seedlingattempt/godot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[NET] Refactor TLS configuration.

Browse Source 
Use a TLSOptions configuration object which is created via static
functions.

- "TLSOptions.client": uses the standard CA and common name verification.
- "TLSOptions.client_unsafe": uses optional CA verification (i.e. if specified)
- "TLSOptions.server": is the standard server configuration (chain + key)

This will allow us to expand the TLS configuration options to include
e.g. mutual authentication without bloating the classes that uses
StreamPeerTLS and PacketPeerDTLS as underlying peers.
This commit is contained in:
Fabio Alessandrelli
2023-01-20 01:51:35 +01:00
parent 2afa175195
commit adba870534
47 changed files with 338 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
core/crypto/crypto.cpp
View File

@ -65,6 +65,45 @@ void X509Certificate::_bind_methods() {
ClassDB::bind_method(D_METHOD("load", "path"), &X509Certificate::load);
}
/// TLSOptions
Ref<TLSOptions> TLSOptions::client(Ref<X509Certificate> p_trusted_chain, const String &p_common_name_override) {
Ref<TLSOptions> opts;
opts.instantiate();
opts->trusted_ca_chain = p_trusted_chain;
opts->common_name = p_common_name_override;
opts->verify_mode = TLS_VERIFY_FULL;
return opts;
}
Ref<TLSOptions> TLSOptions::client_unsafe(Ref<X509Certificate> p_trusted_chain) {
Ref<TLSOptions> opts;
opts.instantiate();
opts->trusted_ca_chain = p_trusted_chain;
if (p_trusted_chain.is_null()) {
opts->verify_mode = TLS_VERIFY_NONE;
} else {
opts->verify_mode = TLS_VERIFY_CERT;
}
return opts;
}
Ref<TLSOptions> TLSOptions::server(Ref<CryptoKey> p_own_key, Ref<X509Certificate> p_own_certificate) {
Ref<TLSOptions> opts;
opts.instantiate();
opts->server_mode = true;
opts->own_certificate = p_own_certificate;
opts->private_key = p_own_key;
opts->verify_mode = TLS_VERIFY_NONE;
return opts;
}
void TLSOptions::_bind_methods() {
ClassDB::bind_static_method("TLSOptions", D_METHOD("client", "trusted_chain", "common_name_override"), &TLSOptions::client, DEFVAL(Ref<X509Certificate>()), DEFVAL(String()));
ClassDB::bind_static_method("TLSOptions", D_METHOD("client_unsafe", "trusted_chain"), &TLSOptions::client_unsafe, DEFVAL(Ref<X509Certificate>()));
ClassDB::bind_static_method("TLSOptions", D_METHOD("server", "key", "certificate"), &TLSOptions::server);
}
/// HMACContext
void HMACContext::_bind_methods() {

34
core/crypto/crypto.h
View File

@ -67,6 +67,40 @@ public:
virtual Error save(String p_path) = 0;
};
class TLSOptions : public RefCounted {
GDCLASS(TLSOptions, RefCounted);
public:
enum TLSVerifyMode {
TLS_VERIFY_NONE = 0,
TLS_VERIFY_CERT = 1,
TLS_VERIFY_FULL = 2,
};
private:
bool server_mode = false;
String common_name;
TLSVerifyMode verify_mode = TLS_VERIFY_FULL;
Ref<X509Certificate> trusted_ca_chain;
Ref<X509Certificate> own_certificate;
Ref<CryptoKey> private_key;
protected:
static void _bind_methods();
public:
static Ref<TLSOptions> client(Ref<X509Certificate> p_trusted_chain = Ref<X509Certificate>(), const String &p_common_name_override = String());
static Ref<TLSOptions> client_unsafe(Ref<X509Certificate> p_trusted_chain);
static Ref<TLSOptions> server(Ref<CryptoKey> p_own_key, Ref<X509Certificate> p_own_certificate);
TLSVerifyMode get_verify_mode() const { return verify_mode; }
String get_common_name() const { return common_name; }
Ref<X509Certificate> get_trusted_ca_chain() const { return trusted_ca_chain; }
Ref<X509Certificate> get_own_certificate() const { return own_certificate; }
Ref<CryptoKey> get_private_key() const { return private_key; }
bool is_server() const { return server_mode; }
};
class HMACContext : public RefCounted {
GDCLASS(HMACContext, RefCounted);