| Message ID | 20231111213243.3338889-1-hauke@hauke-m.de |
|---|---|
| State | Accepted |
| Delegated to: | Hauke Mehrtens |
| Headers | show |
| Series | [ustream-ssl,1/2] ustream-mbedtls: Add compatibility with Mbed TLS 3.0.0 | expand |
On Sat, Nov 11, 2023 at 1:35 PM Hauke Mehrtens <hauke@hauke-m.de> wrote: > > This adds support for compiling the code against Mbed TLS 3.0.0. > It still compiles against Mbed TLS 2.28. > > The following changes were needed: > * DES and 3DES was removed > * mbedtls_pk_context->pk_info is private, use mbedtls_pk_get_type() > to check if it was initialized > * mbedtls_pk_parse_keyfile() now gets a random callback > * mbedtls/certs.h contains test data and is not installed any more and > not needed. > > Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> > --- > ustream-mbedtls.c | 12 +++++++++++- > ustream-mbedtls.h | 1 - > 2 files changed, 11 insertions(+), 2 deletions(-) > > diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c > index 7fc7874..1c70cac 100644 > --- a/ustream-mbedtls.c > +++ b/ustream-mbedtls.c > @@ -110,9 +110,15 @@ static const int default_ciphersuites_client[] = > AES_CBC_CIPHERS(ECDHE_ECDSA), > AES_CBC_CIPHERS(ECDHE_RSA), > AES_CBC_CIPHERS(DHE_RSA), > +/* Removed in Mbed TLS 3.0.0 */ are these for Windows XP compatibility? > +#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA > MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > +#endif > AES_CIPHERS(RSA), > +/* Removed in Mbed TLS 3.0.0 */ > +#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA > MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, > +#endif > 0 > }; > > @@ -171,7 +177,7 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx) > if (!ctx->cert.version) > return; > > - if (!ctx->key.pk_info) > + if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE) > return; > > mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key); > @@ -206,7 +212,11 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char > { > int ret; > > +#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) > + ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL); > +#else > ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL); > +#endif > if (ret) > return -1; > > diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h > index e622e5e..7e7c699 100644 > --- a/ustream-mbedtls.h > +++ b/ustream-mbedtls.h > @@ -21,7 +21,6 @@ > > #include <mbedtls/net_sockets.h> > #include <mbedtls/ssl.h> > -#include <mbedtls/certs.h> > #include <mbedtls/x509.h> > #include <mbedtls/rsa.h> > #include <mbedtls/error.h> > -- > 2.39.2 > > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
On 11/12/23 20:16, Rosen Penev wrote: > On Sat, Nov 11, 2023 at 1:35 PM Hauke Mehrtens <hauke@hauke-m.de> wrote: >> >> This adds support for compiling the code against Mbed TLS 3.0.0. >> It still compiles against Mbed TLS 2.28. >> >> The following changes were needed: >> * DES and 3DES was removed >> * mbedtls_pk_context->pk_info is private, use mbedtls_pk_get_type() >> to check if it was initialized >> * mbedtls_pk_parse_keyfile() now gets a random callback >> * mbedtls/certs.h contains test data and is not installed any more and >> not needed. >> >> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> >> --- >> ustream-mbedtls.c | 12 +++++++++++- >> ustream-mbedtls.h | 1 - >> 2 files changed, 11 insertions(+), 2 deletions(-) >> >> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c >> index 7fc7874..1c70cac 100644 >> --- a/ustream-mbedtls.c >> +++ b/ustream-mbedtls.c >> @@ -110,9 +110,15 @@ static const int default_ciphersuites_client[] = >> AES_CBC_CIPHERS(ECDHE_ECDSA), >> AES_CBC_CIPHERS(ECDHE_RSA), >> AES_CBC_CIPHERS(DHE_RSA), >> +/* Removed in Mbed TLS 3.0.0 */ > are these for Windows XP compatibility? No, This is for the TLS client. I assume this is for some legacy embedded webserver. Mbed TLS 3.0.0 also removes support for TLS 1.0 and 1.1, it only support TLS 1.2 and 1.3, this could cause some problems with older equipment and legacy WPA enterprise clients. Hauke
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index 7fc7874..1c70cac 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -110,9 +110,15 @@ static const int default_ciphersuites_client[] = AES_CBC_CIPHERS(ECDHE_ECDSA), AES_CBC_CIPHERS(ECDHE_RSA), AES_CBC_CIPHERS(DHE_RSA), +/* Removed in Mbed TLS 3.0.0 */ +#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, +#endif AES_CIPHERS(RSA), +/* Removed in Mbed TLS 3.0.0 */ +#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, +#endif 0 }; @@ -171,7 +177,7 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx) if (!ctx->cert.version) return; - if (!ctx->key.pk_info) + if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE) return; mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key); @@ -206,7 +212,11 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char { int ret; +#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) + ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL); +#else ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL); +#endif if (ret) return -1; diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h index e622e5e..7e7c699 100644 --- a/ustream-mbedtls.h +++ b/ustream-mbedtls.h @@ -21,7 +21,6 @@ #include <mbedtls/net_sockets.h> #include <mbedtls/ssl.h> -#include <mbedtls/certs.h> #include <mbedtls/x509.h> #include <mbedtls/rsa.h> #include <mbedtls/error.h>
This adds support for compiling the code against Mbed TLS 3.0.0. It still compiles against Mbed TLS 2.28. The following changes were needed: * DES and 3DES was removed * mbedtls_pk_context->pk_info is private, use mbedtls_pk_get_type() to check if it was initialized * mbedtls_pk_parse_keyfile() now gets a random callback * mbedtls/certs.h contains test data and is not installed any more and not needed. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> --- ustream-mbedtls.c | 12 +++++++++++- ustream-mbedtls.h | 1 - 2 files changed, 11 insertions(+), 2 deletions(-)