1
/**************************************************************************/
2
/*  tls_context_mbedtls.cpp                                               */
3
/**************************************************************************/
4
/*                         This file is part of:                          */
5
/*                             GODOT ENGINE                               */
6
/*                        https://godotengine.org                         */
7
/**************************************************************************/
8
/* Copyright (c) 2014-present Godot Engine contributors (see AUTHORS.md). */
9
/* Copyright (c) 2007-2014 Juan Linietsky, Ariel Manzur.                  */
10
/*                                                                        */
11
/* Permission is hereby granted, free of charge, to any person obtaining  */
12
/* a copy of this software and associated documentation files (the        */
13
/* "Software"), to deal in the Software without restriction, including    */
14
/* without limitation the rights to use, copy, modify, merge, publish,    */
15
/* distribute, sublicense, and/or sell copies of the Software, and to     */
16
/* permit persons to whom the Software is furnished to do so, subject to  */
17
/* the following conditions:                                              */
18
/*                                                                        */
19
/* The above copyright notice and this permission notice shall be         */
20
/* included in all copies or substantial portions of the Software.        */
21
/*                                                                        */
22
/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,        */
23
/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF     */
24
/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. */
25
/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY   */
26
/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,   */
27
/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE      */
28
/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                 */
29
/**************************************************************************/
30

31
#include "tls_context_mbedtls.h"
32

33
#include "core/config/project_settings.h"
34

35
#ifdef TOOLS_ENABLED
36
#include "editor/settings/editor_settings.h"
37
#endif // TOOLS_ENABLED
38

39
static void my_debug(void *ctx, int level,
40
		const char *file, int line,
41
		const char *str) {
42
	printf("%s:%04d: %s", file, line, str);
43
	fflush(stdout);
44
}
45

46
void TLSContextMbedTLS::print_mbedtls_error(int p_ret) {
47
	printf("mbedtls error: returned -0x%x\n\n", -p_ret);
48
	fflush(stdout);
49
}
50

51
/// CookieContextMbedTLS
52

53
Error CookieContextMbedTLS::setup() {
54
	ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This cookie context is already in use");
55

56
	mbedtls_ctr_drbg_init(&ctr_drbg);
57
	mbedtls_entropy_init(&entropy);
58
	mbedtls_ssl_cookie_init(&cookie_ctx);
59
	inited = true;
60

61
	int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, nullptr, 0);
62
	if (ret != 0) {
63
		clear(); // Never leave unusable resources around.
64
		ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
65
	}
66

67
	ret = mbedtls_ssl_cookie_setup(&cookie_ctx, mbedtls_ctr_drbg_random, &ctr_drbg);
68
	if (ret != 0) {
69
		clear();
70
		ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_cookie_setup returned an error " + itos(ret));
71
	}
72
	return OK;
73
}
74

75
void CookieContextMbedTLS::clear() {
76
	if (!inited) {
77
		return;
78
	}
79
	mbedtls_ctr_drbg_free(&ctr_drbg);
80
	mbedtls_entropy_free(&entropy);
81
	mbedtls_ssl_cookie_free(&cookie_ctx);
82
}
83

84
CookieContextMbedTLS::CookieContextMbedTLS() {
85
}
86

87
CookieContextMbedTLS::~CookieContextMbedTLS() {
88
	clear();
89
}
90

91
/// TLSContextMbedTLS
92

93
Error TLSContextMbedTLS::_setup(int p_endpoint, int p_transport, int p_authmode) {
94
	ERR_FAIL_COND_V_MSG(inited, ERR_ALREADY_IN_USE, "This SSL context is already active");
95

96
	mbedtls_ssl_init(&tls);
97
	mbedtls_ssl_config_init(&conf);
98
	mbedtls_ctr_drbg_init(&ctr_drbg);
99
	mbedtls_entropy_init(&entropy);
100
	inited = true;
101

102
	int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, nullptr, 0);
103
	if (ret != 0) {
104
		clear(); // Never leave unusable resources around.
105
		ERR_FAIL_V_MSG(FAILED, "mbedtls_ctr_drbg_seed returned an error " + itos(ret));
106
	}
107

108
	ret = mbedtls_ssl_config_defaults(&conf, p_endpoint, p_transport, MBEDTLS_SSL_PRESET_DEFAULT);
109
	if (ret != 0) {
110
		clear();
111
		ERR_FAIL_V_MSG(FAILED, "mbedtls_ssl_config_defaults returned an error" + itos(ret));
112
	}
113
	mbedtls_ssl_conf_authmode(&conf, p_authmode);
114
	mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
115
	mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
116
	return OK;
117
}
118

119
Error TLSContextMbedTLS::init_server(int p_transport, Ref<TLSOptions> p_options, Ref<CookieContextMbedTLS> p_cookies) {
120
	ERR_FAIL_COND_V(p_options.is_null() || !p_options->is_server(), ERR_INVALID_PARAMETER);
121

122
	// Check key and certificate(s)
123
	pkey = p_options->get_private_key();
124
	certs = p_options->get_own_certificate();
125
	ERR_FAIL_COND_V(pkey.is_null() || certs.is_null(), ERR_INVALID_PARAMETER);
126

127
	Error err = _setup(MBEDTLS_SSL_IS_SERVER, p_transport, MBEDTLS_SSL_VERIFY_NONE); // TODO client auth.
128
	ERR_FAIL_COND_V(err != OK, err);
129

130
	// Locking key and certificate(s)
131
	pkey->lock();
132
	certs->lock();
133

134
	// Adding key and certificate
135
	int ret = mbedtls_ssl_conf_own_cert(&conf, &(certs->cert), &(pkey->pkey));
136
	if (ret != 0) {
137
		clear();
138
		ERR_FAIL_V_MSG(ERR_INVALID_PARAMETER, "Invalid cert/key combination " + itos(ret));
139
	}
140
	// Adding CA chain if available.
141
	if (certs->cert.next) {
142
		mbedtls_ssl_conf_ca_chain(&conf, certs->cert.next, nullptr);
143
	}
144
	// DTLS Cookies
145
	if (p_transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
146
		if (p_cookies.is_null() || !p_cookies->inited) {
147
			clear();
148
			ERR_FAIL_V(ERR_BUG);
149
		}
150
		cookies = p_cookies;
151
		mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx));
152
	}
153

154
#if MBEDTLS_VERSION_MAJOR >= 3
155
#ifdef TOOLS_ENABLED
156
	if (EditorSettings::get_singleton()) {
157
		if (!EditorSettings::get_singleton()->get_setting("network/tls/enable_tls_v1.3").operator bool()) {
158
			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
159
		}
160
	} else
161
#endif
162
	{
163
		if (!GLOBAL_GET("network/tls/enable_tls_v1.3").operator bool()) {
164
			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
165
		}
166
	}
167
#endif
168

169
	mbedtls_ssl_setup(&tls, &conf);
170
	return OK;
171
}
172

173
Error TLSContextMbedTLS::init_client(int p_transport, const String &p_hostname, Ref<TLSOptions> p_options) {
174
	ERR_FAIL_COND_V(p_options.is_null() || p_options->is_server(), ERR_INVALID_PARAMETER);
175

176
	int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
177
	bool unsafe = p_options->is_unsafe_client();
178
	if (unsafe && p_options->get_trusted_ca_chain().is_null()) {
179
		authmode = MBEDTLS_SSL_VERIFY_NONE;
180
	}
181

182
	Error err = _setup(MBEDTLS_SSL_IS_CLIENT, p_transport, authmode);
183
	ERR_FAIL_COND_V(err != OK, err);
184

185
	if (unsafe) {
186
		// No hostname verification for unsafe clients.
187
		mbedtls_ssl_set_hostname(&tls, nullptr);
188
	} else {
189
		String cn = p_options->get_common_name_override();
190
		if (cn.is_empty()) {
191
			cn = p_hostname;
192
		}
193
		mbedtls_ssl_set_hostname(&tls, cn.utf8().get_data());
194
	}
195

196
	X509CertificateMbedTLS *cas = nullptr;
197

198
	if (p_options->get_trusted_ca_chain().is_valid()) {
199
		// Locking CA certificates
200
		certs = p_options->get_trusted_ca_chain();
201
		certs->lock();
202
		cas = certs.ptr();
203
	} else {
204
		// Fall back to default certificates (no need to lock those).
205
		cas = CryptoMbedTLS::get_default_certificates();
206
		if (cas == nullptr) {
207
			clear();
208
			ERR_FAIL_V_MSG(ERR_UNCONFIGURED, "SSL module failed to initialize!");
209
		}
210
	}
211

212
#if MBEDTLS_VERSION_MAJOR >= 3
213
#ifdef TOOLS_ENABLED
214
	if (EditorSettings::get_singleton()) {
215
		if (!EditorSettings::get_singleton()->get_setting("network/tls/enable_tls_v1.3").operator bool()) {
216
			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
217
		}
218
	} else
219
#endif
220
	{
221
		if (!GLOBAL_GET("network/tls/enable_tls_v1.3").operator bool()) {
222
			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
223
		}
224
	}
225
#endif
226

227
	// Set valid CAs
228
	mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), nullptr);
229
	mbedtls_ssl_setup(&tls, &conf);
230
	return OK;
231
}
232

233
void TLSContextMbedTLS::clear() {
234
	if (!inited) {
235
		return;
236
	}
237
	mbedtls_ssl_free(&tls);
238
	mbedtls_ssl_config_free(&conf);
239
	mbedtls_ctr_drbg_free(&ctr_drbg);
240
	mbedtls_entropy_free(&entropy);
241

242
	// Unlock and key and certificates
243
	if (certs.is_valid()) {
244
		certs->unlock();
245
	}
246
	certs = Ref<X509Certificate>();
247
	if (pkey.is_valid()) {
248
		pkey->unlock();
249
	}
250
	pkey = Ref<CryptoKeyMbedTLS>();
251
	cookies = Ref<CookieContextMbedTLS>();
252
	inited = false;
253
}
254

255
mbedtls_ssl_context *TLSContextMbedTLS::get_context() {
256
	ERR_FAIL_COND_V(!inited, nullptr);
257
	return &tls;
258
}
259

260
TLSContextMbedTLS::TLSContextMbedTLS() {
261
}
262

263
TLSContextMbedTLS::~TLSContextMbedTLS() {
264
	clear();
265
}
266

267