authorYonit Halperin <yhalperi@redhat.com>2009-12-30 16:07:14 +0200
committerYaniv Kamay <ykamay@redhat.com>2010-01-06 16:06:46 +0200
commite38a61900711169d66b1fa7e117b04d49106a1da (patch)
tree15765c0bb0bcf7b8133203340350c09902cec541 /client/red_peer.h
parent54a8e5027093baa1c847b43f2fb08bea93e0ed67 (diff)
server,client: server authentication for secured channels. #527411 #549673.
Three mechanisms are available: by public key, by host name, and by certificate subject name. In the first method (public key), chain-of-trust verification is not performed. The CA certificate files are looked for under <spice-config-dir>/spice_truststore.pem, where on Windows <spice-config-dir>=%APPDATA%\spicec\ and on Linux <spice-config-dir>=$HOME/.spicec
Diffstat (limited to 'client/red_peer.h')
-rw-r--r--client/red_peer.h41
1 files changed, 37 insertions, 4 deletions
diff --git a/client/red_peer.h b/client/red_peer.h
index f78405b5..761aed1d 100644
--- a/client/red_peer.h
+++ b/client/red_peer.h
@@ -42,6 +42,30 @@ public:
class OutMessage;
class DisconnectedException {};
+ class HostAuthOptions {
+ public:
+
+ enum Type {
+ HOST_AUTH_OP_PUBKEY = 1,
+ HOST_AUTH_OP_NAME = (1 << 1),
+ HOST_AUTH_OP_SUBJECT = (1 << 2),
+ };
+
+ typedef std::vector<uint8_t> PublicKey;
+ typedef std::pair<std::string, std::string> CertFieldValuePair;
+ typedef std::list<CertFieldValuePair> CertFieldValueList;
+
+ HostAuthOptions() : type_flags(0) {}
+
+ public:
+
+ int type_flags;
+
+ PublicKey host_pubkey;
+ CertFieldValueList host_subject;
+ std::string CA_file;
+ };
+
class ConnectionOptions {
public:
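Review bot: `type_flags` is initialised to 0 by `HostAuthOptions()`, and nothing in the class says what a secure connection does when no mechanism is selected or how several `HOST_AUTH_OP_*` bits combine. Both decide the security property: if 0 is read as "nothing to check", a default-constructed object silently disables server authentication. If the bits are any-of, adding `HOST_AUTH_OP_PUBKEY` lets the one mechanism that, as I read the commit message, skips chain-of-trust verification satisfy the whole policy. I would state the rule on the member, e.g. `int type_flags; // bitmask of Type; 0 = no mechanism selected, secure connect must fail; several bits = <all-of | any-of>`, and make the .cpp match it. The implementation is outside this hunk, so the current behaviour cannot be confirmed from here.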
@@ -52,10 +76,12 @@ public:
CON_OP_BOTH,
};
- ConnectionOptions(Type in_type, int in_port, int in_sport)
+ ConnectionOptions(Type in_type, int in_port, int in_sport,
+ const HostAuthOptions& in_host_auth)
: type (in_type)
, unsecure_port (in_port)
, secure_port (in_sport)
+ , host_auth (in_host_auth)
{
}
@@ -75,12 +101,10 @@ public:
Type type;
int unsecure_port;
int secure_port;
+ HostAuthOptions host_auth; // for secure connection
};
- void connect_unsecure(uint32_t ip, int port);
void connect_unsecure(const char* host, int port);
-
- void connect_secure(const ConnectionOptions& options, uint32_t ip);
void connect_secure(const ConnectionOptions& options, const char* host);
void disconnect();
@@ -100,6 +124,15 @@ protected:
virtual void on_event() {}
virtual int get_socket() { return _peer;}
+ static bool x509_cert_host_name_compare(const char *cert_name, int cert_name_size,
+ const char *host_name);
+
+ static bool verify_pubkey(X509* cert, const HostAuthOptions::PublicKey& key);
+ static bool verify_host_name(X509* cert, const char* host_name);
+ static bool verify_subject(X509* cert, const HostAuthOptions::CertFieldValueList& subject);
+
+ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
+
private:
void shutdown();
void cleanup();
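Review bot: The `verify_*` helpers, `x509_cert_host_name_compare` and `ssl_verify_callback` are declared with no comment on their contract, and for these functions the contract is the security property. `x509_cert_host_name_compare` takes `cert_name` with an explicit `cert_name_size`, which suggests the name is not assumed to be NUL-terminated. The declaration should say that a name with an embedded NUL byte is rejected and which wildcard forms, if any, are accepted, e.g. `// cert_name is cert_name_size bytes, not NUL-terminated; returns false if it contains '\0'`. For `ssl_verify_callback`, document when `preverify_ok == 0` may be overridden (as I read the commit message, only in public-key mode) and that the name and subject checks apply to the peer certificate, not to every certificate in the chain. The implementations are outside this hunk, so whether they already behave this way cannot be confirmed from the header.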