1/**************************************************************************/
2/* tls_context_mbedtls.cpp */
3/**************************************************************************/
4/* This file is part of: */
5/* GODOT ENGINE */
6/* https://godotengine.org */
7/**************************************************************************/
8/* Copyright (c) 2014-present Godot Engine contributors (see AUTHORS.md). */
9/* Copyright (c) 2007-2014 Juan Linietsky, Ariel Manzur. */
10/* */
11/* Permission is hereby granted, free of charge, to any person obtaining */
12/* a copy of this software and associated documentation files (the */
13/* "Software"), to deal in the Software without restriction, including */
14/* without limitation the rights to use, copy, modify, merge, publish, */
15/* distribute, sublicense, and/or sell copies of the Software, and to */
16/* permit persons to whom the Software is furnished to do so, subject to */
17/* the following conditions: */
18/* */
19/* The above copyright notice and this permission notice shall be */
20/* included in all copies or substantial portions of the Software. */
21/* */
22/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */
23/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */
24/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. */
25/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */
26/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */
27/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */
28/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
29/**************************************************************************/
30
31#include "tls_context_mbedtls.h"
32
33static void my_debug(void *ctx, int level,
34 const char *file, int line,
35 const char *str) {
36 printf("%s:%04d: %s", file, line, str);
37 fflush(stdout);
38}
39
40void TLSContextMbedTLS::print_mbedtls_error(int p_ret) {
41 printf("mbedtls error: returned -0x%x\n\n", -p_ret);
42 fflush(stdout);
43}
44
45/// CookieContextMbedTLS
46
47Error CookieContextMbedTLS::setup() {
48 ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This cookie context is already in use");
49
50 mbedtls_ctr_drbg_init(&ctr_drbg);
51 mbedtls_entropy_init(&entropy);
52 mbedtls_ssl_cookie_init(&cookie_ctx);
53 inited = true;
54
55 int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, nullptr, 0);
56 if (ret != 0) {
57 clear(); // Never leave unusable resources around.
58 ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
59 }
60
61 ret = mbedtls_ssl_cookie_setup(&cookie_ctx, mbedtls_ctr_drbg_random, &ctr_drbg);
62 if (ret != 0) {
63 clear();
64 ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_cookie_setup returned an error " + itos(ret));
65 }
66 return OK;
67}
68
69void CookieContextMbedTLS::clear() {
70 if (!inited) {
71 return;
72 }
73 mbedtls_ctr_drbg_free(&ctr_drbg);
74 mbedtls_entropy_free(&entropy);
75 mbedtls_ssl_cookie_free(&cookie_ctx);
76}
77
78CookieContextMbedTLS::CookieContextMbedTLS() {
79}
80
81CookieContextMbedTLS::~CookieContextMbedTLS() {
82 clear();
83}
84
85/// TLSContextMbedTLS
86
87Error TLSContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode) {
88 ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This SSL context is already active");
89
90 mbedtls_ssl_init(&tls);
91 mbedtls_ssl_config_init(&conf);
92 mbedtls_ctr_drbg_init(&ctr_drbg);
93 mbedtls_entropy_init(&entropy);
94 inited = true;
95
96 int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, nullptr, 0);
97 if (ret != 0) {
98 clear(); // Never leave unusable resources around.
99 ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
100 }
101
102 ret = mbedtls_ssl_config_defaults(&conf, p_endpoint, p_transport, MBEDTLS_SSL_PRESET_DEFAULT);
103 if (ret != 0) {
104 clear();
105 ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_config_defaults returned an error" + itos(ret));
106 }
107 mbedtls_ssl_conf_authmode(&conf, p_authmode);
108 mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
109 mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
110 return OK;
111}
112
113Error TLSContextMbedTLS::init_server(int p_transport, Ref<TLSOptions> p_options, Ref<CookieContextMbedTLS> p_cookies) {
114 ERR_FAIL_COND_V(p_options.is_null() || !p_options->is_server(), ERR_INVALID_PARAMETER);
115
116 // Check key and certificate(s)
117 pkey = p_options->get_private_key();
118 certs = p_options->get_own_certificate();
119 ERR_FAIL_COND_V(pkey.is_null() || certs.is_null(), ERR_INVALID_PARAMETER);
120
121 Error err = _setup(MBEDTLS_SSL_IS_SERVER, p_transport, MBEDTLS_SSL_VERIFY_NONE); // TODO client auth.
122 ERR_FAIL_COND_V(err != OK, err);
123
124 // Locking key and certificate(s)
125 pkey->lock();
126 certs->lock();
127
128 // Adding key and certificate
129 int ret = mbedtls_ssl_conf_own_cert(&conf, &(certs->cert), &(pkey->pkey));
130 if (ret != 0) {
131 clear();
132 ERR_FAIL_V_MSG(ERR_INVALID_PARAMETER, "Invalid cert/key combination " + itos(ret));
133 }
134 // Adding CA chain if available.
135 if (certs->cert.next) {
136 mbedtls_ssl_conf_ca_chain(&conf, certs->cert.next, nullptr);
137 }
138 // DTLS Cookies
139 if (p_transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
140 if (p_cookies.is_null() || !p_cookies->inited) {
141 clear();
142 ERR_FAIL_V(ERR_BUG);
143 }
144 cookies = p_cookies;
145 mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx));
146 }
147 mbedtls_ssl_setup(&tls, &conf);
148 return OK;
149}
150
151Error TLSContextMbedTLS::init_client(int p_transport, const String &p_hostname, Ref<TLSOptions> p_options) {
152 ERR_FAIL_COND_V(p_options.is_null() || p_options->is_server(), ERR_INVALID_PARAMETER);
153
154 int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
155 if (p_options->get_verify_mode() == TLSOptions::TLS_VERIFY_NONE) {
156 authmode = MBEDTLS_SSL_VERIFY_NONE;
157 }
158
159 Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, authmode);
160 ERR_FAIL_COND_V(err != OK, err);
161
162 if (p_options->get_verify_mode() == TLSOptions::TLS_VERIFY_FULL) {
163 String cn = p_options->get_common_name();
164 if (cn.is_empty()) {
165 cn = p_hostname;
166 }
167 mbedtls_ssl_set_hostname(&tls, cn.utf8().get_data());
168 } else {
169 mbedtls_ssl_set_hostname(&tls, nullptr);
170 }
171
172 X509CertificateMbedTLS *cas = nullptr;
173
174 if (p_options->get_trusted_ca_chain().is_valid()) {
175 // Locking CA certificates
176 certs = p_options->get_trusted_ca_chain();
177 certs->lock();
178 cas = certs.ptr();
179 } else {
180 // Fall back to default certificates (no need to lock those).
181 cas = CryptoMbedTLS::get_default_certificates();
182 if (cas == nullptr) {
183 clear();
184 ERR_FAIL_V_MSG(ERR_UNCONFIGURED, "SSL module failed to initialize!");
185 }
186 }
187
188 // Set valid CAs
189 mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), nullptr);
190 mbedtls_ssl_setup(&tls, &conf);
191 return OK;
192}
193
194void TLSContextMbedTLS::clear() {
195 if (!inited) {
196 return;
197 }
198 mbedtls_ssl_free(&tls);
199 mbedtls_ssl_config_free(&conf);
200 mbedtls_ctr_drbg_free(&ctr_drbg);
201 mbedtls_entropy_free(&entropy);
202
203 // Unlock and key and certificates
204 if (certs.is_valid()) {
205 certs->unlock();
206 }
207 certs = Ref<X509Certificate>();
208 if (pkey.is_valid()) {
209 pkey->unlock();
210 }
211 pkey = Ref<CryptoKeyMbedTLS>();
212 cookies = Ref<CookieContextMbedTLS>();
213 inited = false;
214}
215
216mbedtls_ssl_context *TLSContextMbedTLS::get_context() {
217 ERR_FAIL_COND_V(!inited, nullptr);
218 return &tls;
219}
220
221TLSContextMbedTLS::TLSContextMbedTLS() {
222}
223
224TLSContextMbedTLS::~TLSContextMbedTLS() {
225 clear();
226}
227