Rewrite StreamPeerSSL with SSLContext helper class

connect_to_stream now accepts optional parameter to specify which
certificates to trust.
Implement accept_stream (SSL server) with key/cert parameters to specify
the RSA key and X509 certificate resources.

5 files changed, 256 insertions, 80 deletions

diff --git a/modules/mbedtls/register_types.cpp b/modules/mbedtls/register_types.cpp
index 88f8155336..f7dc6c785f 100755
--- a/modules/mbedtls/register_types.cpp
+++ b/modules/mbedtls/register_types.cpp
@@ -31,7 +31,7 @@
 #include "register_types.h"
 
 #include "crypto_mbedtls.h"
-#include "stream_peer_mbed_tls.h"
+#include "stream_peer_mbedtls.h"
 
 void register_mbedtls_types() {
 
diff --git a/modules/mbedtls/ssl_context_mbedtls.cpp b/modules/mbedtls/ssl_context_mbedtls.cpp
new file mode 100644
index 0000000000..014a201f9c
--- /dev/null
+++ b/modules/mbedtls/ssl_context_mbedtls.cpp
@@ -0,0 +1,148 @@
+/*************************************************************************/
+/*  ssl_context_mbed_tls.cpp                                             */
+/*************************************************************************/
+/*                       This file is part of:                           */
+/*                           GODOT ENGINE                                */
+/*                      https://godotengine.org                          */
+/*************************************************************************/
+/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur.                 */
+/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md)    */
+/*                                                                       */
+/* Permission is hereby granted, free of charge, to any person obtaining */
+/* a copy of this software and associated documentation files (the       */
+/* "Software"), to deal in the Software without restriction, including   */
+/* without limitation the rights to use, copy, modify, merge, publish,   */
+/* distribute, sublicense, and/or sell copies of the Software, and to    */
+/* permit persons to whom the Software is furnished to do so, subject to */
+/* the following conditions:                                             */
+/*                                                                       */
+/* The above copyright notice and this permission notice shall be        */
+/* included in all copies or substantial portions of the Software.       */
+/*                                                                       */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,       */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF    */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY  */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,  */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE     */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
+/*************************************************************************/
+
+#include "ssl_context_mbedtls.h"
+
+static void my_debug(void *ctx, int level,
+		const char *file, int line,
+		const char *str) {
+
+	printf("%s:%04d: %s", file, line, str);
+	fflush(stdout);
+}
+
+Error SSLContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode) {
+	ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This SSL context is already active");
+
+	mbedtls_ssl_init(&ssl);
+	mbedtls_ssl_config_init(&conf);
+	mbedtls_ctr_drbg_init(&ctr_drbg);
+	mbedtls_entropy_init(&entropy);
+	inited = true;
+
+	int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
+	if (ret != 0) {
+		clear(); // Never leave unusable resources around.
+		ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error" + itos(ret));
+	}
+
+	ret = mbedtls_ssl_config_defaults(&conf, p_endpoint, p_transport, MBEDTLS_SSL_PRESET_DEFAULT);
+	if (ret != 0) {
+		clear();
+		ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_config_defaults returned an error" + itos(ret));
+	}
+	mbedtls_ssl_conf_authmode(&conf, p_authmode);
+	mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
+	mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
+	return OK;
+}
+
+Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert) {
+	ERR_FAIL_COND_V(!p_pkey.is_valid(), ERR_INVALID_PARAMETER);
+	ERR_FAIL_COND_V(!p_cert.is_valid(), ERR_INVALID_PARAMETER);
+
+	Error err = _setup(MBEDTLS_SSL_IS_SERVER, p_transport, p_authmode);
+	ERR_FAIL_COND_V(err != OK, err);
+
+	// Locking key and certificate(s)
+	pkey = p_pkey;
+	certs = p_cert;
+	if (pkey.is_valid())
+		pkey->lock();
+	if (certs.is_valid())
+		certs->lock();
+
+	// Adding key and certificate
+	int ret = mbedtls_ssl_conf_own_cert(&conf, &(certs->cert), &(pkey->pkey));
+	if (ret != 0) {
+		clear();
+		ERR_FAIL_V_MSG(ERR_INVALID_PARAMETER, "Invalid cert/key combination " + itos(ret));
+	}
+	// Adding CA chain if available.
+	if (certs->cert.next) {
+		mbedtls_ssl_conf_ca_chain(&conf, certs->cert.next, NULL);
+	}
+	mbedtls_ssl_setup(&ssl, &conf);
+	return OK;
+}
+
+Error SSLContextMbedTLS::init_client(int p_transport, int p_authmode, Ref<X509CertificateMbedTLS> p_valid_cas) {
+	X509CertificateMbedTLS *cas = NULL;
+
+	if (certs.is_valid()) {
+		// Locking CA certificates
+		certs = p_valid_cas;
+		certs->lock();
+		cas = certs.ptr();
+	} else {
+		// Fall back to default certificates (no need to lock those).
+		cas = CryptoMbedTLS::get_default_certificates();
+		ERR_FAIL_COND_V(cas == NULL, ERR_UNCONFIGURED);
+	}
+
+	Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, p_authmode);
+	ERR_FAIL_COND_V(err != OK, err);
+
+	// Set valid CAs
+	mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), NULL);
+	mbedtls_ssl_setup(&ssl, &conf);
+	return OK;
+}
+
+void SSLContextMbedTLS::clear() {
+	if (!inited)
+		return;
+	mbedtls_ssl_free(&ssl);
+	mbedtls_ssl_config_free(&conf);
+	mbedtls_ctr_drbg_free(&ctr_drbg);
+	mbedtls_entropy_free(&entropy);
+
+	// Unlock and key and certificates
+	if (certs.is_valid())
+		certs->unlock();
+	certs = Ref<X509Certificate>();
+	if (pkey.is_valid())
+		pkey->unlock();
+	pkey = Ref<CryptoKeyMbedTLS>();
+	inited = false;
+}
+
+mbedtls_ssl_context *SSLContextMbedTLS::get_context() {
+	ERR_FAIL_COND_V(!inited, NULL);
+	return &ssl;
+}
+
+SSLContextMbedTLS::SSLContextMbedTLS() {
+	inited = false;
+}
+
+SSLContextMbedTLS::~SSLContextMbedTLS() {
+	clear();
+}
diff --git a/modules/mbedtls/ssl_context_mbedtls.h b/modules/mbedtls/ssl_context_mbedtls.h
new file mode 100644
index 0000000000..8a072fd6eb
--- /dev/null
+++ b/modules/mbedtls/ssl_context_mbedtls.h
@@ -0,0 +1,74 @@
+/*************************************************************************/
+/*  ssl_context_mbed_tls.h                                               */
+/*************************************************************************/
+/*                       This file is part of:                           */
+/*                           GODOT ENGINE                                */
+/*                      https://godotengine.org                          */
+/*************************************************************************/
+/* Copyright (c) 2007-2019 Juan Linietsky, Ariel Manzur.                 */
+/* Copyright (c) 2014-2019 Godot Engine contributors (cf. AUTHORS.md)    */
+/*                                                                       */
+/* Permission is hereby granted, free of charge, to any person obtaining */
+/* a copy of this software and associated documentation files (the       */
+/* "Software"), to deal in the Software without restriction, including   */
+/* without limitation the rights to use, copy, modify, merge, publish,   */
+/* distribute, sublicense, and/or sell copies of the Software, and to    */
+/* permit persons to whom the Software is furnished to do so, subject to */
+/* the following conditions:                                             */
+/*                                                                       */
+/* The above copyright notice and this permission notice shall be        */
+/* included in all copies or substantial portions of the Software.       */
+/*                                                                       */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,       */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF    */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY  */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,  */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE     */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
+/*************************************************************************/
+
+#ifndef SSL_CONTEXT_MBED_TLS_H
+#define SSL_CONTEXT_MBED_TLS_H
+
+#include "crypto_mbedtls.h"
+
+#include "core/os/file_access.h"
+#include "core/pool_vector.h"
+#include "core/reference.h"
+
+#include <mbedtls/config.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/debug.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/net.h>
+#include <mbedtls/ssl.h>
+
+class SSLContextMbedTLS : public Reference {
+
+protected:
+	bool inited;
+
+	static PoolByteArray _read_file(String p_path);
+
+public:
+	Ref<X509CertificateMbedTLS> certs;
+	mbedtls_entropy_context entropy;
+	mbedtls_ctr_drbg_context ctr_drbg;
+	mbedtls_ssl_context ssl;
+	mbedtls_ssl_config conf;
+
+	Ref<CryptoKeyMbedTLS> pkey;
+
+	Error _setup(int p_endpoint, int p_transport, int p_authmode);
+	Error init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert);
+	Error init_client(int p_transport, int p_authmode, Ref<X509CertificateMbedTLS> p_valid_cas);
+	void clear();
+
+	mbedtls_ssl_context *get_context();
+
+	SSLContextMbedTLS();
+	~SSLContextMbedTLS();
+};
+
+#endif // SSL_CONTEXT_MBED_TLS_H
diff --git a/modules/mbedtls/stream_peer_mbed_tls.cpp b/modules/mbedtls/stream_peer_mbedtls.cpp
index 4bb7557150..a9acfbef02 100755
--- a/modules/mbedtls/stream_peer_mbed_tls.cpp
+++ b/modules/mbedtls/stream_peer_mbedtls.cpp
@@ -28,19 +28,11 @@
 /* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
 /*************************************************************************/
 
-#include "stream_peer_mbed_tls.h"
+#include "stream_peer_mbedtls.h"
 
 #include "core/io/stream_peer_tcp.h"
 #include "core/os/file_access.h"
 
-static void my_debug(void *ctx, int level,
-		const char *file, int line,
-		const char *str) {
-
-	printf("%s:%04d: %s", file, line, str);
-	fflush(stdout);
-}
-
 void _print_error(int ret) {
 	printf("mbedtls error: returned -0x%x\n\n", -ret);
 	fflush(stdout);
@@ -86,18 +78,14 @@ int StreamPeerMbedTLS::bio_recv(void *ctx, unsigned char *buf, size_t len) {
 
 void StreamPeerMbedTLS::_cleanup() {
 
-	mbedtls_ssl_free(&ssl);
-	mbedtls_ssl_config_free(&conf);
-	mbedtls_ctr_drbg_free(&ctr_drbg);
-	mbedtls_entropy_free(&entropy);
-
+	ssl_ctx->clear();
 	base = Ref<StreamPeer>();
 	status = STATUS_DISCONNECTED;
 }
 
 Error StreamPeerMbedTLS::_do_handshake() {
 	int ret = 0;
-	while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
+	while ((ret = mbedtls_ssl_handshake(ssl_ctx->get_context())) != 0) {
 		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
 			// An error occurred.
 			ERR_PRINTS("TLS handshake error: " + itos(ret));
@@ -118,39 +106,17 @@ Error StreamPeerMbedTLS::_do_handshake() {
 	return OK;
 }
 
-Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs, const String &p_for_hostname) {
-
-	ERR_FAIL_COND_V(p_base.is_null(), ERR_INVALID_PARAMETER);
+Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs, const String &p_for_hostname, Ref<X509Certificate> p_ca_certs) {
 
 	base = p_base;
 	int ret = 0;
 	int authmode = p_validate_certs ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;
 
-	mbedtls_ssl_init(&ssl);
-	mbedtls_ssl_config_init(&conf);
-	mbedtls_ctr_drbg_init(&ctr_drbg);
-	mbedtls_entropy_init(&entropy);
+	Error err = ssl_ctx->init_client(MBEDTLS_SSL_TRANSPORT_STREAM, authmode, p_ca_certs);
+	ERR_FAIL_COND_V(err != OK, err);
 
-	ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
-	if (ret != 0) {
-		ERR_PRINTS(" failed\n  ! mbedtls_ctr_drbg_seed returned an error" + itos(ret));
-		_cleanup();
-		return FAILED;
-	}
-
-	mbedtls_ssl_config_defaults(&conf,
-			MBEDTLS_SSL_IS_CLIENT,
-			MBEDTLS_SSL_TRANSPORT_STREAM,
-			MBEDTLS_SSL_PRESET_DEFAULT);
-
-	mbedtls_ssl_conf_authmode(&conf, authmode);
-	mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
-	mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
-	mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
-	mbedtls_ssl_setup(&ssl, &conf);
-	mbedtls_ssl_set_hostname(&ssl, p_for_hostname.utf8().get_data());
-
-	mbedtls_ssl_set_bio(&ssl, this, bio_send, bio_recv, NULL);
+	mbedtls_ssl_set_hostname(ssl_ctx->get_context(), p_for_hostname.utf8().get_data());
+	mbedtls_ssl_set_bio(ssl_ctx->get_context(), this, bio_send, bio_recv, NULL);
 
 	status = STATUS_HANDSHAKING;
 
@@ -162,11 +128,24 @@ Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_valida
 	return OK;
 }
 
-Error StreamPeerMbedTLS::accept_stream(Ref<StreamPeer> p_base) {
+Error StreamPeerMbedTLS::accept_stream(Ref<StreamPeer> p_base, Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain) {
+
+	Error err = ssl_ctx->init_server(MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_VERIFY_NONE, p_key, p_cert);
+	ERR_FAIL_COND_V(err != OK, err);
+
+	base = p_base;
+
+	mbedtls_ssl_set_bio(ssl_ctx->get_context(), this, bio_send, bio_recv, NULL);
 
+	status = STATUS_HANDSHAKING;
+
+	if ((err = _do_handshake()) != OK) {
+		return FAILED;
+	}
+
+	status = STATUS_CONNECTED;
 	return OK;
 }
-
 Error StreamPeerMbedTLS::put_data(const uint8_t *p_data, int p_bytes) {
 
 	ERR_FAIL_COND_V(status != STATUS_CONNECTED, ERR_UNCONFIGURED);
@@ -197,7 +176,7 @@ Error StreamPeerMbedTLS::put_partial_data(const uint8_t *p_data, int p_bytes, in
 	if (p_bytes == 0)
 		return OK;
 
-	int ret = mbedtls_ssl_write(&ssl, p_data, p_bytes);
+	int ret = mbedtls_ssl_write(ssl_ctx->get_context(), p_data, p_bytes);
 	if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
 		// Non blocking IO
 		ret = 0;
@@ -243,7 +222,7 @@ Error StreamPeerMbedTLS::get_partial_data(uint8_t *p_buffer, int p_bytes, int &r
 
 	r_received = 0;
 
-	int ret = mbedtls_ssl_read(&ssl, p_buffer, p_bytes);
+	int ret = mbedtls_ssl_read(ssl_ctx->get_context(), p_buffer, p_bytes);
 	if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
 		ret = 0; // non blocking io
 	} else if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
@@ -273,7 +252,7 @@ void StreamPeerMbedTLS::poll() {
 	// We could pass NULL as second parameter, but some behaviour sanitizers doesn't seem to like that.
 	// Passing a 1 byte buffer to workaround it.
 	uint8_t byte;
-	int ret = mbedtls_ssl_read(&ssl, &byte, 0);
+	int ret = mbedtls_ssl_read(ssl_ctx->get_context(), &byte, 0);
 
 	if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
 		// Nothing to read/write (non blocking IO)
@@ -298,10 +277,11 @@ int StreamPeerMbedTLS::get_available_bytes() const {
 
 	ERR_FAIL_COND_V(status != STATUS_CONNECTED, 0);
 
-	return mbedtls_ssl_get_bytes_avail(&ssl);
+	return mbedtls_ssl_get_bytes_avail(&(ssl_ctx->ssl));
 }
 StreamPeerMbedTLS::StreamPeerMbedTLS() {
 
+	ssl_ctx.instance();
 	status = STATUS_DISCONNECTED;
 }
 
@@ -317,7 +297,7 @@ void StreamPeerMbedTLS::disconnect_from_stream() {
 	Ref<StreamPeerTCP> tcp = base;
 	if (tcp.is_valid() && tcp->get_status() == StreamPeerTCP::STATUS_CONNECTED) {
 		// We are still connected on the socket, try to send close notify.
-		mbedtls_ssl_close_notify(&ssl);
+		mbedtls_ssl_close_notify(ssl_ctx->get_context());
 	}
 
 	_cleanup();
@@ -333,28 +313,9 @@ StreamPeerSSL *StreamPeerMbedTLS::_create_func() {
 	return memnew(StreamPeerMbedTLS);
 }
 
-mbedtls_x509_crt StreamPeerMbedTLS::cacert;
-
-void StreamPeerMbedTLS::_load_certs(const PoolByteArray &p_array) {
-	int arr_len = p_array.size();
-	PoolByteArray::Read r = p_array.read();
-	int err = mbedtls_x509_crt_parse(&cacert, &r[0], arr_len);
-	if (err != 0) {
-		WARN_PRINTS("Error parsing some certificates: " + itos(err));
-	}
-}
-
 void StreamPeerMbedTLS::initialize_ssl() {
 
 	_create = _create_func;
-	load_certs_func = _load_certs;
-
-	mbedtls_x509_crt_init(&cacert);
-
-#ifdef DEBUG_ENABLED
-	mbedtls_debug_set_threshold(1);
-#endif
-
 	available = true;
 }
 
@@ -362,6 +323,4 @@ void StreamPeerMbedTLS::finalize_ssl() {
 
 	available = false;
 	_create = NULL;
-	load_certs_func = NULL;
-	mbedtls_x509_crt_free(&cacert);
 }
diff --git a/modules/mbedtls/stream_peer_mbed_tls.h b/modules/mbedtls/stream_peer_mbedtls.h
index ab87b779c1..179d1d37e1 100755
--- a/modules/mbedtls/stream_peer_mbed_tls.h
+++ b/modules/mbedtls/stream_peer_mbedtls.h
@@ -32,6 +32,7 @@
 #define STREAM_PEER_OPEN_SSL_H
 
 #include "core/io/stream_peer_ssl.h"
+#include "ssl_context_mbedtls.h"
 
 #include <mbedtls/config.h>
 #include <mbedtls/ctr_drbg.h>
@@ -50,19 +51,13 @@ private:
 	Ref<StreamPeer> base;
 
 	static StreamPeerSSL *_create_func();
-	static void _load_certs(const PoolByteArray &p_array);
 
 	static int bio_recv(void *ctx, unsigned char *buf, size_t len);
 	static int bio_send(void *ctx, const unsigned char *buf, size_t len);
 	void _cleanup();
 
 protected:
-	static mbedtls_x509_crt cacert;
-
-	mbedtls_entropy_context entropy;
-	mbedtls_ctr_drbg_context ctr_drbg;
-	mbedtls_ssl_context ssl;
-	mbedtls_ssl_config conf;
+	Ref<SSLContextMbedTLS> ssl_ctx;
 
 	static void _bind_methods();
 
@@ -70,8 +65,8 @@ protected:
 
 public:
 	virtual void poll();
-	virtual Error accept_stream(Ref<StreamPeer> p_base);
-	virtual Error connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs = false, const String &p_for_hostname = String());
+	virtual Error accept_stream(Ref<StreamPeer> p_base, Ref<CryptoKey> p_key, Ref<X509Certificate> p_cert, Ref<X509Certificate> p_ca_chain = Ref<X509Certificate>());
+	virtual Error connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs = false, const String &p_for_hostname = String(), Ref<X509Certificate> p_valid_cert = Ref<X509Certificate>());
 	virtual Status get_status() const;
 
 	virtual void disconnect_from_stream();