Merge pull request #63 from steve-nzr/refactor/mojang-tls

fix: using sni with tls
cuberite · Apr 7, 2023 · 04c0392 · 04c0392
2 parents 32fcb7d + 2665629
commit 04c0392
Show file tree

Hide file tree

Showing 8 changed files with 15 additions and 32 deletions.
diff --git a/src/Bindings/LuaTCPLink.cpp b/src/Bindings/LuaTCPLink.cpp
@@ -192,7 +192,9 @@ AString cLuaTCPLink::StartTLSClient(
 				return Printf("Cannot parse client private key: -0x%x", res);
 			}
 		}
-		return link->StartTLSClient(ownCert, ownPrivKey);
+
+		// TODO : Provide a way to pass SNI from Lua too.
+		return link->StartTLSClient(ownCert, ownPrivKey, "");
 	}
 	return "";
 }

diff --git a/src/HTTP/UrlClient.cpp b/src/HTTP/UrlClient.cpp
@@ -299,7 +299,7 @@ class cHttpSchemeHandler:
 		m_Link = &a_Link;
 		if (m_IsTls)
 		{
-			m_Link->StartTLSClient(m_ParentRequest.GetOwnCert(), m_ParentRequest.GetOwnPrivKey());
+			m_Link->StartTLSClient(m_ParentRequest.GetOwnCert(), m_ParentRequest.GetOwnPrivKey(), m_ParentRequest.m_UrlHost);
 		}
 		else
 		{

diff --git a/src/OSSupport/Network.h b/src/OSSupport/Network.h
@@ -113,7 +113,8 @@ class cTCPLink
 	Returns empty string on success, non-empty error description on failure. */
 	virtual AString StartTLSClient(
 		cX509CertPtr a_OwnCert,
-		cCryptoKeyPtr a_OwnPrivKey
+		cCryptoKeyPtr a_OwnPrivKey,
+		const std::string_view hostname
 	) = 0;
 
 	/** Starts a TLS handshake as a server connection.

diff --git a/src/OSSupport/TCPLinkImpl.cpp b/src/OSSupport/TCPLinkImpl.cpp
@@ -237,7 +237,8 @@ void cTCPLinkImpl::Close(void)
 
 AString cTCPLinkImpl::StartTLSClient(
 	cX509CertPtr a_OwnCert,
-	cCryptoKeyPtr a_OwnPrivKey
+	cCryptoKeyPtr a_OwnPrivKey,
+	const std::string_view hostname
 )
 {
 	// Check preconditions:
@@ -263,6 +264,8 @@ AString cTCPLinkImpl::StartTLSClient(
 		m_TlsContext->Initialize(true);
 	}
 
+	m_TlsContext->SetExpectedPeerName(hostname);
+
 	m_TlsContext->SetSelf(cLinkTlsContextWPtr(m_TlsContext));
 
 	// Start the handshake:

diff --git a/src/OSSupport/TCPLinkImpl.h b/src/OSSupport/TCPLinkImpl.h
@@ -68,7 +68,8 @@ class cTCPLinkImpl:
 	virtual void Close(void) override;
 	virtual AString StartTLSClient(
 		cX509CertPtr a_OwnCert,
-		cCryptoKeyPtr a_OwnPrivKey
+		cCryptoKeyPtr a_OwnPrivKey,
+		const std::string_view hostname
 	) override;
 	virtual AString StartTLSServer(
 		cX509CertPtr a_OwnCert,

diff --git a/src/mbedTLS++/RootCA.h b/src/mbedTLS++/RootCA.h
@@ -34,30 +34,6 @@ static cX509CertPtr GetCACerts(void)
 		"CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
 		"-----END CERTIFICATE-----\n"
 
-		// DigiCert Global Root G2
-		"-----BEGIN CERTIFICATE-----\n"
-		"MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\n"
-		"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
-		"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n"
-		"MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\n"
-		"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
-		"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\n"
-		"9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\n"
-		"2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\n"
-		"1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\n"
-		"q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\n"
-		"tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\n"
-		"vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\n"
-		"BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\n"
-		"5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\n"
-		"1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\n"
-		"NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\n"
-		"Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\n"
-		"8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\n"
-		"pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\n"
-		"MrY=\n"
-		"-----END CERTIFICATE-----\n"
-
 		// Amazon Root CA 1 (api.mojang.com)
 		// Downloaded from https://www.amazontrust.com/repository/
 		"-----BEGIN CERTIFICATE-----\n"

diff --git a/src/mbedTLS++/SslContext.cpp b/src/mbedTLS++/SslContext.cpp
@@ -82,10 +82,10 @@ int cSslContext::Initialize(bool a_IsClient)
 
 
 
-void cSslContext::SetExpectedPeerName(const AString & a_ExpectedPeerName)
+void cSslContext::SetExpectedPeerName(const std::string_view a_ExpectedPeerName)
 {
 	ASSERT(m_IsValid);  // Call Initialize() first
-	mbedtls_ssl_set_hostname(&m_Ssl, a_ExpectedPeerName.c_str());
+	mbedtls_ssl_set_hostname(&m_Ssl, a_ExpectedPeerName.data());
 }
 
 

diff --git a/src/mbedTLS++/SslContext.h b/src/mbedTLS++/SslContext.h
@@ -54,7 +54,7 @@ class cSslContext abstract
 	/** Sets the SSL peer name expected for this context. Must be called after Initialize().
 	\param a_ExpectedPeerName CommonName that we expect the SSL peer to have in its cert,
 	if it is different, the verification will fail. An empty string will disable the CN check. */
-	void SetExpectedPeerName(const AString & a_ExpectedPeerName);
+	void SetExpectedPeerName(const std::string_view a_ExpectedPeerName);
 
 	/** Writes data to be encrypted and sent to the SSL peer. Will perform SSL handshake, if needed.
 	Returns the number of bytes actually written, or mbedTLS error code.