preparing for Mbedtls 3

abnoeh abnoeh at mail.com
Sun Jun 18 00:01:18 PDT 2023 

Mbedtls 2.28 is planed to EOL at 2024/12, (as they only keep LTS branch
just for 3 years from 2.7 and 2.16 trees are.  so we have 1.5 years for
prepare for it, and they support TLS 1.3


I made this PR on github to openwrt/ustream-ssl can work on mbedtls 3.x
version.

it looksing a deprecated macro so detect it was compliing for v3 vs v2

3DES ciphers are removed in 3.0, but DES as crypto is still there.

looks like hostapd doesn't need patch to compile- will trying it on
mt7621 router if it breaks in runtime

don't really know what's offical procedure for submit patch to that repo

github PR: https://github.com/openwrt/ustream-ssl/pull/2


git diff for the PR

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 7fc7874..472dfa5 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -110,9 +110,7 @@ static const int default_ciphersuites_client[] =
         AES_CBC_CIPHERS(ECDHE_ECDSA),
         AES_CBC_CIPHERS(ECDHE_RSA),
         AES_CBC_CIPHERS(DHE_RSA),
-       MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
         AES_CIPHERS(RSA),
-       MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
         0
  };

@@ -171,7 +169,8 @@ static void ustream_ssl_update_own_cert(struct
ustream_ssl_ctx *ctx)
         if (!ctx->cert.version)
                 return;

-       if (!ctx->key.pk_info)
+// mbedtls 3.x made pk_info unexposed so we check it has a type
+       if (!mbedtls_pk_get_type(&ctx->key))
                 return;

         mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
@@ -205,8 +204,12 @@ __hidden int __ustream_ssl_set_crt_file(struct
ustream_ssl_ctx *ctx, const char
  __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx,
const char *file)
  {
         int ret;
-
+// because we striped version info from mbedtls, use a const that
removed in mbedtls 3.X
+#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)
         ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
+#else
+       ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random,
NULL);
+#endif
         if (ret)
                 return -1;

diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
index e622e5e..7e7c699 100644
--- a/ustream-mbedtls.h
+++ b/ustream-mbedtls.h
@@ -21,7 +21,6 @@

  #include <mbedtls/net_sockets.h>
  #include <mbedtls/ssl.h>
-#include <mbedtls/certs.h>
  #include <mbedtls/x509.h>
  #include <mbedtls/rsa.h>
  #include <mbedtls/error.h>

More information about the openwrt-devel mailing list