From 3a73c3f260503d1b655d5caea01e66cad3b57707 Mon Sep 17 00:00:00 2001 From: Fabio Alessandrelli Date: Sat, 15 Feb 2020 21:34:00 +0100 Subject: [PATCH] Add documentation for new DTLS features. --- doc/classes/DTLSServer.xml | 90 +++++++++++++++++ doc/classes/PacketPeerDTLS.xml | 66 +++++++++++++ doc/classes/PacketPeerUDP.xml | 19 ++++ doc/classes/UDPServer.xml | 98 +++++++++++++++++++ .../doc_classes/NetworkedMultiplayerENet.xml | 25 +++++ 5 files changed, 298 insertions(+) create mode 100644 doc/classes/DTLSServer.xml create mode 100644 doc/classes/PacketPeerDTLS.xml create mode 100644 doc/classes/UDPServer.xml diff --git a/doc/classes/DTLSServer.xml b/doc/classes/DTLSServer.xml new file mode 100644 index 00000000000..32cd668fe5e --- /dev/null +++ b/doc/classes/DTLSServer.xml @@ -0,0 +1,90 @@ + + + + Helper class to implement a DTLS server. + + + This class is used to store the state of a DTLS server. Upon [method setup] it converts connected [PacketPeerUDP] to [PacketPeerDTLS] accepting them via [method take_connection] as DTLS clients. Under the hood, this class is used to store the DTLS state and cookies of the server. The reason of why the state and cookies are needed is outside of the scope of this documentation. + Below a small example of how to use it: + [codeblock] + # server.gd + extends Node + + var dtls := DTLSServer.new() + var server := UDPServer.new() + var peers = [] + + func _ready(): + server.listen(4242) + var key = load("key.key") # Your private key. + var cert = load("cert.crt") # Your X509 certificate. + dtls.setup(key, cert) + + func _process(delta): + while server.is_connection_available(): + var peer : PacketPeerUDP = server.take_connection() + var dtls_peer : PacketPeerDTLS = dtls.take_connection(peer) + if dtls_peer.get_status() != PacketPeerDTLS.STATUS_HANDSHAKING: + continue # It is normal that 50% of the connections fails due to cookie exchange. + print("Peer connected!") + peers.append(dtls_peer) + for p in peers: + p.poll() # Must poll to update the state. + if p.get_status() == PacketPeerDTLS.STATUS_CONNECTED: + while p.get_available_packet_count() > 0: + print("Received message from client: %s" % p.get_packet().get_string_from_utf8()) + p.put_packet("Hello DTLS client".to_utf8()) + [/codeblock] + [codeblock] + # client.gd + extends Node + + var dtls := PacketPeerDTLS.new() + var udp := PacketPeerUDP.new() + var connected = false + + func _ready(): + udp.connect_to_host("127.0.0.1", 4242) + dtls.connect_to_peer(udp, false) # Use true in production for certificate validation! + + func _process(delta): + dtls.poll() + if dtls.get_status() == PacketPeerDTLS.STATUS_CONNECTED: + if !connected: + # Try to contact server + dtls.put_packet("The answer is... 42!".to_utf8()) + while dtls.get_available_packet_count() > 0: + print("Connected: %s" % dtls.get_packet().get_string_from_utf8()) + connected = true + [/codeblock] + + + + + + + + + + + + + + + Setup the DTLS server to use the given [code]private_key[/code] and provide the given [code]certificate[/code] to clients. You can pass the optional [code]chain[/code] parameter to provide additional CA chain information along with the certificate. + + + + + + + + + Try to initiate the DTLS handshake with the given [code]udp_peer[/code] which must be already connected (see [method PacketPeerUDP.connect_to_host]). + [b]Note[/b]: You must check that the state of the return PacketPeerUDP is [constant PacketPeerDTLS.STATUS_HANDSHAKING], as it is normal that 50% of the new connections will be invalid due to cookie exchange. + + + + + + diff --git a/doc/classes/PacketPeerDTLS.xml b/doc/classes/PacketPeerDTLS.xml new file mode 100644 index 00000000000..108506859de --- /dev/null +++ b/doc/classes/PacketPeerDTLS.xml @@ -0,0 +1,66 @@ + + + + DTLS packet peer. + + + This class represents a DTLS peer connection. It can be used to connect to a DTLS server, and is returned by [method DTLSServer.take_connection]. + + + + + + + + + + + + + + + + + Connects a [code]peer[/code] beginning the DTLS handshake using the underlying [PacketPeerUDP] which must be connected (see [method PacketPeerUDP.connect_to_host]). If [code]validate_certs[/code] is [code]true[/code], [PacketPeerDTLS] will validate that the certificate presented by the remote peer and match it with the [code]for_hostname[/code] argument. You can specify a custom [X509Certificate] to use for validation via the [code]valid_certificate[/code] argument. + + + + + + + Disconnects this peer, terminating the DTLS session. + + + + + + + Returns the status of the connection. See [enum Status] for values. + + + + + + + Poll the connection to check for incoming packets. Call this frequently to update the status and keep the connection working. + + + + + + A status representing a [PacketPeerDTLS] that is disconnected. + + + A status representing a [PacketPeerDTLS] that is currently performing the handshake with a remote peer. + + + A status representing a [PacketPeerDTLS] that is connected to a remote peer. + + + A status representing a [PacketPeerDTLS] in a generic error state. + + + An error status that shows a mismatch in the DTLS certificate domain presented by the host and the domain requested for validation. + + + diff --git a/doc/classes/PacketPeerUDP.xml b/doc/classes/PacketPeerUDP.xml index eb7e3cf018f..c34878ac61c 100644 --- a/doc/classes/PacketPeerUDP.xml +++ b/doc/classes/PacketPeerUDP.xml @@ -16,6 +16,18 @@ Closes the UDP socket the [PacketPeerUDP] is currently listening on. + + + + + + + + + Calling this method connects this UDP peer to the given [code]host[/code]/[code]port[/code] pair. UDP is in reality connectionless, so this option only means that incoming packets from different addresses are automatically discarded, and that outgoing packets are always sent to the connected address (future calls to [method set_dest_address] are not allowed). This method does not send any data to the remote peer, to do that, use [method PacketPeer.put_var] or [method PacketPeer.put_packet] as usual. See also [UDPServer]. + Note: Connecting to the remote peer does not help to protect from malicious attacks like IP spoofing, etc. Think about using an encryption technique like SSL or DTLS if you feel like your application is transfering sensitive information. + + @@ -30,6 +42,13 @@ Returns the port of the remote peer that sent the last packet(that was received with [method PacketPeer.get_packet] or [method PacketPeer.get_var]). + + + + + Returns [code]true[/code] if the UDP socket is open and has been connected to a remote address. See [method connect_to_host]. + + diff --git a/doc/classes/UDPServer.xml b/doc/classes/UDPServer.xml new file mode 100644 index 00000000000..71a9422689d --- /dev/null +++ b/doc/classes/UDPServer.xml @@ -0,0 +1,98 @@ + + + + Helper class to implement a UDP server. + + + A simple server that opens a UDP socket and returns connected [PacketPeerUDP] upon receiving new packets. See also [method PacketPeerUDP.connect_to_host]. + Below a small example of how it can be used: + [codeblock] + # server.gd + extends Node + + var server := UDPServer.new() + var peers = [] + + func _ready(): + server.listen(4242) + + func _process(delta): + if server.is_connection_available(): + var peer : PacketPeerUDP = server.take_connection() + var pkt = peer.get_packet() + print("Accepted peer: %s:%s" % [peer.get_packet_ip(), peer.get_packet_port()]) + print("Received data: %s" % [pkt.get_string_from_utf8()]) + # Reply so it knows we received the message. + peer.put_packet(pkt) + # Keep a reference so we can keep contacting the remote peer. + peers.append(peer) + + for i in range(0, peers.size()): + pass # Do something with the connected peers. + + [/codeblock] + [codeblock] + # client.gd + extends Node + + var udp := PacketPeerUDP.new() + var connected = false + + func _ready(): + udp.connect_to_host("127.0.0.1", 4242) + + func _process(delta): + if !connected: + # Try to contact server + udp.put_packet("The answer is... 42!".to_utf8()) + if udp.get_available_packet_count() > 0: + print("Connected: %s" % udp.get_packet().get_string_from_utf8()) + connected = true + [/codeblock] + + + + + + + + + Returns [code]true[/code] if a packet with a new address/port combination is received on the socket. + + + + + + + Returns [code]true[/code] if the socket is open and listening on a port. + + + + + + + + + + + Starts the server by opening a UDP socket listening on the given port. You can optionally specify a [code]bind_address[/code] to only listen for packets sent to that address. See also [method PacketPeerUDP.listen]. + + + + + + + Stops the server, closing the UDP socket if open. Will not disconnect any connected [PacketPeerUDP]. + + + + + + + Returns a [PacketPeerUDP] connected to the address/port combination of the first packet in queue. Will return [code]null[/code] if no packet is in queue. See also [method PacketPeerUDP.connect_to_host]. + + + + + + diff --git a/modules/enet/doc_classes/NetworkedMultiplayerENet.xml b/modules/enet/doc_classes/NetworkedMultiplayerENet.xml index 1ba0ee659fc..f90b38e0637 100644 --- a/modules/enet/doc_classes/NetworkedMultiplayerENet.xml +++ b/modules/enet/doc_classes/NetworkedMultiplayerENet.xml @@ -104,6 +104,24 @@ The IP used when creating a server. This is set to the wildcard [code]"*"[/code] by default, which binds to all available interfaces. The given IP needs to be in IPv4 or IPv6 address format, for example: [code]"192.168.1.1"[/code]. + + + + + + + Configure the [X509Certificate] to use when [member use_dtls] is [code]true[/code]. For servers, you must also setup the [CryptoKey] via [method set_dtls_key]. + + + + + + + + + Configure the [CryptoKey] to use when [member use_dtls] is [code]true[/code]. Remember to also call [method set_dtls_certificate] to setup your [X509Certificate]. + + @@ -115,6 +133,9 @@ The compression method used for network packets. These have different tradeoffs of compression speed versus bandwidth, you may need to test which one works best for your use case if you use compression at all. + + Enable or disable certiticate verification when [member use_dtls] [code]true[/code]. + Enable or disable the server feature that notifies clients of other peers' connection/disconnection, and relays messages between them. When this option is [code]false[/code], clients won't be automatically notified of other peers and won't be able to send them packets through the server. @@ -123,6 +144,10 @@ Set the default channel to be used to transfer data. By default, this value is [code]-1[/code] which means that ENet will only use 2 channels, one for reliable and one for unreliable packets. Channel [code]0[/code] is reserved, and cannot be used. Setting this member to any value between [code]0[/code] and [member channel_count] (excluded) will force ENet to use that channel for sending data. + + When enabled, the client or server created by this peer, will use [PacketPeerDTLS] instead of raw UDP sockets for communicating with the remote peer. This will make the communication encrypted with DTLS at the cost of higher resource usage and potentially larger packet size. + Note: When creating a DTLS server, make sure you setup the key/certificate pair via [method set_dtls_key] and [method set_dtls_certificate]. For DTLS clients, have a look at the [member dtls_verify] option, and configure the certificate accordingly via [method set_dtls_certificate]. +