diff options
Diffstat (limited to 'src/tls')
| -rw-r--r-- | src/tls/hello.cpp | 3 | ||||
| -rw-r--r-- | src/tls/tls_client.cpp | 45 | ||||
| -rw-r--r-- | src/tls/tls_client.h | 17 | ||||
| -rw-r--r-- | src/tls/tls_magic.h | 3 | ||||
| -rw-r--r-- | src/tls/tls_messages.h | 1 | ||||
| -rw-r--r-- | src/tls/tls_server.cpp | 36 | ||||
| -rw-r--r-- | src/tls/tls_server.h | 16 |
7 files changed, 48 insertions, 73 deletions
diff --git a/src/tls/hello.cpp b/src/tls/hello.cpp index 49115fd62..17a624381 100644 --- a/src/tls/hello.cpp +++ b/src/tls/hello.cpp @@ -282,10 +282,9 @@ Server_Hello::Server_Hello(Record_Writer& writer, const MemoryRegion<byte>& reneg_info, const std::vector<X509_Certificate>& certs, const Client_Hello& c_hello, - const MemoryRegion<byte>& session_id, Version_Code ver) : s_version(ver), - sess_id(session_id), + sess_id(rng.random_vec(32)), s_random(rng.random_vec(32)), m_fragment_size(c_hello.fragment_size()), has_secure_renegotiation(client_has_secure_renegotiation), diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index 1d9554ee8..b7249081b 100644 --- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp @@ -22,21 +22,23 @@ TLS_Client::TLS_Client(std::tr1::function<void (const byte[], size_t)> output_fn std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_fn, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, RandomNumberGenerator& rng, - const std::string& hostname, - const std::string& srp_identifier, - const std::string& srp_password) : + const std::string& hostname) : TLS_Channel(output_fn, proc_fn, handshake_fn), policy(policy), rng(rng), - session_manager(session_manager) + session_manager(session_manager), + creds(creds) { writer.set_version(SSL_V3); state = new Handshake_State; state->set_expected_next(SERVER_HELLO); + const std::string srp_identifier = creds.srp_identifier("tls-client", hostname); + if(hostname != "") { TLS_Session session_info; @@ -70,21 +72,6 @@ TLS_Client::TLS_Client(std::tr1::function<void (const byte[], size_t)> output_fn secure_renegotiation.update(state->client_hello); } -void TLS_Client::add_client_cert(const X509_Certificate& cert, - Private_Key* cert_key) - { - certs.push_back(std::make_pair(cert, cert_key)); - } - -/* -* TLS Client Destructor -*/ -TLS_Client::~TLS_Client() - { - for(size_t i = 0; i != certs.size(); i++) - delete certs[i].second; - } - /* * Send a new client hello to renegotiate */ @@ -308,17 +295,19 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, state->server_hello_done = new Server_Hello_Done(contents); - std::vector<X509_Certificate> send_certs; - if(state->received_handshake_msg(CERTIFICATE_REQUEST)) { std::vector<Certificate_Type> types = state->cert_req->acceptable_types(); - // FIXME: Fill in useful certs here, if any + std::vector<X509_Certificate> client_certs = + creds.cert_chain("", // use types here + "tls-client", + state->client_hello->sni_hostname()); + state->client_certs = new Certificate(writer, state->hash, - send_certs); + client_certs); } state->client_kex = @@ -327,11 +316,15 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, state->client_hello->version()); if(state->received_handshake_msg(CERTIFICATE_REQUEST) && - !send_certs.empty()) + !state->client_certs->empty()) { - Private_Key* key_matching_cert = 0; // FIXME + Private_Key* private_key = + creds.private_key_for(state->client_certs->cert_chain()[0], + "tls-client", + state->client_hello->sni_hostname()); + state->client_verify = new Certificate_Verify(writer, state->hash, - rng, key_matching_cert); + rng, private_key); } state->keys = SessionKeys(state->suite, state->version, diff --git a/src/tls/tls_client.h b/src/tls/tls_client.h index eccddef6f..543dda144 100644 --- a/src/tls/tls_client.h +++ b/src/tls/tls_client.h @@ -10,6 +10,7 @@ #include <botan/tls_channel.h> #include <botan/tls_session_manager.h> +#include <botan/credentials_manager.h> #include <vector> namespace Botan { @@ -26,28 +27,21 @@ class BOTAN_DLL TLS_Client : public TLS_Channel * @param proc_fn is called when new data (application or alerts) is received * @param handshake_complete is called when a handshake is completed * @param session_manager manages session state + * @param creds manages application/user credentials * @param policy specifies other connection policy information * @param rng a random number generator * @param servername the server's DNS name, if known - * @param srp_username a SRP identifier to use for SRP key exchange - * @param srp_password a SRP password to use for SRP key exchange */ TLS_Client(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_complete, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, RandomNumberGenerator& rng, - const std::string& servername = "", - const std::string& srp_username = "", - const std::string& srp_password = ""); - - void add_client_cert(const X509_Certificate& cert, - Private_Key* cert_key); + const std::string& servername = ""); void renegotiate(); - - ~TLS_Client(); private: void process_handshake_msg(Handshake_Type type, const MemoryRegion<byte>& contents); @@ -55,8 +49,7 @@ class BOTAN_DLL TLS_Client : public TLS_Channel const TLS_Policy& policy; RandomNumberGenerator& rng; TLS_Session_Manager& session_manager; - - std::vector<std::pair<X509_Certificate, Private_Key*> > certs; + Credentials_Manager& creds; }; } diff --git a/src/tls/tls_magic.h b/src/tls/tls_magic.h index 3629cd112..d49ec1e48 100644 --- a/src/tls/tls_magic.h +++ b/src/tls/tls_magic.h @@ -164,11 +164,12 @@ enum TLS_Ciphersuite_Algos { TLS_ALGO_SIGNER_ECDSA = 0x04000000, TLS_ALGO_KEYEXCH_MASK = 0x00FF0000, - TLS_ALGO_KEYEXCH_NOKEX = 0x00010000, + TLS_ALGO_KEYEXCH_NOKEX = 0x00010000, // exchange via key in server cert TLS_ALGO_KEYEXCH_RSA = 0x00020000, TLS_ALGO_KEYEXCH_DH = 0x00030000, TLS_ALGO_KEYEXCH_ECDH = 0x00040000, TLS_ALGO_KEYEXCH_SRP = 0x00050000, + TLS_ALGO_KEYEXCH_ANON = 0x00060000, TLS_ALGO_MAC_MASK = 0x0000FF00, TLS_ALGO_MAC_MD5 = 0x00000100, diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h index f0620003b..16069f048 100644 --- a/src/tls/tls_messages.h +++ b/src/tls/tls_messages.h @@ -150,7 +150,6 @@ class Server_Hello : public Handshake_Message const MemoryRegion<byte>& reneg_info, const std::vector<X509_Certificate>& certs, const Client_Hello& other, - const MemoryRegion<byte>& session_id, Version_Code version); Server_Hello(Record_Writer& writer, diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 0e2e173cf..b981bdc69 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -85,25 +85,15 @@ TLS_Server::TLS_Server(std::tr1::function<void (const byte[], size_t)> output_fn std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_fn, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, - RandomNumberGenerator& rng, - const X509_Certificate& cert, - const Private_Key& cert_key) : + RandomNumberGenerator& rng) : TLS_Channel(output_fn, proc_fn, handshake_fn), policy(policy), rng(rng), - session_manager(session_manager) + session_manager(session_manager), + creds(creds) { - cert_chain.push_back(cert); - private_key = PKCS8::copy_key(cert_key, rng); - } - -/* -* TLS Server Destructor -*/ -TLS_Server::~TLS_Server() - { - delete private_key; } /* @@ -183,7 +173,6 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, { // resume session - printf("Resuming a session\n"); state->server_hello = new Server_Hello( writer, state->hash, @@ -222,6 +211,17 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, } else // new session { + std::vector<X509_Certificate> server_certs = + creds.cert_chain("", + "tls-server", + client_requested_hostname); + + Private_Key* private_key = + server_certs.empty() ? 0 : + (creds.private_key_for(server_certs[0], + "tls-server", + client_requested_hostname)); + state->server_hello = new Server_Hello( writer, state->hash, @@ -229,9 +229,8 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, rng, secure_renegotiation.supported(), secure_renegotiation.for_server_hello(), - cert_chain, + server_certs, *(state->client_hello), - rng.random_vec(32), state->version); if(state->client_hello->fragment_size()) @@ -241,10 +240,9 @@ void TLS_Server::process_handshake_msg(Handshake_Type type, if(state->suite.sig_type() != TLS_ALGO_SIGNER_ANON) { - // FIXME: should choose certs based on sig type state->server_certs = new Certificate(writer, state->hash, - cert_chain); + server_certs); } if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_NOKEX) diff --git a/src/tls/tls_server.h b/src/tls/tls_server.h index d684a4a11..e07f89eba 100644 --- a/src/tls/tls_server.h +++ b/src/tls/tls_server.h @@ -10,6 +10,7 @@ #include <botan/tls_channel.h> #include <botan/tls_session_manager.h> +#include <botan/credentials_manager.h> #include <vector> namespace Botan { @@ -20,23 +21,16 @@ namespace Botan { class BOTAN_DLL TLS_Server : public TLS_Channel { public: - /** * TLS_Server initialization - * - * FIXME: support cert chains (!) - * FIXME: support anonymous servers */ TLS_Server(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, std::tr1::function<void (const TLS_Session&)> handshake_complete, TLS_Session_Manager& session_manager, + Credentials_Manager& creds, const TLS_Policy& policy, - RandomNumberGenerator& rng, - const X509_Certificate& cert, - const Private_Key& cert_key); - - ~TLS_Server(); + RandomNumberGenerator& rng); void renegotiate(); @@ -53,9 +47,7 @@ class BOTAN_DLL TLS_Server : public TLS_Channel const TLS_Policy& policy; RandomNumberGenerator& rng; TLS_Session_Manager& session_manager; - - std::vector<X509_Certificate> cert_chain; - Private_Key* private_key; + Credentials_Manager& creds; std::string client_requested_hostname; }; |