Rewrite StreamPeerSSL with SSLContext helper class
connect_to_stream now accepts optional parameter to specify which certificates to trust. Implement accept_stream (SSL server) with key/cert parameters to specify the RSA key and X509 certificate resources.
This commit is contained in:
parent
dd8107caa4
commit
ce5a3f56a6
9 changed files with 271 additions and 166 deletions
|
@ -30,10 +30,7 @@
|
|||
|
||||
#include "stream_peer_ssl.h"
|
||||
|
||||
#include "core/io/certs_compressed.gen.h"
|
||||
#include "core/io/compression.h"
|
||||
#include "core/os/file_access.h"
|
||||
#include "core/project_settings.h"
|
||||
#include "core/engine.h"
|
||||
|
||||
StreamPeerSSL *(*StreamPeerSSL::_create)() = NULL;
|
||||
|
||||
|
@ -44,22 +41,8 @@ StreamPeerSSL *StreamPeerSSL::create() {
|
|||
return NULL;
|
||||
}
|
||||
|
||||
StreamPeerSSL::LoadCertsFromMemory StreamPeerSSL::load_certs_func = NULL;
|
||||
bool StreamPeerSSL::available = false;
|
||||
|
||||
void StreamPeerSSL::load_certs_from_memory(const PoolByteArray &p_memory) {
|
||||
if (load_certs_func)
|
||||
load_certs_func(p_memory);
|
||||
}
|
||||
|
||||
void StreamPeerSSL::load_certs_from_file(String p_path) {
|
||||
if (p_path != "") {
|
||||
PoolByteArray certs = get_cert_file_as_array(p_path);
|
||||
if (certs.size() > 0)
|
||||
load_certs_func(certs);
|
||||
}
|
||||
}
|
||||
|
||||
bool StreamPeerSSL::is_available() {
|
||||
return available;
|
||||
}
|
||||
|
@ -72,56 +55,11 @@ bool StreamPeerSSL::is_blocking_handshake_enabled() const {
|
|||
return blocking_handshake;
|
||||
}
|
||||
|
||||
PoolByteArray StreamPeerSSL::get_cert_file_as_array(String p_path) {
|
||||
|
||||
PoolByteArray out;
|
||||
FileAccess *f = FileAccess::open(p_path, FileAccess::READ);
|
||||
if (f) {
|
||||
int flen = f->get_len();
|
||||
out.resize(flen + 1);
|
||||
PoolByteArray::Write w = out.write();
|
||||
f->get_buffer(w.ptr(), flen);
|
||||
w[flen] = 0; // Make sure it ends with string terminator
|
||||
memdelete(f);
|
||||
#ifdef DEBUG_ENABLED
|
||||
print_verbose(vformat("Loaded certs from '%s'.", p_path));
|
||||
#endif
|
||||
}
|
||||
|
||||
return out;
|
||||
}
|
||||
|
||||
PoolByteArray StreamPeerSSL::get_project_cert_array() {
|
||||
|
||||
PoolByteArray out;
|
||||
String certs_path = GLOBAL_DEF("network/ssl/certificates", "");
|
||||
ProjectSettings::get_singleton()->set_custom_property_info("network/ssl/certificates", PropertyInfo(Variant::STRING, "network/ssl/certificates", PROPERTY_HINT_FILE, "*.crt"));
|
||||
|
||||
if (certs_path != "") {
|
||||
// Use certs defined in project settings.
|
||||
return get_cert_file_as_array(certs_path);
|
||||
}
|
||||
#ifdef BUILTIN_CERTS_ENABLED
|
||||
else {
|
||||
// Use builtin certs only if user did not override it in project settings.
|
||||
out.resize(_certs_uncompressed_size + 1);
|
||||
PoolByteArray::Write w = out.write();
|
||||
Compression::decompress(w.ptr(), _certs_uncompressed_size, _certs_compressed, _certs_compressed_size, Compression::MODE_DEFLATE);
|
||||
w[_certs_uncompressed_size] = 0; // Make sure it ends with string terminator
|
||||
#ifdef DEBUG_ENABLED
|
||||
print_verbose("Loaded builtin certs");
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
return out;
|
||||
}
|
||||
|
||||
void StreamPeerSSL::_bind_methods() {
|
||||
|
||||
ClassDB::bind_method(D_METHOD("poll"), &StreamPeerSSL::poll);
|
||||
ClassDB::bind_method(D_METHOD("accept_stream", "base"), &StreamPeerSSL::accept_stream);
|
||||
ClassDB::bind_method(D_METHOD("connect_to_stream", "stream", "validate_certs", "for_hostname"), &StreamPeerSSL::connect_to_stream, DEFVAL(false), DEFVAL(String()));
|
||||
ClassDB::bind_method(D_METHOD("accept_stream", "stream", "private_key", "certificate", "chain"), &StreamPeerSSL::accept_stream, DEFVAL(Ref<X509Certificate>()));
|
||||
ClassDB::bind_method(D_METHOD("connect_to_stream", "stream", "validate_certs", "for_hostname", "valid_certificate"), &StreamPeerSSL::connect_to_stream, DEFVAL(false), DEFVAL(String()), DEFVAL(Ref<X509Certificate>()));
|
||||
ClassDB::bind_method(D_METHOD("get_status"), &StreamPeerSSL::get_status);
|
||||
ClassDB::bind_method(D_METHOD("disconnect_from_stream"), &StreamPeerSSL::disconnect_from_stream);
|
||||
ClassDB::bind_method(D_METHOD("set_blocking_handshake_enabled", "enabled"), &StreamPeerSSL::set_blocking_handshake_enabled);
|
||||
|
|
|
@ -31,19 +31,16 @@
|
|||
#ifndef STREAM_PEER_SSL_H
|
||||
#define STREAM_PEER_SSL_H
|
||||
|
||||
#include "core/crypto/crypto.h"
|
||||
#include "core/io/stream_peer.h"
|
||||
|
||||
class StreamPeerSSL : public StreamPeer {
|
||||
GDCLASS(StreamPeerSSL, StreamPeer);
|
||||
|
||||
public:
|
||||
typedef void (*LoadCertsFromMemory)(const PoolByteArray &p_certs);
|
||||
|
||||
protected:
|
||||
static StreamPeerSSL *(*_create)();
|
||||
static void _bind_methods();
|
||||
|
||||
static LoadCertsFromMemory load_certs_func;
|
||||
static bool available;
|
||||
|
||||
bool blocking_handshake;
|
||||
|
@ -61,18 +58,14 @@ public:
|
|||
bool is_blocking_handshake_enabled() const;
|
||||
|
||||
virtual void poll() = 0;
|
||||
virtual Error accept_stream(Ref<StreamPeer> p_base) = 0;
|
||||
virtual Error connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs = false, const String &p_for_hostname = String()) = 0;
|
||||
virtual Error accept_stream(Ref<StreamPeer> p_base, Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain = Ref<X509Certificate>()) = 0;
|
||||
virtual Error connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs = false, const String &p_for_hostname = String(), Ref<X509Certificate> p_valid_cert = Ref<X509Certificate>()) = 0;
|
||||
virtual Status get_status() const = 0;
|
||||
|
||||
virtual void disconnect_from_stream() = 0;
|
||||
|
||||
static StreamPeerSSL *create();
|
||||
|
||||
static PoolByteArray get_cert_file_as_array(String p_path);
|
||||
static PoolByteArray get_project_cert_array();
|
||||
static void load_certs_from_file(String p_path);
|
||||
static void load_certs_from_memory(const PoolByteArray &p_memory);
|
||||
static bool is_available();
|
||||
|
||||
StreamPeerSSL();
|
||||
|
|
|
@ -1022,7 +1022,8 @@ void EditorSettings::setup_network() {
|
|||
add_property_hint(PropertyInfo(Variant::INT, "network/debug/remote_port", PROPERTY_HINT_RANGE, "1,65535,1"));
|
||||
|
||||
// Editor SSL certificates override
|
||||
_initial_set("network/ssl/editor_ssl_certificates", _SYSTEM_CERTS_PATH);
|
||||
String certs = has_setting("network/ssl/editor_ssl_certificates") ? get("network/ssl/editor_ssl_certificates") : _SYSTEM_CERTS_PATH;
|
||||
_initial_set("network/ssl/editor_ssl_certificates", certs);
|
||||
add_property_hint(PropertyInfo(Variant::STRING, "network/ssl/editor_ssl_certificates", PROPERTY_HINT_GLOBAL_FILE, "*.crt,*.pem"));
|
||||
}
|
||||
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
|
||||
#include "main.h"
|
||||
|
||||
#include "core/crypto/crypto.h"
|
||||
#include "core/input_map.h"
|
||||
#include "core/io/file_access_network.h"
|
||||
#include "core/io/file_access_pack.h"
|
||||
|
@ -37,8 +38,6 @@
|
|||
#include "core/io/image_loader.h"
|
||||
#include "core/io/ip.h"
|
||||
#include "core/io/resource_loader.h"
|
||||
#include "core/io/stream_peer_ssl.h"
|
||||
#include "core/io/stream_peer_tcp.h"
|
||||
#include "core/message_queue.h"
|
||||
#include "core/os/dir_access.h"
|
||||
#include "core/os/os.h"
|
||||
|
@ -1741,7 +1740,7 @@ bool Main::start() {
|
|||
if (!project_manager && !editor) { // game
|
||||
|
||||
// Load SSL Certificates from Project Settings (or builtin).
|
||||
StreamPeerSSL::load_certs_from_memory(StreamPeerSSL::get_project_cert_array());
|
||||
Crypto::load_default_certificates(GLOBAL_DEF("network/ssl/certificates", ""));
|
||||
|
||||
if (game_path != "") {
|
||||
Node *scene = NULL;
|
||||
|
@ -1793,17 +1792,15 @@ bool Main::start() {
|
|||
}
|
||||
|
||||
if (project_manager || editor) {
|
||||
// Load SSL Certificates from Editor Settings (or builtin).
|
||||
String certs = EditorSettings::get_singleton()->get_setting("network/ssl/editor_ssl_certificates").operator String();
|
||||
if (certs != "")
|
||||
StreamPeerSSL::load_certs_from_file(certs);
|
||||
else
|
||||
StreamPeerSSL::load_certs_from_memory(StreamPeerSSL::get_project_cert_array());
|
||||
|
||||
// Hide console window if requested (Windows-only).
|
||||
bool hide_console = EditorSettings::get_singleton()->get_setting("interface/editor/hide_console_window");
|
||||
OS::get_singleton()->set_console_visible(!hide_console);
|
||||
}
|
||||
|
||||
if (project_manager || editor) {
|
||||
// Load SSL Certificates from Editor Settings (or builtin)
|
||||
Crypto::load_default_certificates(EditorSettings::get_singleton()->get_setting("network/ssl/editor_ssl_certificates").operator String());
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
|
@ -31,7 +31,7 @@
|
|||
#include "register_types.h"
|
||||
|
||||
#include "crypto_mbedtls.h"
|
||||
#include "stream_peer_mbed_tls.h"
|
||||
#include "stream_peer_mbedtls.h"
|
||||
|
||||
void register_mbedtls_types() {
|
||||
|
||||
|
|
148
modules/mbedtls/ssl_context_mbedtls.cpp
Normal file
148
modules/mbedtls/ssl_context_mbedtls.cpp
Normal file
|
@ -0,0 +1,148 @@
|
|||
/*************************************************************************/
|
||||
/* ssl_context_mbed_tls.cpp */
|
||||
/*************************************************************************/
|
||||
/* This file is part of: */
|
||||
/* GODOT ENGINE */
|
||||
/* https://godotengine.org */
|
||||
/*************************************************************************/
|
||||
/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur. */
|
||||
/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md) */
|
||||
/* */
|
||||
/* Permission is hereby granted, free of charge, to any person obtaining */
|
||||
/* a copy of this software and associated documentation files (the */
|
||||
/* "Software"), to deal in the Software without restriction, including */
|
||||
/* without limitation the rights to use, copy, modify, merge, publish, */
|
||||
/* distribute, sublicense, and/or sell copies of the Software, and to */
|
||||
/* permit persons to whom the Software is furnished to do so, subject to */
|
||||
/* the following conditions: */
|
||||
/* */
|
||||
/* The above copyright notice and this permission notice shall be */
|
||||
/* included in all copies or substantial portions of the Software. */
|
||||
/* */
|
||||
/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */
|
||||
/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */
|
||||
/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
|
||||
/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */
|
||||
/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */
|
||||
/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */
|
||||
/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
|
||||
/*************************************************************************/
|
||||
|
||||
#include "ssl_context_mbedtls.h"
|
||||
|
||||
static void my_debug(void *ctx, int level,
|
||||
const char *file, int line,
|
||||
const char *str) {
|
||||
|
||||
printf("%s:%04d: %s", file, line, str);
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
Error SSLContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode) {
|
||||
ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This SSL context is already active");
|
||||
|
||||
mbedtls_ssl_init(&ssl);
|
||||
mbedtls_ssl_config_init(&conf);
|
||||
mbedtls_ctr_drbg_init(&ctr_drbg);
|
||||
mbedtls_entropy_init(&entropy);
|
||||
inited = true;
|
||||
|
||||
int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
|
||||
if (ret != 0) {
|
||||
clear(); // Never leave unusable resources around.
|
||||
ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error" + itos(ret));
|
||||
}
|
||||
|
||||
ret = mbedtls_ssl_config_defaults(&conf, p_endpoint, p_transport, MBEDTLS_SSL_PRESET_DEFAULT);
|
||||
if (ret != 0) {
|
||||
clear();
|
||||
ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_config_defaults returned an error" + itos(ret));
|
||||
}
|
||||
mbedtls_ssl_conf_authmode(&conf, p_authmode);
|
||||
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
||||
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
|
||||
return OK;
|
||||
}
|
||||
|
||||
Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert) {
|
||||
ERR_FAIL_COND_V(!p_pkey.is_valid(), ERR_INVALID_PARAMETER);
|
||||
ERR_FAIL_COND_V(!p_cert.is_valid(), ERR_INVALID_PARAMETER);
|
||||
|
||||
Error err = _setup(MBEDTLS_SSL_IS_SERVER, p_transport, p_authmode);
|
||||
ERR_FAIL_COND_V(err != OK, err);
|
||||
|
||||
// Locking key and certificate(s)
|
||||
pkey = p_pkey;
|
||||
certs = p_cert;
|
||||
if (pkey.is_valid())
|
||||
pkey->lock();
|
||||
if (certs.is_valid())
|
||||
certs->lock();
|
||||
|
||||
// Adding key and certificate
|
||||
int ret = mbedtls_ssl_conf_own_cert(&conf, &(certs->cert), &(pkey->pkey));
|
||||
if (ret != 0) {
|
||||
clear();
|
||||
ERR_FAIL_V_MSG(ERR_INVALID_PARAMETER, "Invalid cert/key combination " + itos(ret));
|
||||
}
|
||||
// Adding CA chain if available.
|
||||
if (certs->cert.next) {
|
||||
mbedtls_ssl_conf_ca_chain(&conf, certs->cert.next, NULL);
|
||||
}
|
||||
mbedtls_ssl_setup(&ssl, &conf);
|
||||
return OK;
|
||||
}
|
||||
|
||||
Error SSLContextMbedTLS::init_client(int p_transport, int p_authmode, Ref<X509CertificateMbedTLS> p_valid_cas) {
|
||||
X509CertificateMbedTLS *cas = NULL;
|
||||
|
||||
if (certs.is_valid()) {
|
||||
// Locking CA certificates
|
||||
certs = p_valid_cas;
|
||||
certs->lock();
|
||||
cas = certs.ptr();
|
||||
} else {
|
||||
// Fall back to default certificates (no need to lock those).
|
||||
cas = CryptoMbedTLS::get_default_certificates();
|
||||
ERR_FAIL_COND_V(cas == NULL, ERR_UNCONFIGURED);
|
||||
}
|
||||
|
||||
Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, p_authmode);
|
||||
ERR_FAIL_COND_V(err != OK, err);
|
||||
|
||||
// Set valid CAs
|
||||
mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), NULL);
|
||||
mbedtls_ssl_setup(&ssl, &conf);
|
||||
return OK;
|
||||
}
|
||||
|
||||
void SSLContextMbedTLS::clear() {
|
||||
if (!inited)
|
||||
return;
|
||||
mbedtls_ssl_free(&ssl);
|
||||
mbedtls_ssl_config_free(&conf);
|
||||
mbedtls_ctr_drbg_free(&ctr_drbg);
|
||||
mbedtls_entropy_free(&entropy);
|
||||
|
||||
// Unlock and key and certificates
|
||||
if (certs.is_valid())
|
||||
certs->unlock();
|
||||
certs = Ref<X509Certificate>();
|
||||
if (pkey.is_valid())
|
||||
pkey->unlock();
|
||||
pkey = Ref<CryptoKeyMbedTLS>();
|
||||
inited = false;
|
||||
}
|
||||
|
||||
mbedtls_ssl_context *SSLContextMbedTLS::get_context() {
|
||||
ERR_FAIL_COND_V(!inited, NULL);
|
||||
return &ssl;
|
||||
}
|
||||
|
||||
SSLContextMbedTLS::SSLContextMbedTLS() {
|
||||
inited = false;
|
||||
}
|
||||
|
||||
SSLContextMbedTLS::~SSLContextMbedTLS() {
|
||||
clear();
|
||||
}
|
74
modules/mbedtls/ssl_context_mbedtls.h
Normal file
74
modules/mbedtls/ssl_context_mbedtls.h
Normal file
|
@ -0,0 +1,74 @@
|
|||
/*************************************************************************/
|
||||
/* ssl_context_mbed_tls.h */
|
||||
/*************************************************************************/
|
||||
/* This file is part of: */
|
||||
/* GODOT ENGINE */
|
||||
/* https://godotengine.org */
|
||||
/*************************************************************************/
|
||||
/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur. */
|
||||
/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md) */
|
||||
/* */
|
||||
/* Permission is hereby granted, free of charge, to any person obtaining */
|
||||
/* a copy of this software and associated documentation files (the */
|
||||
/* "Software"), to deal in the Software without restriction, including */
|
||||
/* without limitation the rights to use, copy, modify, merge, publish, */
|
||||
/* distribute, sublicense, and/or sell copies of the Software, and to */
|
||||
/* permit persons to whom the Software is furnished to do so, subject to */
|
||||
/* the following conditions: */
|
||||
/* */
|
||||
/* The above copyright notice and this permission notice shall be */
|
||||
/* included in all copies or substantial portions of the Software. */
|
||||
/* */
|
||||
/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */
|
||||
/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */
|
||||
/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
|
||||
/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */
|
||||
/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */
|
||||
/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */
|
||||
/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
|
||||
/*************************************************************************/
|
||||
|
||||
#ifndef SSL_CONTEXT_MBED_TLS_H
|
||||
#define SSL_CONTEXT_MBED_TLS_H
|
||||
|
||||
#include "crypto_mbedtls.h"
|
||||
|
||||
#include "core/os/file_access.h"
|
||||
#include "core/pool_vector.h"
|
||||
#include "core/reference.h"
|
||||
|
||||
#include <mbedtls/config.h>
|
||||
#include <mbedtls/ctr_drbg.h>
|
||||
#include <mbedtls/debug.h>
|
||||
#include <mbedtls/entropy.h>
|
||||
#include <mbedtls/net.h>
|
||||
#include <mbedtls/ssl.h>
|
||||
|
||||
class SSLContextMbedTLS : public Reference {
|
||||
|
||||
protected:
|
||||
bool inited;
|
||||
|
||||
static PoolByteArray _read_file(String p_path);
|
||||
|
||||
public:
|
||||
Ref<X509CertificateMbedTLS> certs;
|
||||
mbedtls_entropy_context entropy;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_ssl_config conf;
|
||||
|
||||
Ref<CryptoKeyMbedTLS> pkey;
|
||||
|
||||
Error _setup(int p_endpoint, int p_transport, int p_authmode);
|
||||
Error init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert);
|
||||
Error init_client(int p_transport, int p_authmode, Ref<X509CertificateMbedTLS> p_valid_cas);
|
||||
void clear();
|
||||
|
||||
mbedtls_ssl_context *get_context();
|
||||
|
||||
SSLContextMbedTLS();
|
||||
~SSLContextMbedTLS();
|
||||
};
|
||||
|
||||
#endif // SSL_CONTEXT_MBED_TLS_H
|
|
@ -28,19 +28,11 @@
|
|||
/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
|
||||
/*************************************************************************/
|
||||
|
||||
#include "stream_peer_mbed_tls.h"
|
||||
#include "stream_peer_mbedtls.h"
|
||||
|
||||
#include "core/io/stream_peer_tcp.h"
|
||||
#include "core/os/file_access.h"
|
||||
|
||||
static void my_debug(void *ctx, int level,
|
||||
const char *file, int line,
|
||||
const char *str) {
|
||||
|
||||
printf("%s:%04d: %s", file, line, str);
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
void _print_error(int ret) {
|
||||
printf("mbedtls error: returned -0x%x\n\n", -ret);
|
||||
fflush(stdout);
|
||||
|
@ -86,18 +78,14 @@ int StreamPeerMbedTLS::bio_recv(void *ctx, unsigned char *buf, size_t len) {
|
|||
|
||||
void StreamPeerMbedTLS::_cleanup() {
|
||||
|
||||
mbedtls_ssl_free(&ssl);
|
||||
mbedtls_ssl_config_free(&conf);
|
||||
mbedtls_ctr_drbg_free(&ctr_drbg);
|
||||
mbedtls_entropy_free(&entropy);
|
||||
|
||||
ssl_ctx->clear();
|
||||
base = Ref<StreamPeer>();
|
||||
status = STATUS_DISCONNECTED;
|
||||
}
|
||||
|
||||
Error StreamPeerMbedTLS::_do_handshake() {
|
||||
int ret = 0;
|
||||
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
|
||||
while ((ret = mbedtls_ssl_handshake(ssl_ctx->get_context())) != 0) {
|
||||
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
// An error occurred.
|
||||
ERR_PRINTS("TLS handshake error: " + itos(ret));
|
||||
|
@ -118,39 +106,17 @@ Error StreamPeerMbedTLS::_do_handshake() {
|
|||
return OK;
|
||||
}
|
||||
|
||||
Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs, const String &p_for_hostname) {
|
||||
|
||||
ERR_FAIL_COND_V(p_base.is_null(), ERR_INVALID_PARAMETER);
|
||||
Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs, const String &p_for_hostname, Ref<X509Certificate> p_ca_certs) {
|
||||
|
||||
base = p_base;
|
||||
int ret = 0;
|
||||
int authmode = p_validate_certs ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;
|
||||
|
||||
mbedtls_ssl_init(&ssl);
|
||||
mbedtls_ssl_config_init(&conf);
|
||||
mbedtls_ctr_drbg_init(&ctr_drbg);
|
||||
mbedtls_entropy_init(&entropy);
|
||||
Error err = ssl_ctx->init_client(MBEDTLS_SSL_TRANSPORT_STREAM, authmode, p_ca_certs);
|
||||
ERR_FAIL_COND_V(err != OK, err);
|
||||
|
||||
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
|
||||
if (ret != 0) {
|
||||
ERR_PRINTS(" failed\n ! mbedtls_ctr_drbg_seed returned an error" + itos(ret));
|
||||
_cleanup();
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
mbedtls_ssl_config_defaults(&conf,
|
||||
MBEDTLS_SSL_IS_CLIENT,
|
||||
MBEDTLS_SSL_TRANSPORT_STREAM,
|
||||
MBEDTLS_SSL_PRESET_DEFAULT);
|
||||
|
||||
mbedtls_ssl_conf_authmode(&conf, authmode);
|
||||
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
||||
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
||||
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
|
||||
mbedtls_ssl_setup(&ssl, &conf);
|
||||
mbedtls_ssl_set_hostname(&ssl, p_for_hostname.utf8().get_data());
|
||||
|
||||
mbedtls_ssl_set_bio(&ssl, this, bio_send, bio_recv, NULL);
|
||||
mbedtls_ssl_set_hostname(ssl_ctx->get_context(), p_for_hostname.utf8().get_data());
|
||||
mbedtls_ssl_set_bio(ssl_ctx->get_context(), this, bio_send, bio_recv, NULL);
|
||||
|
||||
status = STATUS_HANDSHAKING;
|
||||
|
||||
|
@ -162,11 +128,24 @@ Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_valida
|
|||
return OK;
|
||||
}
|
||||
|
||||
Error StreamPeerMbedTLS::accept_stream(Ref<StreamPeer> p_base) {
|
||||
Error StreamPeerMbedTLS::accept_stream(Ref<StreamPeer> p_base, Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain) {
|
||||
|
||||
Error err = ssl_ctx->init_server(MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_VERIFY_NONE, p_key, p_cert);
|
||||
ERR_FAIL_COND_V(err != OK, err);
|
||||
|
||||
base = p_base;
|
||||
|
||||
mbedtls_ssl_set_bio(ssl_ctx->get_context(), this, bio_send, bio_recv, NULL);
|
||||
|
||||
status = STATUS_HANDSHAKING;
|
||||
|
||||
if ((err = _do_handshake()) != OK) {
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
status = STATUS_CONNECTED;
|
||||
return OK;
|
||||
}
|
||||
|
||||
Error StreamPeerMbedTLS::put_data(const uint8_t *p_data, int p_bytes) {
|
||||
|
||||
ERR_FAIL_COND_V(status != STATUS_CONNECTED, ERR_UNCONFIGURED);
|
||||
|
@ -197,7 +176,7 @@ Error StreamPeerMbedTLS::put_partial_data(const uint8_t *p_data, int p_bytes, in
|
|||
if (p_bytes == 0)
|
||||
return OK;
|
||||
|
||||
int ret = mbedtls_ssl_write(&ssl, p_data, p_bytes);
|
||||
int ret = mbedtls_ssl_write(ssl_ctx->get_context(), p_data, p_bytes);
|
||||
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
// Non blocking IO
|
||||
ret = 0;
|
||||
|
@ -243,7 +222,7 @@ Error StreamPeerMbedTLS::get_partial_data(uint8_t *p_buffer, int p_bytes, int &r
|
|||
|
||||
r_received = 0;
|
||||
|
||||
int ret = mbedtls_ssl_read(&ssl, p_buffer, p_bytes);
|
||||
int ret = mbedtls_ssl_read(ssl_ctx->get_context(), p_buffer, p_bytes);
|
||||
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
ret = 0; // non blocking io
|
||||
} else if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
|
@ -273,7 +252,7 @@ void StreamPeerMbedTLS::poll() {
|
|||
// We could pass NULL as second parameter, but some behaviour sanitizers doesn't seem to like that.
|
||||
// Passing a 1 byte buffer to workaround it.
|
||||
uint8_t byte;
|
||||
int ret = mbedtls_ssl_read(&ssl, &byte, 0);
|
||||
int ret = mbedtls_ssl_read(ssl_ctx->get_context(), &byte, 0);
|
||||
|
||||
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
// Nothing to read/write (non blocking IO)
|
||||
|
@ -298,10 +277,11 @@ int StreamPeerMbedTLS::get_available_bytes() const {
|
|||
|
||||
ERR_FAIL_COND_V(status != STATUS_CONNECTED, 0);
|
||||
|
||||
return mbedtls_ssl_get_bytes_avail(&ssl);
|
||||
return mbedtls_ssl_get_bytes_avail(&(ssl_ctx->ssl));
|
||||
}
|
||||
StreamPeerMbedTLS::StreamPeerMbedTLS() {
|
||||
|
||||
ssl_ctx.instance();
|
||||
status = STATUS_DISCONNECTED;
|
||||
}
|
||||
|
||||
|
@ -317,7 +297,7 @@ void StreamPeerMbedTLS::disconnect_from_stream() {
|
|||
Ref<StreamPeerTCP> tcp = base;
|
||||
if (tcp.is_valid() && tcp->get_status() == StreamPeerTCP::STATUS_CONNECTED) {
|
||||
// We are still connected on the socket, try to send close notify.
|
||||
mbedtls_ssl_close_notify(&ssl);
|
||||
mbedtls_ssl_close_notify(ssl_ctx->get_context());
|
||||
}
|
||||
|
||||
_cleanup();
|
||||
|
@ -333,28 +313,9 @@ StreamPeerSSL *StreamPeerMbedTLS::_create_func() {
|
|||
return memnew(StreamPeerMbedTLS);
|
||||
}
|
||||
|
||||
mbedtls_x509_crt StreamPeerMbedTLS::cacert;
|
||||
|
||||
void StreamPeerMbedTLS::_load_certs(const PoolByteArray &p_array) {
|
||||
int arr_len = p_array.size();
|
||||
PoolByteArray::Read r = p_array.read();
|
||||
int err = mbedtls_x509_crt_parse(&cacert, &r[0], arr_len);
|
||||
if (err != 0) {
|
||||
WARN_PRINTS("Error parsing some certificates: " + itos(err));
|
||||
}
|
||||
}
|
||||
|
||||
void StreamPeerMbedTLS::initialize_ssl() {
|
||||
|
||||
_create = _create_func;
|
||||
load_certs_func = _load_certs;
|
||||
|
||||
mbedtls_x509_crt_init(&cacert);
|
||||
|
||||
#ifdef DEBUG_ENABLED
|
||||
mbedtls_debug_set_threshold(1);
|
||||
#endif
|
||||
|
||||
available = true;
|
||||
}
|
||||
|
||||
|
@ -362,6 +323,4 @@ void StreamPeerMbedTLS::finalize_ssl() {
|
|||
|
||||
available = false;
|
||||
_create = NULL;
|
||||
load_certs_func = NULL;
|
||||
mbedtls_x509_crt_free(&cacert);
|
||||
}
|
|
@ -32,6 +32,7 @@
|
|||
#define STREAM_PEER_OPEN_SSL_H
|
||||
|
||||
#include "core/io/stream_peer_ssl.h"
|
||||
#include "ssl_context_mbedtls.h"
|
||||
|
||||
#include <mbedtls/config.h>
|
||||
#include <mbedtls/ctr_drbg.h>
|
||||
|
@ -50,19 +51,13 @@ private:
|
|||
Ref<StreamPeer> base;
|
||||
|
||||
static StreamPeerSSL *_create_func();
|
||||
static void _load_certs(const PoolByteArray &p_array);
|
||||
|
||||
static int bio_recv(void *ctx, unsigned char *buf, size_t len);
|
||||
static int bio_send(void *ctx, const unsigned char *buf, size_t len);
|
||||
void _cleanup();
|
||||
|
||||
protected:
|
||||
static mbedtls_x509_crt cacert;
|
||||
|
||||
mbedtls_entropy_context entropy;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_ssl_config conf;
|
||||
Ref<SSLContextMbedTLS> ssl_ctx;
|
||||
|
||||
static void _bind_methods();
|
||||
|
||||
|
@ -70,8 +65,8 @@ protected:
|
|||
|
||||
public:
|
||||
virtual void poll();
|
||||
virtual Error accept_stream(Ref<StreamPeer> p_base);
|
||||
virtual Error connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs = false, const String &p_for_hostname = String());
|
||||
virtual Error accept_stream(Ref<StreamPeer> p_base, Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain = Ref<X509Certificate>());
|
||||
virtual Error connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs = false, const String &p_for_hostname = String(), Ref<X509Certificate> p_valid_cert = Ref<X509Certificate>());
|
||||
virtual Status get_status() const;
|
||||
|
||||
virtual void disconnect_from_stream();
|
Loading…
Reference in a new issue