1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 04:17:35 +00:00

Userland: Convert TLS::TLSv12 to a Core::Stream::Socket

This commit converts TLS::TLSv12 to a Core::Stream object, and in the
process allows TLS to now wrap other Core::Stream::Socket objects.
As a large part of LibHTTP and LibGemini depend on LibTLS's interface,
this also converts those to support Core::Stream, which leads to a
simplification of LibHTTP (as there's no need to care about the
underlying socket type anymore).
Note that RequestServer now controls the TLS socket options, which is a
better place anyway, as RS is the first receiver of the user-requested
options (though this is currently not particularly useful).
This commit is contained in:
Ali Mohammad Pur 2022-02-02 19:21:55 +03:30 committed by Andreas Kling
parent 7a95c451a3
commit aafc451016
47 changed files with 841 additions and 1157 deletions

View file

@ -183,6 +183,7 @@ void TLSv12::set_root_certificates(Vector<Certificate> certificates)
// FIXME: Figure out what we should do when our root certs are invalid.
}
m_context.root_certificates = move(certificates);
dbgln_if(TLS_DEBUG, "{}: Set {} root certificates", this, m_context.root_certificates.size());
}
bool Context::verify_chain() const
@ -223,7 +224,7 @@ bool Context::verify_chain() const
auto ref = chain.get(it.value);
if (!ref.has_value()) {
dbgln("Certificate for {} is not signed by anyone we trust ({})", it.key, it.value);
dbgln("{}: Certificate for {} is not signed by anyone we trust ({})", this, it.key, it.value);
return false;
}
@ -301,50 +302,43 @@ void TLSv12::pseudorandom_function(Bytes output, ReadonlyBytes secret, const u8*
}
}
TLSv12::TLSv12(Core::Object* parent, Options options)
: Core::Socket(Core::Socket::Type::TCP, parent)
TLSv12::TLSv12(StreamVariantType stream, Options options)
: m_stream(move(stream))
{
m_context.options = move(options);
m_context.is_server = false;
m_context.tls_buffer = {};
#ifdef SOCK_NONBLOCK
int fd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
#else
int fd = socket(AF_INET, SOCK_STREAM, 0);
int option = 1;
ioctl(fd, FIONBIO, &option);
#endif
if (fd < 0) {
set_error(errno);
} else {
set_fd(fd);
set_mode(Core::OpenMode::ReadWrite);
set_error(0);
}
set_root_certificates(m_context.options.root_certificates.has_value()
? *m_context.options.root_certificates
: DefaultRootCACertificates::the().certificates());
setup_connection();
}
bool TLSv12::add_client_key(ReadonlyBytes certificate_pem_buffer, ReadonlyBytes rsa_key) // FIXME: This should not be bound to RSA
Vector<Certificate> TLSv12::parse_pem_certificate(ReadonlyBytes certificate_pem_buffer, ReadonlyBytes rsa_key) // FIXME: This should not be bound to RSA
{
if (certificate_pem_buffer.is_empty() || rsa_key.is_empty()) {
return true;
return {};
}
auto decoded_certificate = Crypto::decode_pem(certificate_pem_buffer);
if (decoded_certificate.is_empty()) {
dbgln("Certificate not PEM");
return false;
return {};
}
auto maybe_certificate = Certificate::parse_asn1(decoded_certificate);
if (!maybe_certificate.has_value()) {
dbgln("Invalid certificate");
return false;
return {};
}
Crypto::PK::RSA rsa(rsa_key);
auto certificate = maybe_certificate.release_value();
certificate.private_key = rsa.private_key();
return add_client_key(certificate);
return { move(certificate) };
}
Singleton<DefaultRootCACertificates> DefaultRootCACertificates::s_the;
@ -364,5 +358,6 @@ DefaultRootCACertificates::DefaultRootCACertificates()
cert.not_after = Crypto::ASN1::parse_generalized_time(config->read_entry(entity, "not_after", "")).value_or(next_year);
m_ca_certificates.append(move(cert));
}
dbgln("Loaded {} CA Certificates", m_ca_certificates.size());
}
}