From 84941bcc9f25cbe3fd3b2604080d0a1cfd8fbaa7 Mon Sep 17 00:00:00 2001 From: peterbell10 Date: Wed, 30 Aug 2017 15:00:06 +0100 Subject: Update mbedtls to 2.5.1 (#3964) * Renaming changes: * macro prefix "POLARSSL" -> "MBEDTLS" * functions now prefixed with "mbedtls_" * rename PolarSSL++ -> mbedTLS++ * rename polarssl submodule * Use mbedtls' AES-CFB8 implementation. * Add cSslConfig to wrap mbedtls_ssl_config * Update cTCPLink and cBlockingSslClientSocket to use cSslConfig * Use cSslConfig in cHTTPServer * Use cSslConfig for cMojangAPI::SecureRequest * CI Fixes * Set -fomit-frame-pointer on the right target --- src/Protocol/Authenticator.cpp | 2 +- src/Protocol/MojangAPI.cpp | 44 +++++++++++++++++++++++++++++++++--------- src/Protocol/Protocol_1_8.cpp | 2 +- src/Protocol/Protocol_1_8.h | 4 ++-- src/Protocol/Protocol_1_9.cpp | 2 +- src/Protocol/Protocol_1_9.h | 4 ++-- 6 files changed, 42 insertions(+), 16 deletions(-) (limited to 'src/Protocol') diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp index d46127d34..445a3dff5 100644 --- a/src/Protocol/Authenticator.cpp +++ b/src/Protocol/Authenticator.cpp @@ -11,7 +11,7 @@ #include "../IniFile.h" #include "json/json.h" -#include "PolarSSL++/BlockingSslClientSocket.h" +#include "mbedTLS++/BlockingSslClientSocket.h" diff --git a/src/Protocol/MojangAPI.cpp b/src/Protocol/MojangAPI.cpp index 5a11356c1..0b14d1cac 100644 --- a/src/Protocol/MojangAPI.cpp +++ b/src/Protocol/MojangAPI.cpp @@ -1,4 +1,4 @@ - + // MojangAPI.cpp // Implements the cMojangAPI class representing the various API points provided by Mojang's webservices, and a cache for their results @@ -9,7 +9,8 @@ #include "SQLiteCpp/Statement.h" #include "../IniFile.h" #include "json/json.h" -#include "PolarSSL++/BlockingSslClientSocket.h" +#include "mbedTLS++/BlockingSslClientSocket.h" +#include "mbedTLS++/SslConfig.h" #include "../RankManager.h" #include "../OSSupport/IsThread.h" #include "../Root.h" @@ -39,9 +40,9 @@ const int MAX_PER_QUERY = 100; /** Returns the CA certificates that should be trusted for Mojang-related connections. */ -static const AString & GetCACerts(void) +static cX509CertPtr GetCACerts(void) { - static const AString Cert( + static const char CertString[] = // GeoTrust root CA cert // Currently used for signing *.mojang.com's cert // Exported from Mozilla Firefox's built-in CA repository @@ -140,9 +141,33 @@ static const AString & GetCACerts(void) "VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY\n" "WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=\n" "-----END CERTIFICATE-----\n" - ); + ; + + static auto X509Cert = [&]() + { + auto Cert = std::make_shared(); + VERIFY(0 == Cert->Parse(CertString, sizeof(CertString))); + return Cert; + }(); + + return X509Cert; +} - return Cert; + + + + +/** Returns the config to be used for secure requests. */ +static std::shared_ptr GetSslConfig() +{ + static const std::shared_ptr Config = []() + { + auto Conf = cSslConfig::MakeDefaultConfig(true); + Conf->SetCACerts(GetCACerts()); + Conf->SetAuthMode(eSslAuthMode::Required); + return Conf; + }(); + return Config; } @@ -432,7 +457,8 @@ bool cMojangAPI::SecureRequest(const AString & a_ServerName, const AString & a_R { // Connect the socket: cBlockingSslClientSocket Socket; - Socket.SetTrustedRootCertsFromString(GetCACerts(), a_ServerName); + Socket.SetSslConfig(GetSslConfig()); + Socket.SetExpectedPeerName(a_ServerName); if (!Socket.Connect(a_ServerName, 443)) { LOGWARNING("%s: Can't connect to %s: %s", __FUNCTION__, a_ServerName.c_str(), Socket.GetLastErrorText().c_str()); @@ -452,13 +478,13 @@ bool cMojangAPI::SecureRequest(const AString & a_ServerName, const AString & a_R { int ret = Socket.Receive(buf, sizeof(buf)); - if ((ret == POLARSSL_ERR_NET_WANT_READ) || (ret == POLARSSL_ERR_NET_WANT_WRITE)) + if ((ret == MBEDTLS_ERR_SSL_WANT_READ) || (ret == MBEDTLS_ERR_SSL_WANT_WRITE)) { // This value should never be returned, it is handled internally by cBlockingSslClientSocket LOGWARNING("%s: SSL reading failed internally", __FUNCTION__); return false; } - if (ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) + if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { break; } diff --git a/src/Protocol/Protocol_1_8.cpp b/src/Protocol/Protocol_1_8.cpp index c77af1029..7f4b074ce 100644 --- a/src/Protocol/Protocol_1_8.cpp +++ b/src/Protocol/Protocol_1_8.cpp @@ -11,7 +11,7 @@ Implements the 1.8 protocol classes: #include "json/json.h" #include "Protocol_1_8.h" #include "ChunkDataSerializer.h" -#include "PolarSSL++/Sha1Checksum.h" +#include "mbedTLS++/Sha1Checksum.h" #include "Packetizer.h" #include "../ClientHandle.h" diff --git a/src/Protocol/Protocol_1_8.h b/src/Protocol/Protocol_1_8.h index b04e5c5f0..d3d0daf0a 100644 --- a/src/Protocol/Protocol_1_8.h +++ b/src/Protocol/Protocol_1_8.h @@ -29,8 +29,8 @@ Declares the 1.8 protocol classes: #pragma warning(pop) #endif -#include "PolarSSL++/AesCfb128Decryptor.h" -#include "PolarSSL++/AesCfb128Encryptor.h" +#include "mbedTLS++/AesCfb128Decryptor.h" +#include "mbedTLS++/AesCfb128Encryptor.h" diff --git a/src/Protocol/Protocol_1_9.cpp b/src/Protocol/Protocol_1_9.cpp index c6e007984..c440a94ca 100644 --- a/src/Protocol/Protocol_1_9.cpp +++ b/src/Protocol/Protocol_1_9.cpp @@ -17,7 +17,7 @@ Implements the 1.9 protocol classes: #include "json/json.h" #include "Protocol_1_9.h" #include "ChunkDataSerializer.h" -#include "PolarSSL++/Sha1Checksum.h" +#include "mbedTLS++/Sha1Checksum.h" #include "Packetizer.h" #include "../ClientHandle.h" diff --git a/src/Protocol/Protocol_1_9.h b/src/Protocol/Protocol_1_9.h index b4fdc7f67..3fbbe86da 100644 --- a/src/Protocol/Protocol_1_9.h +++ b/src/Protocol/Protocol_1_9.h @@ -35,8 +35,8 @@ Declares the 1.9 protocol classes: #pragma warning(pop) #endif -#include "PolarSSL++/AesCfb128Decryptor.h" -#include "PolarSSL++/AesCfb128Encryptor.h" +#include "mbedTLS++/AesCfb128Decryptor.h" +#include "mbedTLS++/AesCfb128Encryptor.h" -- cgit v1.2.3