Helper class that implements Botan::TLS::Callbacks. More...
#include <asio_stream.h>
Public Member Functions | |
| StreamCore (Stream &stream) | |
| void | tls_alert (Botan::TLS::Alert alert) override |
| virtual std::string | tls_decode_group_param (Group_Params group_param) |
| virtual std::pair< secure_vector< uint8_t >, std::vector< uint8_t > > | tls_dh_agree (const std::vector< uint8_t > &modulus, const std::vector< uint8_t > &generator, const std::vector< uint8_t > &peer_public_value, const Policy &policy, RandomNumberGenerator &rng) |
| virtual std::pair< secure_vector< uint8_t >, std::vector< uint8_t > > | tls_ecdh_agree (const std::string &curve_name, const std::vector< uint8_t > &peer_public_value, const Policy &policy, RandomNumberGenerator &rng, bool compressed) |
| virtual void | tls_emit_data (const uint8_t data[], size_t size)=0 |
| void | tls_emit_data (const uint8_t data[], std::size_t size) override |
| virtual void | tls_examine_extensions (const Extensions &extn, Connection_Side which_side) |
| virtual void | tls_inspect_handshake_msg (const Handshake_Message &message) |
| virtual void | tls_log_debug (const char *what) |
| virtual void | tls_log_debug_bin (const char *descr, const uint8_t val[], size_t val_len) |
| virtual void | tls_log_error (const char *err) |
| virtual void | tls_modify_extensions (Extensions &extn, Connection_Side which_side) |
| virtual std::string | tls_peer_network_identity () |
| virtual std::vector< uint8_t > | tls_provide_cert_status (const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr) |
| virtual void | tls_record_received (uint64_t seq_no, const uint8_t data[], size_t size)=0 |
| void | tls_record_received (uint64_t, const uint8_t data[], std::size_t size) override |
| virtual std::string | tls_server_choose_app_protocol (const std::vector< std::string > &client_protos) |
| virtual void | tls_session_activated () |
| bool | tls_session_established (const Botan::TLS::Session &) override |
| virtual std::vector< uint8_t > | tls_sign_message (const Private_Key &key, RandomNumberGenerator &rng, const std::string &emsa, Signature_Format format, const std::vector< uint8_t > &msg) |
| void | tls_verify_cert_chain (const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store *> &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy) override |
| std::chrono::milliseconds | tls_verify_cert_chain_ocsp_timeout () const override |
| virtual bool | tls_verify_message (const Public_Key &key, const std::string &emsa, Signature_Format format, const std::vector< uint8_t > &msg, const std::vector< uint8_t > &sig) |
| virtual | ~StreamCore ()=default |
Detailed Description
template<class StreamLayer, class ChannelT = Channel>
class Botan::TLS::Stream< StreamLayer, ChannelT >::StreamCore
Helper class that implements Botan::TLS::Callbacks.
This class is provided to the stream's native_handle (Botan::TLS::Channel) and implements the callback functions triggered by the native_handle.
- Parameters
-
receive_buffer reference to the buffer where decrypted data should be placed send_buffer reference to the buffer where encrypted data should be placed
Definition at line 580 of file asio_stream.h.
Constructor & Destructor Documentation
◆ StreamCore()
|
inline |
Definition at line 583 of file asio_stream.h.
◆ ~StreamCore()
|
virtualdefault |
Member Function Documentation
◆ tls_alert()
|
inlineoverridevirtual |
Mandatory callback: alert received Called when an alert is received from the peer If fatal, the connection is closing. If not fatal, the connection may still be closing (depending on the error and the peer).
- Parameters
-
alert the source of the alert
Implements Botan::TLS::Callbacks.
Definition at line 601 of file asio_stream.h.
References Botan::TLS::Alert::CLOSE_NOTIFY, Botan::TLS::Stream< StreamLayer, ChannelT >::set_shutdown_received(), and Botan::TLS::Alert::type().
◆ tls_decode_group_param()
|
virtualinherited |
Optional callback: decode TLS group ID
TLS uses a 16-bit field to identify ECC and DH groups. This callback handles the decoding. You only need to implement this if you are using a custom ECC or DH group (this is extremely uncommon).
Default implementation uses the standard (IETF-defined) mappings.
Definition at line 48 of file tls_callbacks.cpp.
References Botan::TLS::group_param_to_string().
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().
◆ tls_dh_agree()
|
virtualinherited |
Optional callback with default impl: client side DH agreement
Default implementation uses PK_Key_Agreement::derive_key(). Override to provide a different approach, e.g. using an external device.
- Parameters
-
modulus the modulus p of the discrete logarithm group generator the generator of the DH subgroup peer_public_value the public value of the peer policy the TLS policy associated with the session being established rng a random number generator
- Returns
- a pair consisting of the agreed raw secret and our public value
Definition at line 108 of file tls_callbacks.cpp.
References Botan::TLS::Policy::check_peer_key_acceptable(), Botan::BigInt::decode(), Botan::PK_Key_Agreement::derive_key(), Botan::TLS::Alert::ILLEGAL_PARAMETER, Botan::TLS::Alert::INSUFFICIENT_SECURITY, Botan::modulus, Botan::DH_PublicKey::public_value(), Botan::DH_PrivateKey::public_value(), Botan::CT::strip_leading_zeros(), Botan::DL_Group::verify_group(), and Y.
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().
◆ tls_ecdh_agree()
|
virtualinherited |
Optional callback with default impl: client side ECDH agreement
Default implementation uses PK_Key_Agreement::derive_key(). Override to provide a different approach, e.g. using an external device.
- Parameters
-
curve_name the name of the elliptic curve peer_public_value the public value of the peer policy the TLS policy associated with the session being established rng a random number generator compressed the compression preference for our public value
- Returns
- a pair consisting of the agreed raw secret and our public value
Definition at line 147 of file tls_callbacks.cpp.
References Botan::TLS::Policy::check_peer_key_acceptable(), Botan::PointGFp::COMPRESSED, Botan::PK_Key_Agreement::derive_key(), Botan::OID::from_string(), Botan::TLS::Alert::HANDSHAKE_FAILURE, Botan::EC_Group::OS2ECP(), Botan::Curve25519_PublicKey::public_value(), Botan::Curve25519_PrivateKey::public_value(), Botan::ECDH_PrivateKey::public_value(), and Botan::PointGFp::UNCOMPRESSED.
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().
◆ tls_emit_data() [1/2]
|
pure virtualinherited |
Mandatory callback: output function The channel will call this with data which needs to be sent to the peer (eg, over a socket or some other form of IPC). The array will be overwritten when the function returns so a copy must be made if the data cannot be sent immediately.
- Parameters
-
data the vector of data to send size the number of bytes to send
Implemented in Botan::TLS::Compat_Callbacks.
◆ tls_emit_data() [2/2]
|
inlineoverride |
Definition at line 587 of file asio_stream.h.
References Botan::TLS::Stream< StreamLayer, ChannelT >::m_send_buffer.
◆ tls_examine_extensions()
|
virtualinherited |
Optional callback: examine peer extensions.
Both client and server will call this callback with the Extensions object after receiving it from the peer. This allows examining the Extensions, for example to implement a custom extension. It also allows an application to require that a particular extension be implemented; throw an exception from this function to abort the handshake.
Default implementation does nothing.
- Parameters
-
extn the extensions which_side will be CLIENT if these are are the clients extensions (ie we are the server) or SERVER if these are the server extensions (we are the client).
Definition at line 44 of file tls_callbacks.cpp.
◆ tls_inspect_handshake_msg()
|
virtualinherited |
Optional callback: inspect handshake message Throw an exception to abort the handshake. Default simply ignores the message.
- Parameters
-
message the handshake message
Reimplemented in Botan::TLS::Compat_Callbacks.
Definition at line 25 of file tls_callbacks.cpp.
Referenced by Botan::TLS::Handshake_State::note_message().
◆ tls_log_debug()
|
inlinevirtualinherited |
Optional callback: debug logging. (not currently called)
- Parameters
-
what Some hopefully informative string
Definition at line 344 of file tls_callbacks.h.
References BOTAN_UNUSED.
◆ tls_log_debug_bin()
|
inlinevirtualinherited |
Optional callback: debug logging taking a buffer. (not currently called)
- Parameters
-
descr What this buffer is val the bytes val_len length of val
Definition at line 355 of file tls_callbacks.h.
References BOTAN_UNUSED.
◆ tls_log_error()
|
inlinevirtualinherited |
Optional callback: error logging. (not currently called)
- Parameters
-
err An error message related to this connection.
Definition at line 335 of file tls_callbacks.h.
References BOTAN_UNUSED.
◆ tls_modify_extensions()
|
virtualinherited |
Optional callback: examine/modify Extensions before sending.
Both client and server will call this callback on the Extensions object before serializing it in the client/server hellos. This allows an application to modify which extensions are sent during the handshake.
Default implementation does nothing.
- Parameters
-
extn the extensions which_side will be CLIENT or SERVER which is the current applications role in the exchange.
Definition at line 40 of file tls_callbacks.cpp.
Referenced by Botan::TLS::Client_Hello::Client_Hello(), and Botan::TLS::Server_Hello::Server_Hello().
◆ tls_peer_network_identity()
|
virtualinherited |
Optional callback: return peer network identity
There is no expected or specified format. The only expectation is this function will return a unique value. For example returning the peer host IP and port.
This is used to bind the DTLS cookie to a particular network identity. It is only called if the dtls-cookie-secret PSK is also defined.
Definition at line 35 of file tls_callbacks.cpp.
◆ tls_provide_cert_status()
|
inlinevirtualinherited |
Called by the TLS server whenever the client included the status_request extension (see RFC 6066, a.k.a OCSP stapling) in the ClientHello.
- Returns
- the encoded OCSP response to be sent to the client which indicates the revocation status of the server certificate. Return an empty vector to indicate that no response is available, and thus suppress the Certificate_Status message.
Definition at line 159 of file tls_callbacks.h.
References BOTAN_UNUSED.
◆ tls_record_received() [1/2]
|
pure virtualinherited |
Mandatory callback: process application data Called when application data record is received from the peer. Again the array is overwritten immediately after the function returns.
- Parameters
-
seq_no the underlying TLS/DTLS record sequence number data the vector containing the received record size the length of the received record, in bytes
Implemented in Botan::TLS::Compat_Callbacks.
◆ tls_record_received() [2/2]
|
inlineoverride |
Definition at line 594 of file asio_stream.h.
References Botan::TLS::Stream< StreamLayer, ChannelT >::m_receive_buffer.
◆ tls_server_choose_app_protocol()
|
virtualinherited |
Optional callback for server: choose ALPN protocol ALPN (RFC 7301) works by the client sending a list of application protocols it is willing to negotiate. The server then selects which protocol to use, which is not necessarily even on the list that the client sent.
- Parameters
-
client_protos the vector of protocols the client is willing to negotiate
- Returns
- the protocol selected by the server, which need not be on the list that the client sent; if this is the empty string, the server ignores the client ALPN extension. Default return value is empty string.
Reimplemented in Botan::TLS::Compat_Callbacks.
Definition at line 30 of file tls_callbacks.cpp.
◆ tls_session_activated()
|
inlinevirtualinherited |
Optional callback: session activated Called when a session is active and can be written to
Definition at line 97 of file tls_callbacks.h.
Referenced by Botan::TLS::Channel::activate_session().
◆ tls_session_established()
|
inlineoverridevirtual |
Mandatory callback: session established Called when a session is established. Throw an exception to abort the connection.
- Parameters
-
session the session descriptor
- Returns
- return false to prevent the session from being cached, return true to cache the session in the configured session manager
Implements Botan::TLS::Callbacks.
Definition at line 616 of file asio_stream.h.
◆ tls_sign_message()
|
virtualinherited |
Optional callback with default impl: sign a message
Default implementation uses PK_Signer::sign_message(). Override to provide a different approach, e.g. using an external device.
- Parameters
-
key the private key of the signer rng a random number generator emsa the encoding method to be applied to the message format the signature format msg the input data for the signature
- Returns
- the signature
Definition at line 84 of file tls_callbacks.cpp.
References Botan::PK_Signer::sign_message().
Referenced by Botan::TLS::Certificate_Verify::Certificate_Verify(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().
◆ tls_verify_cert_chain()
|
inlineoverridevirtual |
Optional callback with default impl: verify cert chain
Default implementation performs a standard PKIX validation and initiates network OCSP request for end-entity cert. Override to provide different behavior.
Check the certificate chain is valid up to a trusted root, and optionally (if hostname != "") that the hostname given is consistent with the leaf certificate.
This function should throw an exception derived from std::exception with an informative what() result if the certificate chain cannot be verified.
- Parameters
-
cert_chain specifies a certificate chain leading to a trusted root CA certificate. ocsp_responses the server may have provided some trusted_roots the list of trusted certificates usage what this cert chain is being used for Usage_Type::TLS_SERVER_AUTH for server chains, Usage_Type::TLS_CLIENT_AUTH for client chains, Usage_Type::UNSPECIFIED for other uses hostname when authenticating a server, this is the hostname the client requested (eg via SNI). When authenticating a client, this is the server name the client is authenticating to. Empty in other cases or if no hostname was used. policy the TLS policy associated with the session being authenticated using the certificate chain
Reimplemented from Botan::TLS::Callbacks.
Definition at line 622 of file asio_stream.h.
References Botan::TLS::Context::get_verify_callback(), Botan::TLS::Context::has_verify_callback(), Botan::TLS::Stream< StreamLayer, ChannelT >::m_context, and Botan::TLS::Callbacks::tls_verify_cert_chain().
◆ tls_verify_cert_chain_ocsp_timeout()
|
inlineoverridevirtual |
Called by default tls_verify_cert_chain to get the timeout to use for OCSP requests. Return 0 to disable online OCSP checks.
This function should not be "const" since the implementation might need to perform some side effecting operation to compute the result.
Reimplemented from Botan::TLS::Callbacks.
Definition at line 611 of file asio_stream.h.
◆ tls_verify_message()
|
virtualinherited |
Optional callback with default impl: verify a message signature
Default implementation uses PK_Verifier::verify_message(). Override to provide a different approach, e.g. using an external device.
- Parameters
-
key the public key of the signer emsa the encoding method to be applied to the message format the signature format msg the input data for the signature sig the signature to be checked
- Returns
- true if the signature is valid, false otherwise
Definition at line 96 of file tls_callbacks.cpp.
References Botan::PK_Verifier::verify_message().
Referenced by Botan::TLS::Certificate_Verify::verify(), and Botan::TLS::Server_Key_Exchange::verify().
The documentation for this class was generated from the following file:
- src/lib/tls/asio/asio_stream.h
