Refactor code that sets identity and certificates.

zpostfacto · zpostfacto · commit a1ec9538af70 · 2022-06-08T10:51:11.000-07:00
This is to enable cacfhing of certificates and relay tickets to a durable
cache, especially on consoles.

- InternalClearIdentity is virtual, this will give the SDR class a chance
  to nuke any existing tickets when we reset our identity.
- Added InternalOnGotIdentity
- Refactored SetCertificate and added some flags so that we can control
  how it interacts with the cache.  Things can get a bit tangled because
  in some sitautions the certificate is how we learn what our identity
  is.

P4:7307221
diff --git a/src/steamnetworkingsockets/clientlib/csteamnetworkingsockets.cpp b/src/steamnetworkingsockets/clientlib/csteamnetworkingsockets.cpp
@@ -442,6 +442,11 @@ void CSteamNetworkingSockets::InternalClearIdentity()
 	m_bEverGotCert = false;
 }
 
+void CSteamNetworkingSockets::InternalOnGotIdentity( int nIdentitySetFlags )
+{
+	// No base class action
+}
+
 CSteamNetworkingSockets::~CSteamNetworkingSockets()
 {
 	SteamNetworkingGlobalLock::AssertHeldByCurrentThread();
@@ -676,6 +681,15 @@ bool CSteamNetworkingSockets::GetCertificateRequest( int *pcbBlob, void *pBlob,
 
 bool CSteamNetworkingSockets::SetCertificate( const void *pCertificate, int cbCertificate, SteamNetworkingErrMsg &errMsg )
 {
+	SteamNetworkingGlobalLock scopeLock( "SetCertificate" );
+	int nIdentitySetFlags = 0; // Allowing any reading/writing to the durable cache as appropriate
+	return InternalSetCertificate( pCertificate, cbCertificate, errMsg, nIdentitySetFlags );
+}
+
+bool CSteamNetworkingSockets::InternalSetCertificate( const void *pCertificate, int cbCertificate, SteamNetworkingErrMsg &errMsg, int nIdentitySetFlags )
+{
+ 	SteamNetworkingGlobalLock::AssertHeldByCurrentThread( "InternalSetCertificate" );
+
 	// Crack the blob
 	CMsgSteamDatagramCertificateSigned msgCertSigned;
 	if ( !msgCertSigned.ParseFromArray( pCertificate, cbCertificate ) )
@@ -684,8 +698,6 @@ bool CSteamNetworkingSockets::SetCertificate( const void *pCertificate, int cbCe
 		return false;
 	}
 
-	SteamNetworkingGlobalLock scopeLock( "SetCertificate" );
-
 	// Crack the cert, and check the signature.  If *we* aren't even willing
 	// to trust it, assume that our peers won't either
 	CMsgSteamDatagramCertificate msgCert;
@@ -706,13 +718,27 @@ bool CSteamNetworkingSockets::SetCertificate( const void *pCertificate, int cbCe
 		return false;
 	}
 
+	// If we already have an identity, it must match the cert
+	bool bSetIdentity = false;
+	if ( m_identity.IsInvalid() || m_identity.IsLocalHost() )
+	{
+		bSetIdentity = true;
+	}
+	else if ( !( m_identity == certIdentity ) )
+	{
+		V_sprintf_safe( errMsg, "Cert is for identity '%s'.  We are '%s'", SteamNetworkingIdentityRender( certIdentity ).c_str(), SteamNetworkingIdentityRender( m_identity ).c_str() );
+		return false;
+	}
+
 	// We currently only support one key type
 	if ( msgCert.key_type() != CMsgSteamDatagramCertificate_EKeyType_ED25519 || msgCert.key_data().size() != 32 )
 	{
 		V_strcpy_safe( errMsg, "Cert has invalid public key" );
 		return false;
 	}
 
+	// FIXME - should we check if we already have a newer, equivalent cert?
+
 	// Does cert contain a private key?
 	if ( msgCertSigned.has_private_key_data() )
 	{
@@ -767,23 +793,23 @@ bool CSteamNetworkingSockets::SetCertificate( const void *pCertificate, int cbCe
 
 	// If we don't know our identity, then set it now.  Otherwise,
 	// it better match.
-	if ( m_identity.IsInvalid() || m_identity.IsLocalHost() )
+	if ( bSetIdentity )
 	{
 		m_identity = certIdentity;
 		SpewMsg( "Local identity established from certificate.  We are '%s'\n", SteamNetworkingIdentityRender( m_identity ).c_str() );
 	}
-	else if ( !( m_identity == certIdentity ) )
-	{
-		V_sprintf_safe( errMsg, "Cert is for identity '%s'.  We are '%s'", SteamNetworkingIdentityRender( certIdentity ).c_str(), SteamNetworkingIdentityRender( m_identity ).c_str() );
-		return false;
-	}
 
 	// Save it off
 	m_msgSignedCert = std::move( msgCertSigned );
 	m_msgCert = std::move( msgCert );
 	// If shouldn't already be expired.
 	AssertMsg( GetSecondsUntilCertExpiry() > 0, "Cert already invalid / expired?" );
 
+	// If we just got our identity, let derived classes take action.  But our caller is
+	// setting a specific cert, so don't try to load any other cert from the cache
+	if ( bSetIdentity )
+		InternalOnGotIdentity( nIdentitySetFlags | k_nIdentitySetFlag_NoLoadCert );
+
 	// We've got a valid cert
 	SetCertStatus( k_ESteamNetworkingAvailability_Current, "OK" );
 
@@ -801,7 +827,14 @@ void CSteamNetworkingSockets::ResetIdentity( const SteamNetworkingIdentity *pIde
 	KillConnections();
 	InternalClearIdentity();
 	if ( pIdentity )
+	{
 		m_identity = *pIdentity;
+		if ( m_identity.IsInvalid() || m_identity.IsLocalHost() )
+		{
+			int nIdentitySetFlags = k_nIdentitySetFlag_NoSave; // Allow us to check the durable cache for any credentials, but we know we are empty, so don't save anything
+			InternalOnGotIdentity( nIdentitySetFlags );
+		}
+	}
 }
 
 ESteamNetworkingAvailability CSteamNetworkingSockets::InitAuthentication()
diff --git a/src/steamnetworkingsockets/clientlib/csteamnetworkingsockets.h b/src/steamnetworkingsockets/clientlib/csteamnetworkingsockets.h
@@ -112,7 +112,7 @@ class CSteamNetworkingSockets : public IClientNetworkingSockets
 	virtual int GetP2P_Transport_ICE_Enable( const SteamNetworkingIdentity &identityRemote, int *pOutUserFlags );
 
 	virtual bool GetCertificateRequest( int *pcbBlob, void *pBlob, SteamNetworkingErrMsg &errMsg ) override;
-	virtual bool SetCertificate( const void *pCertificate, int cbCertificate, SteamNetworkingErrMsg &errMsg ) override;
+	virtual bool SetCertificate( const void *pCertificate, int cbCertificate, SteamNetworkingErrMsg &errMsg ) override final; // Final.  Override InternalSetCertificate to customize
 	virtual void ResetIdentity( const SteamNetworkingIdentity *pIdentity ) override;
 
 	virtual HSteamListenSocket CreateListenSocketP2PFakeIP( int idxFakePort, int nOptions, const SteamNetworkingConfigValue_t *pOptions ) override;
@@ -239,7 +239,20 @@ class CSteamNetworkingSockets : public IClientNetworkingSockets
 	/// Figure out the current authentication status.  And if it has changed, send out callbacks
 	virtual void DeduceAuthenticationStatus();
 
-	void InternalClearIdentity();
+	// Flags that specify what actions to take wrt to any durable cache, when we are assigned an identity or certificate.
+	static constexpr int k_nIdentitySetFlag_NoLoadCert = (1<<0);
+	static constexpr int k_nIdentitySetFlag_NoLoadTickets = (1<<1);
+	static constexpr int k_nIdentitySetFlag_NoLoad = k_nIdentitySetFlag_NoLoadCert | k_nIdentitySetFlag_NoLoadTickets;
+	static constexpr int k_nIdentitySetFlag_NoSave = (1<<2);
+	static constexpr int k_nIdentitySetFlag_NoCacheAccess = -1;
+
+	/// Called when we get a valid identity
+	virtual void InternalOnGotIdentity( int nIdentitySetFlags );
+
+	/// Set certificate and/or private key
+	virtual bool InternalSetCertificate( const void *pCertificate, int cbCertificate, SteamNetworkingErrMsg &errMsg, int nIdentitySetFlags );
+
+	virtual void InternalClearIdentity();
 	void KillConnections();
 
 	SteamNetworkingIdentity m_identity;
