AuroraSupport/AuroraRuntime
2
1
Fork 0
Code Issues 27 Pull Requests Releases Wiki Activity

[*] TLS init for later

Browse Source
This commit is contained in:
Reece Wilson 2022-08-31 18:46:50 +01:00
parent f1ac21a379
commit ad4b4aa4ae
5 changed files with 298 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Include/Aurora/IO/TLS/IPinCertificate.hpp
View File

@ -12,6 +12,7 @@ namespace Aurora::IO::TLS
struct NetError;
AUKN_INTERFACE(IPinCertificate,
AUI_METHOD(bool, CheckCertificate, (const Memory::MemoryViewRead &, derCertificate))
AUI_METHOD(bool, CheckCertificate, (const AuSPtr<ICertificateChain> &, pChain,
const Memory::MemoryViewRead &, derCertificate))
);
}

120
Include/Aurora/IO/TLS/ITLSContext.hpp
View File

@ -21,6 +21,87 @@ namespace Aurora::IO::Net
namespace Aurora::IO::TLS
{
struct TLSMetaDTLS
{
/**
* @brief
*/
AuByteBuffer serverTransportId {};
int iServerCookies { 0 };
/**
* @brief
*/
bool bServerNoRelay { true };
/**
* @brief
*/
int iServerBacMacLimit { 0 };
/**
* @brief
*/
int iMTUSize { 0 };
};
struct TLSMetaTCP
{
};
struct TLSServer
{
/**
* @brief
*/
bool bSessionCache { true };
/**
* @brief Forces server side pinning of clients
*/
bool bPinServerPeers { false };
/**
* @brief
*/
int iCacheMax { -1 };
/**
* @brief
*/
int iCacheTimeout { 0 };
/**
* @brief
*/
bool bEnableTickets { true };
/**
* @brief
*/
bool bTicketsRotate { false };
/**
* @brief
*/
int iTicketTimeout { 300 }; // 5m
/**
* @brief
*/
AuString alternativeTicketCipher;
};
struct TLSClient
{
/**
* @brief
*/
AuString sSNIServerName;
};
struct TLSMeta
{
/**
@ -28,11 +109,6 @@ namespace Aurora::IO::TLS
*/
AuUInt uOutPageSize {};
/**
* @brief
*/
AuString sSNIServerName;
/**
* @brief Switches between server/client mode
*/
@ -59,9 +135,24 @@ namespace Aurora::IO::TLS
AuList<AuUInt16> cipherSuites;
/**
* @brief Forces server side pinning of clients
* @brief
*/
bool bPinServerPeers { false };
TLSMetaDTLS dtls;
/**
* @brief
*/
TLSMetaTCP tcp;
/**
* @brief
*/
TLSServer server;
/**
* @brief
*/
TLSClient client;
};
struct ITLSContext
@ -79,13 +170,13 @@ namespace Aurora::IO::TLS
virtual AuSPtr<Protocol::IProtocolStack> ToWriteStack() = 0;
/**
* @brief
* @brief Returns the input buffered inbound interceptor
* @return
*/
virtual AuSPtr<Protocol::IProtocolInterceptorEx> GetRecvInterceptor() = 0;
/**
* @brief
* @brief Returns the to-send outbound interceptor
* @return
*/
virtual AuSPtr<Protocol::IProtocolInterceptorEx> GetSendInterceptor() = 0;
@ -122,6 +213,12 @@ namespace Aurora::IO::TLS
*/
virtual bool HasCompletedHandshake() = 0;
/**
* @brief
* @return
*/
virtual AuUInt16 GetCurrentCipherSuite() = 0;
/**
* @brief
* @return
@ -152,6 +249,11 @@ namespace Aurora::IO::TLS
virtual void Destroy() = 0;
};
/**
* @brief
* @param meta
* @return
*/
AUKN_SYM AuSPtr<ITLSContext> NewTLSContext(const TLSMeta &meta);
/**

13
Source/IO/TLS/TLS.hpp
View File

@ -15,6 +15,19 @@
#include <mbedtls/ssl.h>
#include <mbedtls/x509.h>
#include <mbedtls/error.h>
#include <mbedtls/timing.h> // TODO: deprecate me
#if defined(MBEDTLS_SSL_CACHE_C)
#include <mbedtls/ssl_cache.h>
#endif
#if defined(MBEDTLS_SSL_TICKET_C)
#include <mbedtls/ssl_ticket.h>
#endif
#if defined(MBEDTLS_SSL_COOKIE_C)
#include <mbedtls/ssl_cookie.h>
#endif
namespace Aurora::IO::TLS
{

161
Source/IO/TLS/TLSContext.cpp
View File

@ -122,7 +122,7 @@ namespace Aurora::IO::TLS
return true;
}
return this->meta_.pCertPin->CheckCertificate(read);
return this->meta_.pCertPin->CheckCertificate({}, read);
}
//
@ -158,7 +158,6 @@ namespace Aurora::IO::TLS
::mbedtls_ssl_init(&this->ssl);
::mbedtls_ssl_config_init(&this->conf);
::mbedtls_x509_crt_init(&this->cacert);
if ((iRet = ::mbedtls_ssl_config_defaults(&this->conf,
this->meta_.bIsClient ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
@ -169,7 +168,21 @@ namespace Aurora::IO::TLS
return false;
}
::mbedtls_ssl_conf_authmode(&this->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
if (this->meta_.bIsClient)
{
::mbedtls_ssl_conf_authmode(&this->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
}
else
{
if (this->meta_.server.bPinServerPeers)
{
::mbedtls_ssl_conf_authmode(&this->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
}
else
{
::mbedtls_ssl_conf_authmode(&this->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
}
}
::mbedtls_ssl_conf_ca_cb(&this->conf, [](void *p_ctx,
mbedtls_x509_crt const *child,
@ -192,16 +205,130 @@ namespace Aurora::IO::TLS
return false;
}
if (this->meta_.sSNIServerName.size())
if (this->meta_.bIsClient)
{
if ((iRet = ::mbedtls_ssl_set_hostname(&this->ssl, this->meta_.sSNIServerName.c_str())) != 0)
if (this->meta_.client.sSNIServerName.size())
{
SysPushErrorNet("{} ({})", TLSErrorToString(iRet), iRet);
return false;
if ((iRet = ::mbedtls_ssl_set_hostname(&this->ssl, this->meta_.client.sSNIServerName.c_str())) != 0)
{
SysPushErrorNet("{} ({})", TLSErrorToString(iRet), iRet);
return false;
}
}
}
::mbedtls_ssl_set_bio(&this->ssl, this, TLSContextSend, TLSContextRecv, nullptr);
if (!this->meta_.bIsClient)
{
if (this->meta_.server.bSessionCache)
{
#if defined(MBEDTLS_SSL_CACHE_C)
::mbedtls_ssl_cache_init(&this->cache_);
if (this->meta_.server.iCacheMax != -1)
{
::mbedtls_ssl_cache_set_max_entries(&this->cache_, this->meta_.server.iCacheMax);
}
if (this->meta_.server.iCacheTimeout)
{
::mbedtls_ssl_cache_set_timeout(&this->cache_, this->meta_.server.iCacheTimeout);
}
::mbedtls_ssl_conf_session_cache(&this->conf,
&this->cache_,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set);
#endif
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
::mbedtls_ssl_ticket_init(&this->ticketCtx_);
#endif
if (this->meta_.transportProtocol == Net::ETransportProtocol::eProtocolUDP)
{
#if defined(MBEDTLS_SSL_COOKIE_C)
::mbedtls_ssl_cookie_init(&this->cookieCtx_);
#endif
#if defined(MBEDTLS_SSL_COOKIE_C)
if (this->meta_.dtls.iServerCookies > 0)
{
if ((iRet = ::mbedtls_ssl_cookie_setup(&this->cookieCtx_,
mbedtls_ctr_drbg_random,
&gCtrDrbg)) != 0)
{
SysPushErrorNet("{} ({})", TLSErrorToString(iRet), iRet);
return false;
}
::mbedtls_ssl_conf_dtls_cookies(&conf,
mbedtls_ssl_cookie_write,
mbedtls_ssl_cookie_check,
&this->cookieCtx_);
}
else
#endif
{
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if (this->meta_.dtls.iServerCookies == 0)
{
::mbedtls_ssl_conf_dtls_cookies(&conf, NULL, NULL, NULL);
}
#endif
}
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
::mbedtls_ssl_conf_dtls_anti_replay(&this->conf,
this->meta_.dtls.iServerCookies ? MBEDTLS_SSL_ANTI_REPLAY_ENABLED : MBEDTLS_SSL_ANTI_REPLAY_DISABLED);
#endif
::mbedtls_ssl_conf_dtls_badmac_limit(&this->conf,
this->meta_.dtls.iServerBacMacLimit);
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (this->meta_.server.bEnableTickets)
{
if ((iRet = ::mbedtls_ssl_ticket_setup(&this->ticketCtx_,
mbedtls_ctr_drbg_random,
&gCtrDrbg,
MBEDTLS_CIPHER_AES_256_GCM,
this->meta_.server.iTicketTimeout)) != 0)
{
SysPushErrorNet("{} ({})", TLSErrorToString(iRet), iRet);
return false;
}
::mbedtls_ssl_conf_session_tickets_cb(&this->conf,
mbedtls_ssl_ticket_write,
mbedtls_ssl_ticket_parse,
&this->ticketCtx_);
}
#endif
}
if (this->meta_.transportProtocol == Net::ETransportProtocol::eProtocolUDP)
{
if (this->meta_.dtls.iMTUSize)
{
::mbedtls_ssl_set_mtu(&this->ssl,
this->meta_.dtls.iMTUSize);
}
::mbedtls_ssl_set_timer_cb(&this->ssl,
&this->timer_,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
}
::mbedtls_ssl_set_bio(&this->ssl,
this,
TLSContextSend,
TLSContextRecv,
nullptr);
if (this->meta_.cipherSuites.size())
{
@ -243,7 +370,18 @@ namespace Aurora::IO::TLS
{
::mbedtls_ssl_free(&this->ssl);
::mbedtls_ssl_config_free(&this->conf);
::mbedtls_x509_crt_free(&this->cacert);
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
::mbedtls_ssl_ticket_free(&this->ticketCtx_);
#endif
#if defined(MBEDTLS_SSL_CACHE_C)
::mbedtls_ssl_cache_free(&this->cache_);
#endif
#if defined(MBEDTLS_SSL_COOKIE_C)
::mbedtls_ssl_cookie_free(&this->cookieCtx_);
#endif
this->Attach({});
}
@ -337,6 +475,11 @@ namespace Aurora::IO::TLS
}
}
AuUInt16 TLSContext::GetCurrentCipherSuite()
{
return ::mbedtls_ssl_get_ciphersuite_id_from_ssl(&this->ssl);
}
void TLSContext::StartClose()
{
}

27
Source/IO/TLS/TLSContext.hpp
View File

@ -6,14 +6,11 @@
Author: Reece
***/
#pragma once
#include "TLS.hpp"
#include "TLSProtocolRecv.hpp"
#include "TLSProtocolSend.hpp"
#include <mbedtls/ssl.h>
#include <mbedtls/entropy.h>
#include <mbedtls/ctr_drbg.h>
namespace Aurora::IO::Protocol
{
struct ProtocolStack;
@ -46,6 +43,8 @@ namespace Aurora::IO::TLS
virtual void StartHandshake() override;
virtual void StartClose() override;
virtual AuUInt16 GetCurrentCipherSuite() override;
virtual bool HasCompletedHandshake() override;
virtual bool HasEnded() override;
virtual bool HasFailed() override;
@ -63,15 +62,29 @@ namespace Aurora::IO::TLS
int iFatalError {};
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_ssl_context ssl {};
mbedtls_ssl_config conf {};
int Read(void *pOut, AuUInt length);
int Write(const void *pIn, AuUInt length);
bool CheckCertificate(const AuMemoryViewRead &read);
private:
mbedtls_timing_delay_context timer_ {};
#if defined(MBEDTLS_SSL_COOKIE_C)
mbedtls_ssl_cookie_ctx cookieCtx_ {};
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_context ticketCtx_ {};
#endif
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context cache_ {};
#endif
AuList<int> cipherSuites_;
TLSMeta meta_;
AuWPtr<Net::ISocket> wpSocket_;