* TLS Server Constructor
*/
-TLS_Server::TLS_Server(RandomNumberGenerator& r,
- Socket& sock, const X509_Certificate& cert,
- const Private_Key& key, const TLS_Policy* pol) :
- rng(r), peer(sock),
- writer(sock), policy(pol ? pol : new TLS_Policy)
+TLS_Server::TLS_Server(const TLS_Policy& pol,
+ RandomNumberGenerator& r,
+ Socket& sock,
+ const X509_Certificate& cert,
+ const Private_Key& key) :
+ policy(pol),
+ rng(r),
+ peer(sock),
+ writer(sock)
{
- peer_id = sock.peer_id();
-
state = 0;
cert_chain.push_back(cert);
@@ -125,7 +127,6 @@ TLS_Server::~TLS_Server()
{
close();
delete private_key;
- delete policy;
delete state;
}
@@ -353,7 +354,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
client_requested_hostname = state->client_hello->hostname();
state->version = choose_version(state->client_hello->version(),
- policy->min_version());
+ policy.min_version());
writer.set_version(state->version);
reader.set_version(state->version);
@@ -378,11 +379,11 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_RSA)
{
state->kex_priv = new RSA_PrivateKey(rng,
- policy->rsa_export_keysize());
+ policy.rsa_export_keysize());
}
else if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_DH)
{
- state->kex_priv = new DH_PrivateKey(rng, policy->dh_group());
+ state->kex_priv = new DH_PrivateKey(rng, policy.dh_group());
}
else
throw Internal_Error("TLS_Server: Unknown ciphersuite kex type");
@@ -395,7 +396,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
state->hash);
}
- if(policy->require_client_auth())
+ if(policy.require_client_auth())
{
state->do_client_auth = true;
throw Internal_Error("Client auth not implemented");
diff --git a/src/ssl/tls_server.h b/src/ssl/tls_server.h
index 13f8f46df..fc6adc9ce 100644
--- a/src/ssl/tls_server.h
+++ b/src/ssl/tls_server.h
@@ -36,11 +36,11 @@ class BOTAN_DLL TLS_Server : public TLS_Connection
// FIXME: support cert chains (!)
// FIXME: support anonymous servers
- TLS_Server(RandomNumberGenerator& rng,
+ TLS_Server(const TLS_Policy& policy,
+ RandomNumberGenerator& rng,
Socket& peer,
const X509_Certificate& cert,
- const Private_Key& cert_key,
- const TLS_Policy* policy = 0);
+ const Private_Key& cert_key);
~TLS_Server();
private:
@@ -52,13 +52,12 @@ class BOTAN_DLL TLS_Server : public TLS_Connection
void process_handshake_msg(Handshake_Type, const MemoryRegion<byte>&);
+ const TLS_Policy& policy;
RandomNumberGenerator& rng;
-
Socket& peer;
Record_Writer writer;
Record_Reader reader;
- const TLS_Policy* policy;
// FIXME: rename to match TLS_Client
std::vector<X509_Certificate> cert_chain, peer_certs;
@@ -67,7 +66,6 @@ class BOTAN_DLL TLS_Server : public TLS_Connection
class Handshake_State* state;
SecureVector<byte> session_id;
SecureQueue read_buf;
- std::string peer_id;
std::string client_requested_hostname;
bool active;
};