summaryrefslogtreecommitdiff
path: root/modules/mbedtls/tls_context_mbedtls.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'modules/mbedtls/tls_context_mbedtls.cpp')
-rw-r--r--modules/mbedtls/tls_context_mbedtls.cpp47
1 files changed, 31 insertions, 16 deletions
diff --git a/modules/mbedtls/tls_context_mbedtls.cpp b/modules/mbedtls/tls_context_mbedtls.cpp
index a01137f262..aab082f488 100644
--- a/modules/mbedtls/tls_context_mbedtls.cpp
+++ b/modules/mbedtls/tls_context_mbedtls.cpp
@@ -110,22 +110,20 @@ Error TLSContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode)
return OK;
}
-Error TLSContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<CryptoKeyMbedTLS> p_pkey, Ref<X509CertificateMbedTLS> p_cert, Ref<CookieContextMbedTLS> p_cookies) {
- ERR_FAIL_COND_V(!p_pkey.is_valid(), ERR_INVALID_PARAMETER);
- ERR_FAIL_COND_V(!p_cert.is_valid(), ERR_INVALID_PARAMETER);
+Error TLSContextMbedTLS::init_server(int p_transport, Ref<TLSOptions> p_options, Ref<CookieContextMbedTLS> p_cookies) {
+ ERR_FAIL_COND_V(p_options.is_null() || !p_options->is_server(), ERR_INVALID_PARAMETER);
- Error err = _setup(MBEDTLS_SSL_IS_SERVER, p_transport, p_authmode);
+ // Check key and certificate(s)
+ pkey = p_options->get_private_key();
+ certs = p_options->get_own_certificate();
+ ERR_FAIL_COND_V(pkey.is_null() || certs.is_null(), ERR_INVALID_PARAMETER);
+
+ Error err = _setup(MBEDTLS_SSL_IS_SERVER, p_transport, MBEDTLS_SSL_VERIFY_NONE); // TODO client auth.
ERR_FAIL_COND_V(err != OK, err);
// Locking key and certificate(s)
- pkey = p_pkey;
- certs = p_cert;
- if (pkey.is_valid()) {
- pkey->lock();
- }
- if (certs.is_valid()) {
- certs->lock();
- }
+ pkey->lock();
+ certs->lock();
// Adding key and certificate
int ret = mbedtls_ssl_conf_own_cert(&conf, &(certs->cert), &(pkey->pkey));
@@ -150,15 +148,32 @@ Error TLSContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<Crypto
return OK;
}
-Error TLSContextMbedTLS::init_client(int p_transport, int p_authmode, Ref<X509CertificateMbedTLS> p_valid_cas) {
- Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, p_authmode);
+Error TLSContextMbedTLS::init_client(int p_transport, const String &p_hostname, Ref<TLSOptions> p_options) {
+ ERR_FAIL_COND_V(p_options.is_null() || p_options->is_server(), ERR_INVALID_PARAMETER);
+
+ int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ if (p_options->get_verify_mode() == TLSOptions::TLS_VERIFY_NONE) {
+ authmode = MBEDTLS_SSL_VERIFY_NONE;
+ }
+
+ Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, authmode);
ERR_FAIL_COND_V(err != OK, err);
+ if (p_options->get_verify_mode() == TLSOptions::TLS_VERIFY_FULL) {
+ String cn = p_options->get_common_name();
+ if (cn.is_empty()) {
+ cn = p_hostname;
+ }
+ mbedtls_ssl_set_hostname(&tls, cn.utf8().get_data());
+ } else {
+ mbedtls_ssl_set_hostname(&tls, nullptr);
+ }
+
X509CertificateMbedTLS *cas = nullptr;
- if (p_valid_cas.is_valid()) {
+ if (p_options->get_trusted_ca_chain().is_valid()) {
// Locking CA certificates
- certs = p_valid_cas;
+ certs = p_options->get_trusted_ca_chain();
certs->lock();
cas = certs.ptr();
} else {
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-11 13:35:15 +0000