1 files changed, 29 insertions, 61 deletions

diff --git a/src/PolarSSL++/SslContext.h b/src/mbedTLS++/SslContext.h
index 0588122ba..c51a9f149 100644
--- a/src/PolarSSL++/SslContext.h
+++ b/src/mbedTLS++/SslContext.h
@@ -1,4 +1,4 @@
-
+
 // SslContext.h
 
 // Declares the cSslContext class that holds everything a single SSL context needs to function
@@ -9,11 +9,8 @@
 
 #pragma once
 
-#include "polarssl/ssl.h"
+#include "mbedtls/ssl.h"
 #include "../ByteBuffer.h"
-#include "CryptoKey.h"
-#include "RsaPrivateKey.h"
-#include "X509Cert.h"
 
 
 
@@ -21,6 +18,7 @@
 
 // fwd:
 class cCtrDrbgContext;
+class cSslConfig;
 
 
 
@@ -43,45 +41,40 @@ public:
 	virtual ~cSslContext();
 
 	/** Initializes the context for use as a server or client.
-	Returns 0 on success, PolarSSL error on failure. */
-	int Initialize(bool a_IsClient, const std::shared_ptr<cCtrDrbgContext> & a_CtrDrbg = {});
+	a_Config must not be nullptr and the config must not be changed after this call.
+	Returns 0 on success, mbedTLS error on failure. */
+	int Initialize(std::shared_ptr<const cSslConfig> a_Config);
+
+	/** Initializes the context using the default config. */
+	int Initialize(bool a_IsClient);
 
 	/** Returns true if the object has been initialized properly. */
 	bool IsValid(void) const { return m_IsValid; }
 
-	/** Sets the certificate to use as our own. Must be used when representing a server, optional when client.
-	Must be called after Initialize(). */
-	void SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKeyPtr & a_OwnCertPrivKey);
-
-	/** Sets the certificate to use as our own. Must be used when representing a server, optional when client.
-	Must be called after Initialize(). */
-	void SetOwnCert(const cX509CertPtr & a_OwnCert, const cCryptoKeyPtr & a_OwnCertPrivKey);
-
-	/** Sets a cert chain as the trusted cert store for this context. Must be called after Initialize().
-	Calling this will switch the context into strict cert verification mode.
-	a_ExpectedPeerName is the CommonName that we expect the SSL peer to have in its cert,
+	/** Sets the SSL peer name expected for this context. Must be called after Initialize().
+	\param a_ExpectedPeerName CommonName that we expect the SSL peer to have in its cert,
 	if it is different, the verification will fail. An empty string will disable the CN check. */
-	void SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName);
+	void SetExpectedPeerName(const AString & a_ExpectedPeerName);
 
 	/** Writes data to be encrypted and sent to the SSL peer. Will perform SSL handshake, if needed.
-	Returns the number of bytes actually written, or PolarSSL error code.
-	If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any
+	Returns the number of bytes actually written, or mbedTLS error code.
+	If the return value is MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, the owner should send any
 	cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call
 	this function again with the same parameters. Note that this may repeat a few times before the data is
 	actually written, mainly due to initial handshake. */
 	int WritePlain(const void * a_Data, size_t a_NumBytes);
 
 	/** Reads data decrypted from the SSL stream. Will perform SSL handshake, if needed.
-	Returns the number of bytes actually read, or PolarSSL error code.
-	If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any
+	Returns the number of bytes actually read, or mbedTLS error code.
+	If the return value is MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, the owner should send any
 	cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call
 	this function again with the same parameters. Note that this may repeat a few times before the data is
 	actually read, mainly due to initial handshake. */
 	int ReadPlain(void * a_Data, size_t a_MaxBytes);
 
 	/** Performs the SSL handshake.
-	Returns zero on success, PoladSSL error code on failure.
-	If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any
+	Returns zero on success, mbedTLS error code on failure.
+	If the return value is MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, the owner should send any
 	cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call
 	this function again. Note that this may repeat a few times before the handshake is completed. */
 	int Handshake(void);
@@ -90,64 +83,39 @@ public:
 	bool HasHandshaken(void) const { return m_HasHandshaken; }
 
 	/** Notifies the SSL peer that the connection is being closed.
-	Returns 0 on success, PolarSSL error code on failure. */
+	Returns 0 on success, mbedTLS error code on failure. */
 	int NotifyClose(void);
 
 protected:
-	/** True if the object has been initialized properly. */
-	bool m_IsValid;
-
-	/** The random generator to use */
-	std::shared_ptr<cCtrDrbgContext> m_CtrDrbg;
-
-	/** The SSL context that PolarSSL uses. */
-	ssl_context m_Ssl;
 
-	/** The certificate that we present to the peer. */
-	cX509CertPtr m_OwnCert;
+	/** Configuration of the SSL context. */
+	std::shared_ptr<const cSslConfig> m_Config;
 
-	/** Private key for m_OwnCert, if initialized from a cRsaPrivateKey. */
-	cRsaPrivateKeyPtr m_OwnCertPrivKey;
+	/** The SSL context that mbedTLS uses. */
+	mbedtls_ssl_context m_Ssl;
 
-	/** Private key for m_OwnCert, if initialized from a cCryptoKey. */
-	cCryptoKeyPtr m_OwnCertPrivKey2;
+	/** True if the object has been initialized properly. */
+	bool m_IsValid;
 
 	/** True if the SSL handshake has been completed. */
 	bool m_HasHandshaken;
 
-	/** A copy of the trusted CA root cert store that is passed to us in SetCACerts(), so that the pointer
-	stays valid even after the call, when PolarSSL finally uses it. */
-	cX509CertPtr m_CACerts;
-
-	/** Buffer for the expected peer name. We need to buffer it because the caller may free the string they
-	give us before PolarSSL consumes the raw pointer it gets to the CN. */
-	AString m_ExpectedPeerName;
-
-
-	/** The callback used by PolarSSL when it wants to read encrypted data. */
+	/** The callback used by mbedTLS when it wants to read encrypted data. */
 	static int ReceiveEncrypted(void * a_This, unsigned char * a_Buffer, size_t a_NumBytes)
 	{
 		return (reinterpret_cast<cSslContext *>(a_This))->ReceiveEncrypted(a_Buffer, a_NumBytes);
 	}
 
-	/** The callback used by PolarSSL when it wants to write encrypted data. */
+	/** The callback used by mbedTLS when it wants to write encrypted data. */
 	static int SendEncrypted(void * a_This, const unsigned char * a_Buffer, size_t a_NumBytes)
 	{
 		return (reinterpret_cast<cSslContext *>(a_This))->SendEncrypted(a_Buffer, a_NumBytes);
 	}
 
-	#ifdef _DEBUG
-		/** The callback used by PolarSSL to output debug messages */
-		static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text);
-
-		/** The callback used by PolarSSL to log information on the cert chain */
-		static int SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags);
-	#endif  // _DEBUG
-
-	/** Called when PolarSSL wants to read encrypted data. */
+	/** Called when mbedTLS wants to read encrypted data. */
 	virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) = 0;
 
-	/** Called when PolarSSL wants to write encrypted data. */
+	/** Called when mbedTLS wants to write encrypted data. */
 	virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) = 0;
 } ;