authorYonit Halperin <yhalperi@redhat.com>2010-01-10 09:48:38 +0200
committerYaniv Kamay <ykamay@redhat.com>2010-01-11 19:10:54 +0200
commit3eae1c80d97ce6d1e0eee69f7454973abdb94ef6 (patch)
treef8e88491e6ea9d4be7feb7e03ed1349325d7983a /client/red_peer.h
parentdcf326cfd523c135bd0be8f9a4bc2da6c78b2d23 (diff)
server,client: server authentication for secured channels.
3 available mechanisms: by public key, by host name, and by certificate subject name. In the first method (public key), chain-of-trust verification is not performed. The CA certificate files are looked for under <spice-config-dir>/spice_truststore.pem (Windows: <spice-config-dir>=%APPDATA%\spicec\ ; Linux: <spice-config-dir>=$HOME/.spicec/).
Diffstat (limited to 'client/red_peer.h')
-rw-r--r--client/red_peer.h41
1 files changed, 37 insertions, 4 deletions
diff --git a/client/red_peer.h b/client/red_peer.h
index 2a53eae8..8a4060df 100644
--- a/client/red_peer.h
+++ b/client/red_peer.h
@@ -37,6 +37,30 @@ public:
class OutMessage;
class DisconnectedException {};
+ class HostAuthOptions {
+ public:
+
+ enum Type {
+ HOST_AUTH_OP_PUBKEY = 1,
+ HOST_AUTH_OP_NAME = (1 << 1),
+ HOST_AUTH_OP_SUBJECT = (1 << 2),
+ };
+
+ typedef std::vector<uint8_t> PublicKey;
+ typedef std::pair<std::string, std::string> CertFieldValuePair;
+ typedef std::list<CertFieldValuePair> CertFieldValueList;
+
+ HostAuthOptions() : type_flags(0) {}
+
+ public:
+
+ int type_flags;
+
+ PublicKey host_pubkey;
+ CertFieldValueList host_subject;
+ std::string CA_file;
+ };
+
class ConnectionOptions {
public:
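Review bot: HostAuthOptions::type_flags is an OR of the Type bits, but nothing in the class says whether a server must pass every enabled check or only one of them, and that is the decision a caller has to get right; a comment on the member should state it, e.g. `int type_flags; // bitwise OR of Type values; NOTE(review): document whether all enabled checks must succeed or any one suffices`. The commit message says the public-key method skips chain-of-trust verification, which belongs next to the enumerator: `HOST_AUTH_OP_PUBKEY = 1, // compare the server's public key with host_pubkey; no chain-of-trust check`. The second `public:` label before `type_flags` repeats the first and can be dropped. The typedefs rely on <vector>, <list>, <utility> and <string>; whether the header already includes them is outside this hunk.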
@@ -47,10 +71,12 @@ public:
CON_OP_BOTH,
};
- ConnectionOptions(Type in_type, int in_port, int in_sport)
+ ConnectionOptions(Type in_type, int in_port, int in_sport,
+ const HostAuthOptions& in_host_auth)
: type (in_type)
, unsecure_port (in_port)
, secure_port (in_sport)
+ , host_auth (in_host_auth)
{
}
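Review bot: The new constructor stores `in_host_auth` without looking at it, so a ConnectionOptions built with a secure port and a default HostAuthOptions (type_flags == 0) is accepted; if connect_secure treats zero flags as "no server check" (not visible here), that combination silently yields a TLS peer that was never authenticated. Consider rejecting that case at construction, or at least documenting it on the constructor: `// in_host_auth.type_flags must enable at least one check when the secure port can be used`. The ConnectionOptions class starts and ends outside this hunk.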
@@ -70,12 +96,10 @@ public:
Type type;
int unsecure_port;
int secure_port;
+ HostAuthOptions host_auth; // for secure connection
};
- void connect_unsecure(uint32_t ip, int port);
void connect_unsecure(const char* host, int port);
-
- void connect_secure(const ConnectionOptions& options, uint32_t ip);
void connect_secure(const ConnectionOptions& options, const char* host);
void disconnect();
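Review bot: The comment `// for secure connection` on the new `host_auth` member says where it is used but not what it decides; since it is the server-authentication policy, say so: `HostAuthOptions host_auth; // how the server certificate is checked on the secure port; see HostAuthOptions::type_flags`. With the `uint32_t ip` overloads gone, every secure connect now has a host name string available, which the HOST_AUTH_OP_NAME check presumably relies on; that dependency is worth a sentence in the header. ConnectionOptions begins in an earlier hunk.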
@@ -95,6 +119,15 @@ protected:
virtual void on_event() {}
virtual int get_socket() { return _peer;}
+ static bool x509_cert_host_name_compare(const char *cert_name, int cert_name_size,
+ const char *host_name);
+
+ static bool verify_pubkey(X509* cert, const HostAuthOptions::PublicKey& key);
+ static bool verify_host_name(X509* cert, const char* host_name);
+ static bool verify_subject(X509* cert, const HostAuthOptions::CertFieldValueList& subject);
+
+ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
+
private:
void shutdown();
void cleanup();
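Review bot: `x509_cert_host_name_compare` takes `cert_name_size` separately from `cert_name`, which is the right shape because a name extracted from a certificate may contain embedded NUL bytes, but none of the new declarations state that contract; add `// cert_name is not NUL-terminated: compare exactly cert_name_size bytes against host_name` on it, and give verify_pubkey/verify_host_name/verify_subject a line each naming which HostAuthOptions field (or host name) the certificate is checked against. `ssl_verify_callback` has the OpenSSL verify-callback signature and is static, so it cannot reach the enclosing object's HostAuthOptions directly; how it gets the per-connection options (presumably via ex_data) is not visible here and should be documented at the declaration, since a verify callback that cannot find its options must fail closed. The declarations use X509 and X509_STORE_CTX, whose OpenSSL headers or forward declarations must be present above this hunk. The enclosing class continues past the end of this hunk.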