preparing for Mbedtls 3

abnoeh abnoeh at mail.com
Sun Jun 18 01:19:59 PDT 2023


wpad-full compiles and works (at least in a basic wifi setting)


On 2023-06-18 4:01 PM, abnoeh wrote:
> Mbedtls 2.28 is planned to EOL at 2024/12 (as they only keep an LTS branch
> for just 3 years, as the 2.7 and 2.16 trees were), so we have 1.5 years to
> prepare for it, and they support TLS 1.3.
>
>
> I made this PR on github so openwrt/ustream-ssl can work on the mbedtls 3.x
> version.
>
> it looks for a deprecated macro to detect whether it was compiling for v3 vs v2
>
> 3DES ciphers are removed in 3.0, but DES as crypto is still there.
>
> looks like hostapd doesn't need a patch to compile; will try it on a
> mt7621 router to see if it breaks at runtime
>
> don't really know what the official procedure is for submitting a patch to that repo
>
> github PR: https://github.com/openwrt/ustream-ssl/pull/2
>
>
> git diff for the PR
>
> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
> index 7fc7874..472dfa5 100644
> --- a/ustream-mbedtls.c
> +++ b/ustream-mbedtls.c
> @@ -110,9 +110,7 @@ static const int default_ciphersuites_client[] =
>         AES_CBC_CIPHERS(ECDHE_ECDSA),
>         AES_CBC_CIPHERS(ECDHE_RSA),
>         AES_CBC_CIPHERS(DHE_RSA),
> -       MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
>         AES_CIPHERS(RSA),
> -       MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
>         0
>  };
>
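Review bot: the two `MBEDTLS_TLS_*_WITH_3DES_EDE_CBC_SHA` entries are removed unconditionally, so 2.28 builds lose 3DES as well, even though the cover note says 3DES is still present there. Dropping a 64-bit block cipher from the default list is a sensible change, but the PR description should state it as an intentional behaviour change for 2.x rather than a 3.x compatibility fix; if identical 2.x behaviour is wanted, the two lines belong under the same version guard the patch introduces in `__ustream_ssl_set_key_file()`.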
> @@ -171,7 +169,8 @@ static void ustream_ssl_update_own_cert(struct
> ustream_ssl_ctx *ctx)
>         if (!ctx->cert.version)
>                 return;
>
> -       if (!ctx->key.pk_info)
> +// mbedtls 3.x made pk_info unexposed so we check it has a type
> +       if (!mbedtls_pk_get_type(&ctx->key))
>                 return;
>
>         mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
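Review bot: the added `//` comment sits at column 0 inside the function body while the surrounding lines are tab-indented; indent it with the code. On the check itself, `mbedtls_pk_get_type()` returns `MBEDTLS_PK_NONE` (value 0) for a context that was never set up and exists in both 2.x and 3.x, so no version guard is needed here; saying that in the comment is more useful than "made pk_info unexposed".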
> @@ -205,8 +204,12 @@ __hidden int __ustream_ssl_set_crt_file(struct
> ustream_ssl_ctx *ctx, const char
>  __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx,
> const char *file)
>  {
>         int ret;
> -
> +// because we striped version info from mbedtls, use a const that
> removed in mbedtls 3.X
> +#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)
>         ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
> +#else
> +       ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random,
> NULL);
> +#endif
>         if (ret)
>                 return -1;
>
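Review bot: detecting the library major version by testing for `MBEDTLS_DHM_RFC5114_MODP_2048_P` is fragile. That constant is a deprecated 2.x define, so a 2.x build configured with deprecated APIs removed (`MBEDTLS_DEPRECATED_REMOVED`) would take the `#else` branch and pass five arguments to the four-argument 2.x `mbedtls_pk_parse_keyfile()`, which fails to compile. Prefer `#if MBEDTLS_VERSION_MAJOR >= 3` from `<mbedtls/build_info.h>` (3.x) or `<mbedtls/version.h>` (2.x), a plain preprocessor define in the public headers that should not depend on the version module the comment says was stripped. Also confirm that `_random` accepts a NULL context, since that is what is passed here, indent the comment with the code, and keep the blank line that the hunk removes.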
> diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
> index e622e5e..7e7c699 100644
> --- a/ustream-mbedtls.h
> +++ b/ustream-mbedtls.h
> @@ -21,7 +21,6 @@
>
>  #include <mbedtls/net_sockets.h>
>  #include <mbedtls/ssl.h>
> -#include <mbedtls/certs.h>
>  #include <mbedtls/x509.h>
>  #include <mbedtls/rsa.h>
>  #include <mbedtls/error.h>
>
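Review bot: `<mbedtls/certs.h>` is dropped unconditionally rather than under the version guard used in the .c file. That is only correct if nothing in ustream-mbedtls references the built-in test certificates that header declares in 2.x (it has no 3.x counterpart); the PR description should say this was checked, because otherwise the 2.x build would now fail to compile.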
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
