Load QUIC certificate from file, ref #628

ryzom · Mar 4, 2023 · 576a05e · 576a05e
1 parent 0b0df0f
commit 576a05e
Show file tree

Hide file tree

Showing 7 changed files with 202 additions and 62 deletions.
diff --git a/nel/include/nel/net/login_server.h b/nel/include/nel/net/login_server.h
@@ -86,6 +86,9 @@ class CLoginServer {
 	/// Call this method to retrieve the listen address
 	static const std::string &getListenAddress();
 
+	/// Call this method to retrieve the listen host
+	static const CInetHost &getListenHost();
+
 	/// Return true if we are in 'dev' mode
 	static bool acceptsInvalidCookie();
 

diff --git a/nel/src/net/login_server.cpp b/nel/src/net/login_server.cpp
@@ -50,6 +50,7 @@ static list<CPendingUser> PendingUsers;
 
 static CCallbackServer *Server = NULL;
 static string ListenAddr;
+static CInetHost ListenHost;
 
 static bool AcceptInvalidCookie = false;
 
@@ -293,11 +294,13 @@ void CLoginServer::setListenAddress(const string &la)
 	// check that listen address is valid
 	if (ListenAddr.empty())
 	{
+		ListenHost.clear();
 		nlerror("FATAL : listen address in invalid, it should be either set via ListenAddress variable or with -D argument");
 		nlstop;
 	}
 
 	nlinfo("LS: Listen Address that will be sent to the client is now '%s'", ListenAddr.c_str());
+	ListenHost = CInetHost(ListenAddr);
 }
 
 uint32 CLoginServer::getNbPendingUsers()
@@ -500,6 +503,12 @@ const std::string &CLoginServer::getListenAddress()
 	return ListenAddr;
 }
 
+
+/// Call this method to retrieve the listen address
+const CInetHost &CLoginServer::getListenHost()
+{
+	return ListenHost;
+}
 bool CLoginServer::acceptsInvalidCookie()
 {
 	return AcceptInvalidCookie;
@@ -577,6 +586,7 @@ NLMISC_CATEGORISED_DYNVARIABLE(nel, string, LSListenAddress, "the listen address
 		{
 			ListenAddr = *pointer;
 		}
+		ListenHost = CInetHost(ListenAddr);
 		nlinfo ("LS: Listen Address that will be send to client is '%s'", ListenAddr.c_str());
 	}
 }

diff --git a/ryzom/client/src/quic_connection.cpp b/ryzom/client/src/quic_connection.cpp
@@ -210,8 +210,12 @@ void CQuicConnectionImpl::connect()
 		return;
 	}
 
-	static const CStringView protocolName = "ryzomcore4";
-	static const QUIC_BUFFER alpn = { (uint32)protocolName.size(), (uint8 *)protocolName.data() };
+	// Protocol feature levels, corresponds to Ryzom Core release versions, keep datagram-only support to give users and server owners the option to keep bandwidth restricted
+	// 4.1: Only datagram support (restricted bandwidth, same behaviour as UDP)
+	// 4.2?: Add up to 4 unidirectional streams from the server to client to send long impulses (keep bandwidth from client restricted) (DB_INIT, STRING, STRING_MANAGER, MODULE_GATEWAY)
+	// 4.3?: Add a single bidirectional stream opened by the client for the scenario editor gateway (more efficient MODULE_GATEWAY replacement)
+	static const CStringView protocolName41 = "ryzomcore/4.1";
+	static const QUIC_BUFFER alpn = { (uint32)protocolName41.size(), (uint8 *)protocolName41.data() };
 
 	// Configuration, initialized in start, but destroyed on release only (may attempt more than once)
 	QUIC_STATUS status = QUIC_STATUS_SUCCESS;
@@ -510,7 +514,7 @@ _Function_class_(QUIC_CONNECTION_CALLBACK)
 		break;
 	}
 	case QUIC_CONNECTION_EVENT_DATAGRAM_RECEIVED:
-		nldebug("Datagram received");
+		// nldebug("Datagram received");
 		// YES PLEASE
 		m->datagramReceived(ev->DATAGRAM_RECEIVED.Buffer->Buffer, ev->DATAGRAM_RECEIVED.Buffer->Length);
 		status = QUIC_STATUS_SUCCESS;

diff --git a/ryzom/server/src/frontend_service/frontend_service.cpp b/ryzom/server/src/frontend_service/frontend_service.cpp
@@ -1231,8 +1231,8 @@ void CFrontEndService::init()
 		CLoginServer::init( "", cbDisconnectClient ); 
 
 //		// Init front end listening port
-		CInetHost listenAddr(CLoginServer::getListenAddress());
-		uint16 frontendPort = listenAddr.port();
+		CInetHost listenHost = CLoginServer::getListenHost();
+		uint16 frontendPort = listenHost.port();
 
 		if (frontendPort == 0)
 		{
@@ -1266,8 +1266,8 @@ void CFrontEndService::init()
 		nlinfo( "Initializing receiving subsystem..." );
 		_ReceiveSub.init( frontendPort, lastAcceptableFrontendPort, _DgramLength, &_History, &_SendSub.clientIdCont() );
 		frontendPort = _ReceiveSub.dataSock()->localAddr().port();
-		listenAddr.setPort( frontendPort );
-		CLoginServer::setListenAddress(PublishFSHostAsIP.get() ? listenAddr.address().asIPString() : listenAddr.toString());
+		listenHost.setPort( frontendPort );
+		CLoginServer::setListenAddress(PublishFSHostAsIP.get() ? listenHost.address().asIPString() : listenHost.toString());
 
 		StalledMode = false;
 		LastTickTime = 0;

diff --git a/ryzom/server/src/frontend_service/quic_selfsign.cpp b/ryzom/server/src/frontend_service/quic_selfsign.cpp
@@ -40,20 +40,12 @@
 
 #define CXPLAT_CERT_CREATION_EVENT_NAME L"RyzomCoreCertEvent"
 #define CXPLAT_CERT_CREATION_EVENT_WAIT 10000
-#define CXPLAT_CERTIFICATE_TEST_FRIENDLY_NAME L"RyzomCoreTestCert2"
+#define CXPLAT_CERTIFICATE_TEST_FRIENDLY_NAME L"Ryzom Core 4 Server Development Certificate"
 #define CXPLAT_CERTIFICATE_TEST_CLIENT_FRIENDLY_NAME L"RyzomCoreTestClientCert"
 #define CXPLAT_KEY_CONTAINER_NAME L"RyzomCoreSelfSignKey2"
 #define CXPLAT_KEY_SIZE 2048
 
-#define CXPLAT_TEST_CERT_VALID_SERVER_FRIENDLY_NAME L"RyzomCoreTestServer"
-#define CXPLAT_TEST_CERT_VALID_CLIENT_FRIENDLY_NAME L"RyzomCoreTestClient"
-#define CXPLAT_TEST_CERT_EXPIRED_SERVER_FRIENDLY_NAME L"RyzomCoreTestExpiredServer"
-#define CXPLAT_TEST_CERT_EXPIRED_CLIENT_FRIENDLY_NAME L"RyzomCoreTestExpiredClient"
-#define CXPLAT_TEST_CERT_VALID_SERVER_SUBJECT_NAME "RyzomCoreTestServer"
-#define CXPLAT_TEST_CERT_VALID_CLIENT_SUBJECT_NAME "RyzomCoreTestClient"
-#define CXPLAT_TEST_CERT_EXPIRED_SERVER_SUBJECT_NAME "RyzomCoreTestExpiredServer"
-#define CXPLAT_TEST_CERT_EXPIRED_CLIENT_SUBJECT_NAME "RyzomCoreTestExpiredClient"
-#define CXPLAT_TEST_CERT_SELF_SIGNED_CLIENT_SUBJECT_NAME "RyzomCoreClient"
+#define CXPLAT_TEST_CERT_SELF_SIGNED_CLIENT_SUBJECT_NAME L"RyzomCoreClient"
 #define CXPLAT_TEST_CERT_SELF_SIGNED_SERVER_SUBJECT_NAME "localhost"
 
 #define QuicTraceEvent(x, y, z, msg) nlwarning("%s", msg)
@@ -266,7 +258,16 @@ CreateSubjAltNameExtension(
     _Out_ PCERT_EXTENSION CertExtension)
 {
 	CERT_ALT_NAME_ENTRY AltName = { CERT_ALT_NAME_DNS_NAME };
-	AltName.pwszDNSName = L"localhost";
+	const NLNET::CInetHost &listenHost = NLNET::CLoginServer::getListenHost();
+	std::string localHostName = listenHost.hostname();
+	if (localHostName.empty() || NLNET::CIPv6Address(localHostName).isValid()) // IP address...
+	{
+		localHostName = NLNET::CInetHost::localHostName();
+		if (NLNET::CIPv6Address(localHostName).isValid()) // IP address...
+			localHostName = CXPLAT_TEST_CERT_SELF_SIGNED_SERVER_SUBJECT_NAME;
+	}
+	std::wstring dnsName = NLMISC::utf8ToWide(localHostName);
+	AltName.pwszDNSName = (LPWSTR)dnsName.c_str();
 	CERT_ALT_NAME_INFO NameInfo;
 	NameInfo.cAltEntry = 1;
 	NameInfo.rgAltEntry = &AltName;
@@ -819,7 +820,7 @@ void *
 CreateClientCertificate()
 {
 	PCCERT_CONTEXT CertContext;
-	if (FAILED(CreateSelfSignedCertificate(L"CN=MsQuicClient", TRUE, &CertContext)))
+	if (FAILED(CreateSelfSignedCertificate(L"CN=" CXPLAT_TEST_CERT_SELF_SIGNED_CLIENT_SUBJECT_NAME, TRUE, &CertContext)))
 	{
 		return NULL;
 	}
@@ -831,7 +832,16 @@ void *
 CreateServerCertificate()
 {
 	PCCERT_CONTEXT CertContext;
-	if (FAILED(CreateSelfSignedCertificate(L"CN=localhost", FALSE, &CertContext)))
+	const NLNET::CInetHost &listenHost = NLNET::CLoginServer::getListenHost();
+	std::string localHostName = listenHost.hostname();
+	if (localHostName.empty() || NLNET::CIPv6Address(localHostName).isValid()) // IP address...
+	{
+		localHostName = NLNET::CInetHost::localHostName();
+		if (NLNET::CIPv6Address(localHostName).isValid()) // IP address...
+			localHostName = CXPLAT_TEST_CERT_SELF_SIGNED_SERVER_SUBJECT_NAME;
+	}
+	std::wstring subjectName = L"CN=" + NLMISC::utf8ToWide(localHostName);
+	if (FAILED(CreateSelfSignedCertificate((LPCWSTR)subjectName.c_str(), FALSE, &CertContext)))
 	{
 		return NULL;
 	}