authorlloyd <[email protected]>2012-01-23 23:36:19 +0000
committerlloyd <[email protected]>2012-01-23 23:36:19 +0000
commitf34cc48100c672824aa70869adfb59669055d173 (patch)
tree6cbcd0d984b1a38b8024cf3b0642edc2a0498368 /src/tls
parente3dc1e69f53f93e03411f258e976d2befcf45f91 (diff)
The credentials manager interface seems a much better place for cert
checking, allowed client auth CAs, etc than the policy class. With this change, most users won't ever need to modify the default policy which is likely a good thing. Remove copy and paste of the credentials manager implementation in the examples.
Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/tls_client.cpp12
-rw-r--r--src/tls/tls_policy.h11
-rw-r--r--src/tls/tls_server.cpp12
3 files changed, 20 insertions, 15 deletions
diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp
index 835e8d4bd..215ff6972 100644
--- a/src/tls/tls_client.cpp
+++ b/src/tls/tls_client.cpp
@@ -251,9 +251,15 @@ void Client::process_handshake_msg(Handshake_Type type,
throw TLS_Exception(HANDSHAKE_FAILURE,
"Client: No certificates sent by server");
- if(!policy.check_cert(peer_certs))
- throw TLS_Exception(BAD_CERTIFICATE,
- "Client: Server certificate is not valid");
+ try
+ {
+ creds.verify_certificate_chain(peer_certs,
+ state->client_hello->sni_hostname());
+ }
+ catch(std::exception& e)
+ {
+ throw TLS_Exception(BAD_CERTIFICATE, e.what());
+ }
std::auto_ptr<Public_Key> peer_key(peer_certs[0].subject_public_key());
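Review bot: The server-certificate check now rests entirely on what `creds.verify_certificate_chain` does, whereas the removed `policy.check_cert` was pure virtual (see the tls_policy.h section) and so forced every application to supply a check. If the credentials manager's default implementation accepts a chain without validating it (not visible in this diff), clients that never override it would accept any server certificate, so the default should fail closed or the requirement should be documented at the call. The name passed is `state->client_hello->sni_hostname()`; it is worth confirming that an empty SNI value cannot cause name matching to be skipped. Separately, both this handler and the one in the second tls_server.cpp hunk should catch by `const std::exception&`. `Client::process_handshake_msg` starts and ends outside the hunk.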
diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h
index 61de53dcd..68de2c4df 100644
--- a/src/tls/tls_policy.h
+++ b/src/tls/tls_policy.h
@@ -46,15 +46,6 @@ class BOTAN_DLL Policy
virtual std::vector<byte> compression() const;
- virtual bool check_cert(const std::vector<X509_Certificate>& cert_chain) const = 0;
-
- /**
- * If client authentication is desired, returns a list of allowable
- * CAs for same. If not desired, returns empty list.
- */
- virtual std::vector<X509_Certificate> client_auth_CAs() const
- { return std::vector<X509_Certificate>(); }
-
/**
* Require support for RFC 5746 extensions to enable
* renegotiation.
@@ -70,7 +61,7 @@ class BOTAN_DLL Policy
virtual DL_Group dh_group() const { return DL_Group("modp/ietf/1536"); }
/*
- * @return the minimum version that we will negotiate
+ * @return the minimum version that we are willing to negotiate
*/
virtual Protocol_Version min_version() const
{ return Protocol_Version::SSL_V3; }
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index cd7888c8b..b38a010dd 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -270,7 +270,8 @@ void Server::process_handshake_msg(Handshake_Type type,
else
state->kex_priv = PKCS8::copy_key(*private_key, rng);
- std::vector<X509_Certificate> client_auth_CAs = policy.client_auth_CAs();
+ std::vector<X509_Certificate> client_auth_CAs =
+ creds.trusted_certificate_authorities("tls-server", m_hostname);
if(!client_auth_CAs.empty() && state->suite.sig_algo() != "")
{
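Review bot: A comment is missing on what an empty result from `creds.trusted_certificate_authorities("tls-server", m_hostname)` means: the `if(!client_auth_CAs.empty() ...)` that follows appears to treat it as "do not request a client certificate", so a credentials manager that fails to load its CA set would turn client authentication off without any error. I would add `// Empty list => no client certificate is requested; client auth is effectively disabled` above the call, and consider whether deployments that require client auth need a way to fail the handshake instead. The body of the `if` lies outside the hunk, so what it does with the list is inferred.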
@@ -342,7 +343,14 @@ void Server::process_handshake_msg(Handshake_Type type,
if(!sig_valid)
throw TLS_Exception(DECRYPT_ERROR, "Client cert verify failed");
- // FIXME: check cert was issued by a CA we requested, signatures, etc.
+ try
+ {
+ creds.verify_certificate_chain(client_certs);
+ }
+ catch(std::exception& e)
+ {
+ throw TLS_Exception(BAD_CERTIFICATE, e.what());
+ }
state->set_expected_next(HANDSHAKE_CCS);
}
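Review bot: `creds.verify_certificate_chain(client_certs)` is called without the `"tls-server"` / `m_hostname` context that the earlier hunk passes to `trusted_certificate_authorities`, so nothing visible here ties validation to the CA list that was advertised to the client. The removed FIXME asked for exactly that check ("issued by a CA we requested"); unless the credentials manager enforces it internally, a chain rooted in an anchor it trusts for some other purpose could pass. A comment stating what the implementation must check would help, e.g. `// creds must reject chains not rooted in a CA returned by trusted_certificate_authorities("tls-server", m_hostname)`. The surrounding function starts outside the hunk, so whether `client_certs` can be empty at this point is not visible.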