diff options
| author | lloyd <[email protected]> | 2012-01-03 14:18:03 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2012-01-03 14:18:03 +0000 |
| commit | 5c00cc7305718fe209757142f7a43b711cccd8f9 (patch) | |
| tree | 560b225a66b06682d16182c5f0c57988242c8d48 /src/tls | |
| parent | 52868a93300a3b7e8666c49ccc786e6dba66438e (diff) | |
Add Credentials_Manager which is an interface to something that knows
what certs, keys, etc are available to the app. Needs polishing but it
seems like it should be sound.
Diffstat (limited to 'src/tls')
| -rw-r--r-- | src/tls/hello.cpp | 3 | ||||
| -rw-r--r-- | src/tls/tls_client.cpp | 45 | ||||
| -rw-r--r-- | src/tls/tls_client.h | 17 | ||||
| -rw-r--r-- | src/tls/tls_magic.h | 3 | ||||
| -rw-r--r-- | src/tls/tls_messages.h | 1 | ||||
| -rw-r--r-- | src/tls/tls_server.cpp | 36 | ||||
| -rw-r--r-- | src/tls/tls_server.h | 16 |
7 files changed, 48 insertions, 73 deletions
diff --git a/src/tls/hello.cpp b/src/tls/hello.cpp index 49115fd62..17a624381 100644 --- a/src/tls/hello.cpp +++ b/src/tls/hello.cpp @@ -282,10 +282,9 @@ Server_Hello::Server_Hello(Record_Writer& writer, const MemoryRegion<byte>& reneg_info, const std::vector<X509_Certificate>& certs, const Client_Hello& c_hello, - const MemoryRegion<byte>& session_id, Version_Code ver) : s_version(ver), - sess_id(session_id), + sess_id(rng.random_vec(32)), s_random(rng.random_vec(32)), m_fragment_size(c_hello.fragment_size()), has_secure_renegotiation(client_has_secure_renegotiation), diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index 1d9554ee8..b7249081b 100644 --- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp @@ -22,21 +22,23 @@ TLS_Client::TLS_Client(std::tr1::function<void (const byte[], size_t)> output_fn std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_fn, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, RandomNumberGenerator& rng, - const std::string& hostname, - const std::string& srp_identifier, - const std::string& srp_password) : + const std::string& hostname) : TLS_Channel(output_fn, proc_fn, handshake_fn), policy(policy), rng(rng), - session_manager(session_manager) + session_manager(session_manager), + creds(creds) { writer.set_version(SSL_V3); state = new Handshake_State; state->set_expected_next(SERVER_HELLO); + const std::string srp_identifier = creds.srp_identifier("tls-client", hostname); + if(hostname != "") { TLS_Session session_info; @@ -70,21 +72,6 @@ TLS_Client::TLS_Client(std::tr1::function<void (const byte[], size_t)> output_fn secure_renegotiation.update(state->client_hello); } -void TLS_Client::add_client_cert(const X509_Certificate& cert, - Private_Key* cert_key) - { - certs.push_back(std::make_pair(cert, cert_key)); - } - -/* -* TLS Client Destructor -*/ -TLS_Client::~TLS_Client() - { - for(size_t i = 0; i != certs.size(); i++) - delete certs[i].second; - } - /* * Send a new client hello to renegotiate */ @@ -308,17 +295,19 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, state->server_hello_done = new Server_Hello_Done(contents); - std::vector<X509_Certificate> send_certs; - if(state->received_handshake_msg(CERTIFICATE_REQUEST)) { std::vector<Certificate_Type> types = state->cert_req->acceptable_types(); - // FIXME: Fill in useful certs here, if any + std::vector<X509_Certificate> client_certs = + creds.cert_chain("", // use types here + "tls-client", + state->client_hello->sni_hostname()); + state->client_certs = new Certificate(writer, state->hash, - send_certs); + client_certs); } state->client_kex = @@ -327,11 +316,15 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, state->client_hello->version()); if(state->received_handshake_msg(CERTIFICATE_REQUEST) && - !send_certs.empty()) + !state->client_certs->empty()) { - Private_Key* key_matching_cert = 0; // FIXME + Private_Key* private_key = + creds.private_key_for(state->client_certs->cert_chain()[0], + "tls-client", + state->client_hello->sni_hostname()); + state->client_verify = new Certificate_Verify(writer, state->hash, - rng, key_matching_cert); + rng, private_key); } state->keys = SessionKeys(state->suite, state->version, diff --git a/src/tls/tls_client.h b/src/tls/tls_client.h index eccddef6f..543dda144 100644 --- a/src/tls/tls_client.h +++ b/src/tls/tls_client.h @@ -10,6 +10,7 @@ #include <botan/tls_channel.h> #include <botan/tls_session_manager.h> +#include <botan/credentials_manager.h> #include <vector> namespace Botan { @@ -26,28 +27,21 @@ class BOTAN_DLL TLS_Client : public TLS_Channel * @param proc_fn is called when new data (application or alerts) is received * @param handshake_complete is called when a handshake is completed * @param session_manager manages session state + * @param creds manages application/user credentials * @param policy specifies other connection policy information * @param rng a random number generator * @param servername the server's DNS name, if known - * @param srp_username a SRP identifier to use for SRP key exchange - * @param srp_password a SRP password to use for SRP key exchange */ TLS_Client(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_complete, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, RandomNumberGenerator& rng, - const std::string& servername = "", - const std::string& srp_username = "", - const std::string& srp_password = ""); - - void add_client_cert(const X509_Certificate& cert, - Private_Key* cert_key); + const std::string& servername = ""); void renegotiate(); - - ~TLS_Client(); private: void process_handshake_msg(Handshake_Type type, const MemoryRegion<byte>& contents); @@ -55,8 +49,7 @@ class BOTAN_DLL TLS_Client : public TLS_Channel const TLS_Policy& policy; RandomNumberGenerator& rng; TLS_Session_Manager& session_manager; - - std::vector<std::pair<X509_Certificate, Private_Key*> > certs; + Credentials_Manager& creds; }; } diff --git a/src/tls/tls_magic.h b/src/tls/tls_magic.h index 3629cd112..d49ec1e48 100644 --- a/src/tls/tls_magic.h +++ b/src/tls/tls_magic.h @@ -164,11 +164,12 @@ enum TLS_Ciphersuite_Algos { TLS_ALGO_SIGNER_ECDSA = 0x04000000, TLS_ALGO_KEYEXCH_MASK = 0x00FF0000, - TLS_ALGO_KEYEXCH_NOKEX = 0x00010000, + TLS_ALGO_KEYEXCH_NOKEX = 0x00010000, // exchange via key in server cert TLS_ALGO_KEYEXCH_RSA = 0x00020000, TLS_ALGO_KEYEXCH_DH = 0x00030000, TLS_ALGO_KEYEXCH_ECDH = 0x00040000, TLS_ALGO_KEYEXCH_SRP = 0x00050000, + TLS_ALGO_KEYEXCH_ANON = 0x00060000, TLS_ALGO_MAC_MASK = 0x0000FF00, TLS_ALGO_MAC_MD5 = 0x00000100, diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h index f0620003b..16069f048 100644 --- a/src/tls/tls_messages.h +++ b/src/tls/tls_messages.h @@ -150,7 +150,6 @@ class Server_Hello : public Handshake_Message const MemoryRegion<byte>& reneg_info, const std::vector<X509_Certificate>& certs, const Client_Hello& other, - const MemoryRegion<byte>& session_id, Version_Code version); Server_Hello(Record_Writer& writer, diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 0e2e173cf..b981bdc69 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -85,25 +85,15 @@ TLS_Server::TLS_Server(std::tr1::function<void (const byte[], size_t)> output_fn std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_fn, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, - RandomNumberGenerator& rng, - const X509_Certificate& cert, - const Private_Key& cert_key) : + RandomNumberGenerator& rng) : TLS_Channel(output_fn, proc_fn, handshake_fn), policy(policy), rng(rng), - session_manager(session_manager) + session_manager(session_manager), + creds(creds) { - cert_chain.push_back(cert); - private_key = PKCS8::copy_key(cert_key, rng); - } - -/* -* TLS Server Destructor -*/ -TLS_Server::~TLS_Server() - { - delete private_key; } /* @@ -183,7 +173,6 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, { // resume session - printf("Resuming a session\n"); state->server_hello = new Server_Hello( writer, state->hash, @@ -222,6 +211,17 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, } else // new session { + std::vector<X509_Certificate> server_certs = + creds.cert_chain("", + "tls-server", + client_requested_hostname); + + Private_Key* private_key = + server_certs.empty() ? 0 : + (creds.private_key_for(server_certs[0], + "tls-server", + client_requested_hostname)); + state->server_hello = new Server_Hello( writer, state->hash, @@ -229,9 +229,8 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, rng, secure_renegotiation.supported(), secure_renegotiation.for_server_hello(), - cert_chain, + server_certs, *(state->client_hello), - rng.random_vec(32), state->version); if(state->client_hello->fragment_size()) @@ -241,10 +240,9 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, if(state->suite.sig_type() != TLS_ALGO_SIGNER_ANON) { - // FIXME: should choose certs based on sig type state->server_certs = new Certificate(writer, state->hash, - cert_chain); + server_certs); } if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_NOKEX) diff --git a/src/tls/tls_server.h b/src/tls/tls_server.h index d684a4a11..e07f89eba 100644 --- a/src/tls/tls_server.h +++ b/src/tls/tls_server.h @@ -10,6 +10,7 @@ #include <botan/tls_channel.h> #include <botan/tls_session_manager.h> +#include <botan/credentials_manager.h> #include <vector> namespace Botan { @@ -20,23 +21,16 @@ namespace Botan { class BOTAN_DLL TLS_Server : public TLS_Channel { public: - /** * TLS_Server initialization - * - * FIXME: support cert chains (!) - * FIXME: support anonymous servers */ TLS_Server(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_complete, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, - RandomNumberGenerator& rng, - const X509_Certificate& cert, - const Private_Key& cert_key); - - ~TLS_Server(); + RandomNumberGenerator& rng); void renegotiate(); @@ -53,9 +47,7 @@ class BOTAN_DLL TLS_Server : public TLS_Channel const TLS_Policy& policy; RandomNumberGenerator& rng; TLS_Session_Manager& session_manager; - - std::vector<X509_Certificate> cert_chain; - Private_Key* private_key; + Credentials_Manager& creds; std::string client_requested_hostname; }; |