Update mbedtls to 2.5.1 (#3964)

* Renaming changes: * macro prefix "POLARSSL" -> "MBEDTLS" * functions now prefixed with "mbedtls_" * rename PolarSSL++ -> mbedTLS++ * rename polarssl submodule * Use mbedtls' AES-CFB8 implementation. * Add cSslConfig to wrap mbedtls_ssl_config * Update cTCPLink and cBlockingSslClientSocket to use cSslConfig * Use cSslConfig in cHTTPServer * Use cSslConfig for cMojangAPI::SecureRequest * CI Fixes * Set -fomit-frame-pointer on the right target
2017-08-30 15:00:06 +01:00
parent c6bc822054
commit 84941bcc9f
59 changed files with 952 additions and 699 deletions
--- a/src/Protocol/MojangAPI.cpp
+++ b/src/Protocol/MojangAPI.cpp
@@ -1,4 +1,4 @@
-
+
 // MojangAPI.cpp

 // Implements the cMojangAPI class representing the various API points provided by Mojang's webservices, and a cache for their results
@@ -9,7 +9,8 @@
 #include "SQLiteCpp/Statement.h"
 #include "../IniFile.h"
 #include "json/json.h"
-#include "PolarSSL++/BlockingSslClientSocket.h"
+#include "mbedTLS++/BlockingSslClientSocket.h"
+#include "mbedTLS++/SslConfig.h"
 #include "../RankManager.h"
 #include "../OSSupport/IsThread.h"
 #include "../Root.h"
@@ -39,9 +40,9 @@ const int MAX_PER_QUERY = 100;


 /** Returns the CA certificates that should be trusted for Mojang-related connections. */
-static const AString & GetCACerts(void)
+static cX509CertPtr GetCACerts(void)
 {
-	static const AString Cert(
+	static const char CertString[] =
 		// GeoTrust root CA cert
 		// Currently used for signing *.mojang.com's cert
 		// Exported from Mozilla Firefox's built-in CA repository
@@ -140,9 +141,33 @@ static const AString & GetCACerts(void)
 		"VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY\n"
 		"WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=\n"
 		"-----END CERTIFICATE-----\n"
-	);
+	;

-	return Cert;
+	static auto X509Cert = [&]()
+	{
+		auto Cert = std::make_shared<cX509Cert>();
+		VERIFY(0 == Cert->Parse(CertString, sizeof(CertString)));
+		return Cert;
+	}();
+
+	return X509Cert;
+}
+
+
+
+
+
+/** Returns the config to be used for secure requests. */
+static std::shared_ptr<const cSslConfig> GetSslConfig()
+{
+	static const std::shared_ptr<const cSslConfig> Config = []()
+	{
+		auto Conf = cSslConfig::MakeDefaultConfig(true);
+		Conf->SetCACerts(GetCACerts());
+		Conf->SetAuthMode(eSslAuthMode::Required);
+		return Conf;
+	}();
+	return Config;
 }


@@ -432,7 +457,8 @@ bool cMojangAPI::SecureRequest(const AString & a_ServerName, const AString & a_R
 {
 	// Connect the socket:
 	cBlockingSslClientSocket Socket;
-	Socket.SetTrustedRootCertsFromString(GetCACerts(), a_ServerName);
+	Socket.SetSslConfig(GetSslConfig());
+	Socket.SetExpectedPeerName(a_ServerName);
 	if (!Socket.Connect(a_ServerName, 443))
 	{
 		LOGWARNING("%s: Can't connect to %s: %s", __FUNCTION__, a_ServerName.c_str(), Socket.GetLastErrorText().c_str());
@@ -452,13 +478,13 @@ bool cMojangAPI::SecureRequest(const AString & a_ServerName, const AString & a_R
 	{
 		int ret = Socket.Receive(buf, sizeof(buf));

-		if ((ret == POLARSSL_ERR_NET_WANT_READ) || (ret == POLARSSL_ERR_NET_WANT_WRITE))
+		if ((ret == MBEDTLS_ERR_SSL_WANT_READ) || (ret == MBEDTLS_ERR_SSL_WANT_WRITE))
 		{
 			// This value should never be returned, it is handled internally by cBlockingSslClientSocket
 			LOGWARNING("%s: SSL reading failed internally", __FUNCTION__);
 			return false;
 		}
-		if (ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY)
+		if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
 		{
 			break;
 		}