
preparing for Mbedtls 3

Message ID 976594fc-292a-58ea-2175-696a7540eeee@mail.com
State Not Applicable
Delegated to: Petr Štetiar

Commit Message

abnoeh June 18, 2023, 7:01 a.m. UTC
Mbedtls 2.28 is planed to EOL at 2024/12, (as they only keep LTS branch
just for 3 years from 2.7 and 2.16 trees are.  so we have 1.5 years for
prepare for it, and they support TLS 1.3


I made this PR on github to openwrt/ustream-ssl can work on mbedtls 3.x
version.

It looks for a deprecated macro to detect whether it is being compiled for v3 or v2.

3DES ciphers are removed in 3.0, but DES as crypto is still there.

looks like hostapd doesn't need patch to compile- will trying it on
mt7621 router if it breaks in runtime

don't really know what's offical procedure for submit patch to that repo

github PR: https://github.com/openwrt/ustream-ssl/pull/2


git diff for the PR

Comments

abnoeh June 18, 2023, 8:19 a.m. UTC | #1
wpad-full compiles and works (at least in a basic wifi setting)


2023-06-18 오후 4:01에 abnoeh 이(가) 쓴 글:
> Mbedtls 2.28 is planed to EOL at 2024/12, (as they only keep LTS branch
> just for 3 years from 2.7 and 2.16 trees are.  so we have 1.5 years for
> prepare for it, and they support TLS 1.3
>
>
> I made this PR on github to openwrt/ustream-ssl can work on mbedtls 3.x
> version.
>
> it looksing a deprecated macro so detect it was compliing for v3 vs v2
>
> 3DES ciphers are removed in 3.0, but DES as crypto is still there.
>
> looks like hostapd doesn't need patch to compile- will trying it on
> mt7621 router if it breaks in runtime
>
> don't really know what's offical procedure for submit patch to that repo
>
> github PR: https://github.com/openwrt/ustream-ssl/pull/2
>
>
> git diff for the PR
>
> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
> index 7fc7874..472dfa5 100644
> --- a/ustream-mbedtls.c
> +++ b/ustream-mbedtls.c
> @@ -110,9 +110,7 @@ static const int default_ciphersuites_client[] =
>         AES_CBC_CIPHERS(ECDHE_ECDSA),
>         AES_CBC_CIPHERS(ECDHE_RSA),
>         AES_CBC_CIPHERS(DHE_RSA),
> -       MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
>         AES_CIPHERS(RSA),
> -       MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
>         0
>  };
>
> @@ -171,7 +169,8 @@ static void ustream_ssl_update_own_cert(struct
> ustream_ssl_ctx *ctx)
>         if (!ctx->cert.version)
>                 return;
>
> -       if (!ctx->key.pk_info)
> +// mbedtls 3.x made pk_info unexposed so we check it has a type
> +       if (!mbedtls_pk_get_type(&ctx->key))
>                 return;
>
>         mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
> @@ -205,8 +204,12 @@ __hidden int __ustream_ssl_set_crt_file(struct
> ustream_ssl_ctx *ctx, const char
>  __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx,
> const char *file)
>  {
>         int ret;
> -
> +// because we striped version info from mbedtls, use a const that
> removed in mbedtls 3.X
> +#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)
>         ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
> +#else
> +       ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random,
> NULL);
> +#endif
>         if (ret)
>                 return -1;
>
> diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
> index e622e5e..7e7c699 100644
> --- a/ustream-mbedtls.h
> +++ b/ustream-mbedtls.h
> @@ -21,7 +21,6 @@
>
>  #include <mbedtls/net_sockets.h>
>  #include <mbedtls/ssl.h>
> -#include <mbedtls/certs.h>
>  #include <mbedtls/x509.h>
>  #include <mbedtls/rsa.h>
>  #include <mbedtls/error.h>
>
>

Patch

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 7fc7874..472dfa5 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -110,9 +110,7 @@  static const int default_ciphersuites_client[] =
         AES_CBC_CIPHERS(ECDHE_ECDSA),
         AES_CBC_CIPHERS(ECDHE_RSA),
         AES_CBC_CIPHERS(DHE_RSA),
-       MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
         AES_CIPHERS(RSA),
-       MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
         0
  };

@@ -171,7 +169,8 @@  static void ustream_ssl_update_own_cert(struct
ustream_ssl_ctx *ctx)
         if (!ctx->cert.version)
                 return;

-       if (!ctx->key.pk_info)
+// mbedtls 3.x made pk_info unexposed so we check it has a type
+       if (!mbedtls_pk_get_type(&ctx->key))
                 return;

         mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
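Review bot: The new guard `if (!mbedtls_pk_get_type(&ctx->key))` depends on the "no key loaded" enum value being zero; spelling it out as `if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE)` states the intent and does not rely on the numeric value. The added `//` comment sits at column 0 while the statement below it is indented, so it should be indented with the check and follow whatever comment style the rest of the file uses (not visible in this hunk). ustream_ssl_update_own_cert starts and ends outside the hunk.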
@@ -205,8 +204,12 @@  __hidden int __ustream_ssl_set_crt_file(struct
ustream_ssl_ctx *ctx, const char
  __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx,
const char *file)
  {
         int ret;
-
+// because we striped version info from mbedtls, use a const that
removed in mbedtls 3.X
+#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)
         ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
+#else
+       ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random,
NULL);
+#endif
         if (ret)
                 return -1;
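Review bot: The `#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)` guard selects the key-parsing API by a macro unrelated to key parsing, and it looks fragile: that constant comes from the DHM header, so a 2.x build without DHM or with deprecated items removed would presumably fall into the `#else` branch and fail to compile against the three-argument `mbedtls_pk_parse_keyfile`. Keying on the library version is more direct, e.g. `#if MBEDTLS_VERSION_NUMBER < 0x03000000` after including `<mbedtls/version.h>`; the version macros are header constants, so this should still work with the version feature compiled out, but confirm against the OpenWrt mbedtls config. `_random` is defined outside this hunk; since the 3.x signature takes it as the RNG used while parsing the private key, check that it is declared before this function and returns non-zero on a short or failed read. The function body continues past the hunk.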

diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
index e622e5e..7e7c699 100644
--- a/ustream-mbedtls.h
+++ b/ustream-mbedtls.h
@@ -21,7 +21,6 @@ 

  #include <mbedtls/net_sockets.h>
  #include <mbedtls/ssl.h>
-#include <mbedtls/certs.h>
  #include <mbedtls/x509.h>
  #include <mbedtls/rsa.h>
  #include <mbedtls/error.h>