tls_context_mbedtls.cpp 7.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229
  1. /**************************************************************************/
  2. /* tls_context_mbedtls.cpp */
  3. /**************************************************************************/
  4. /* This file is part of: */
  5. /* GODOT ENGINE */
  6. /* https://godotengine.org */
  7. /**************************************************************************/
  8. /* Copyright (c) 2014-present Godot Engine contributors (see AUTHORS.md). */
  9. /* Copyright (c) 2007-2014 Juan Linietsky, Ariel Manzur. */
  10. /* */
  11. /* Permission is hereby granted, free of charge, to any person obtaining */
  12. /* a copy of this software and associated documentation files (the */
  13. /* "Software"), to deal in the Software without restriction, including */
  14. /* without limitation the rights to use, copy, modify, merge, publish, */
  15. /* distribute, sublicense, and/or sell copies of the Software, and to */
  16. /* permit persons to whom the Software is furnished to do so, subject to */
  17. /* the following conditions: */
  18. /* */
  19. /* The above copyright notice and this permission notice shall be */
  20. /* included in all copies or substantial portions of the Software. */
  21. /* */
  22. /* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */
  23. /* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */
  24. /* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. */
  25. /* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */
  26. /* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */
  27. /* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */
  28. /* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
  29. /**************************************************************************/
  30. #include "tls_context_mbedtls.h"
  31. static void my_debug(void *ctx, int level,
  32. const char *file, int line,
  33. const char *str) {
  34. printf("%s:%04d: %s", file, line, str);
  35. fflush(stdout);
  36. }
  37. void TLSContextMbedTLS::print_mbedtls_error(int p_ret) {
  38. printf("mbedtls error: returned -0x%x\n\n", -p_ret);
  39. fflush(stdout);
  40. }
  41. /// CookieContextMbedTLS
  42. Error CookieContextMbedTLS::setup() {
  43. ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This cookie context is already in use");
  44. mbedtls_ctr_drbg_init(&ctr_drbg);
  45. mbedtls_entropy_init(&entropy);
  46. mbedtls_ssl_cookie_init(&cookie_ctx);
  47. inited = true;
  48. int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, nullptr, 0);
  49. if (ret != 0) {
  50. clear(); // Never leave unusable resources around.
  51. ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
  52. }
  53. ret = mbedtls_ssl_cookie_setup(&cookie_ctx, mbedtls_ctr_drbg_random, &ctr_drbg);
  54. if (ret != 0) {
  55. clear();
  56. ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_cookie_setup returned an error " + itos(ret));
  57. }
  58. return OK;
  59. }
  60. void CookieContextMbedTLS::clear() {
  61. if (!inited) {
  62. return;
  63. }
  64. mbedtls_ctr_drbg_free(&ctr_drbg);
  65. mbedtls_entropy_free(&entropy);
  66. mbedtls_ssl_cookie_free(&cookie_ctx);
  67. }
  68. CookieContextMbedTLS::CookieContextMbedTLS() {
  69. }
  70. CookieContextMbedTLS::~CookieContextMbedTLS() {
  71. clear();
  72. }
  73. /// TLSContextMbedTLS
  74. Error TLSContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode) {
  75. ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This SSL context is already active");
  76. mbedtls_ssl_init(&tls);
  77. mbedtls_ssl_config_init(&conf);
  78. mbedtls_ctr_drbg_init(&ctr_drbg);
  79. mbedtls_entropy_init(&entropy);
  80. inited = true;
  81. int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, nullptr, 0);
  82. if (ret != 0) {
  83. clear(); // Never leave unusable resources around.
  84. ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
  85. }
  86. ret = mbedtls_ssl_config_defaults(&conf, p_endpoint, p_transport, MBEDTLS_SSL_PRESET_DEFAULT);
  87. if (ret != 0) {
  88. clear();
  89. ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_config_defaults returned an error" + itos(ret));
  90. }
  91. mbedtls_ssl_conf_authmode(&conf, p_authmode);
  92. mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
  93. mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
  94. return OK;
  95. }
  96. Error TLSContextMbedTLS::init_server(int p_transport, Ref<TLSOptions> p_options, Ref<CookieContextMbedTLS> p_cookies) {
  97. ERR_FAIL_COND_V(p_options.is_null() || !p_options->is_server(), ERR_INVALID_PARAMETER);
  98. // Check key and certificate(s)
  99. pkey = p_options->get_private_key();
  100. certs = p_options->get_own_certificate();
  101. ERR_FAIL_COND_V(pkey.is_null() || certs.is_null(), ERR_INVALID_PARAMETER);
  102. Error err = _setup(MBEDTLS_SSL_IS_SERVER, p_transport, MBEDTLS_SSL_VERIFY_NONE); // TODO client auth.
  103. ERR_FAIL_COND_V(err != OK, err);
  104. // Locking key and certificate(s)
  105. pkey->lock();
  106. certs->lock();
  107. // Adding key and certificate
  108. int ret = mbedtls_ssl_conf_own_cert(&conf, &(certs->cert), &(pkey->pkey));
  109. if (ret != 0) {
  110. clear();
  111. ERR_FAIL_V_MSG(ERR_INVALID_PARAMETER, "Invalid cert/key combination " + itos(ret));
  112. }
  113. // Adding CA chain if available.
  114. if (certs->cert.next) {
  115. mbedtls_ssl_conf_ca_chain(&conf, certs->cert.next, nullptr);
  116. }
  117. // DTLS Cookies
  118. if (p_transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
  119. if (p_cookies.is_null() || !p_cookies->inited) {
  120. clear();
  121. ERR_FAIL_V(ERR_BUG);
  122. }
  123. cookies = p_cookies;
  124. mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx));
  125. }
  126. mbedtls_ssl_setup(&tls, &conf);
  127. return OK;
  128. }
  129. Error TLSContextMbedTLS::init_client(int p_transport, const String &p_hostname, Ref<TLSOptions> p_options) {
  130. ERR_FAIL_COND_V(p_options.is_null() || p_options->is_server(), ERR_INVALID_PARAMETER);
  131. int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
  132. bool unsafe = p_options->is_unsafe_client();
  133. if (unsafe && p_options->get_trusted_ca_chain().is_null()) {
  134. authmode = MBEDTLS_SSL_VERIFY_NONE;
  135. }
  136. Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, authmode);
  137. ERR_FAIL_COND_V(err != OK, err);
  138. if (unsafe) {
  139. // No hostname verification for unsafe clients.
  140. mbedtls_ssl_set_hostname(&tls, nullptr);
  141. } else {
  142. String cn = p_options->get_common_name_override();
  143. if (cn.is_empty()) {
  144. cn = p_hostname;
  145. }
  146. mbedtls_ssl_set_hostname(&tls, cn.utf8().get_data());
  147. }
  148. X509CertificateMbedTLS *cas = nullptr;
  149. if (p_options->get_trusted_ca_chain().is_valid()) {
  150. // Locking CA certificates
  151. certs = p_options->get_trusted_ca_chain();
  152. certs->lock();
  153. cas = certs.ptr();
  154. } else {
  155. // Fall back to default certificates (no need to lock those).
  156. cas = CryptoMbedTLS::get_default_certificates();
  157. if (cas == nullptr) {
  158. clear();
  159. ERR_FAIL_V_MSG(ERR_UNCONFIGURED, "SSL module failed to initialize!");
  160. }
  161. }
  162. // Set valid CAs
  163. mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), nullptr);
  164. mbedtls_ssl_setup(&tls, &conf);
  165. return OK;
  166. }
  167. void TLSContextMbedTLS::clear() {
  168. if (!inited) {
  169. return;
  170. }
  171. mbedtls_ssl_free(&tls);
  172. mbedtls_ssl_config_free(&conf);
  173. mbedtls_ctr_drbg_free(&ctr_drbg);
  174. mbedtls_entropy_free(&entropy);
  175. // Unlock and key and certificates
  176. if (certs.is_valid()) {
  177. certs->unlock();
  178. }
  179. certs = Ref<X509Certificate>();
  180. if (pkey.is_valid()) {
  181. pkey->unlock();
  182. }
  183. pkey = Ref<CryptoKeyMbedTLS>();
  184. cookies = Ref<CookieContextMbedTLS>();
  185. inited = false;
  186. }
  187. mbedtls_ssl_context *TLSContextMbedTLS::get_context() {
  188. ERR_FAIL_COND_V(!inited, nullptr);
  189. return &tls;
  190. }
  191. TLSContextMbedTLS::TLSContextMbedTLS() {
  192. }
  193. TLSContextMbedTLS::~TLSContextMbedTLS() {
  194. clear();
  195. }