[PATCH ustream-ssl 1/2] ustream-mbedtls: Add compatibility with Mbed TLS 3.0.0

Hauke Mehrtens hauke at hauke-m.de
Sat Nov 11 13:32:42 PST 2023 

This adds support for compiling the code against Mbed TLS 3.0.0.
It still compiles against Mbed TLS 2.28.

The following changes were needed:
 * DES and 3DES was removed
 * mbedtls_pk_context->pk_info is private, use mbedtls_pk_get_type()
   to check if it was initialized
 * mbedtls_pk_parse_keyfile() now gets a random callback
 * mbedtls/certs.h contains test data and is not installed any more and
   not needed.

Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 ustream-mbedtls.c | 12 +++++++++++-
 ustream-mbedtls.h |  1 -
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 7fc7874..1c70cac 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -110,9 +110,15 @@ static const int default_ciphersuites_client[] =
 	AES_CBC_CIPHERS(ECDHE_ECDSA),
 	AES_CBC_CIPHERS(ECDHE_RSA),
 	AES_CBC_CIPHERS(DHE_RSA),
+/* Removed in Mbed TLS 3.0.0 */
+#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+#endif
 	AES_CIPHERS(RSA),
+/* Removed in Mbed TLS 3.0.0 */
+#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
 	MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+#endif
 	0
 };
 
@@ -171,7 +177,7 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
 	if (!ctx->cert.version)
 		return;
 
-	if (!ctx->key.pk_info)
+	if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE)
 		return;
 
 	mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
@@ -206,7 +212,11 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 {
 	int ret;
 
+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
+	ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL);
+#else
 	ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
+#endif
 	if (ret)
 		return -1;
 
diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
index e622e5e..7e7c699 100644
--- a/ustream-mbedtls.h
+++ b/ustream-mbedtls.h
@@ -21,7 +21,6 @@
 
 #include <mbedtls/net_sockets.h>
 #include <mbedtls/ssl.h>
-#include <mbedtls/certs.h>
 #include <mbedtls/x509.h>
 #include <mbedtls/rsa.h>
 #include <mbedtls/error.h>
-- 
2.39.2

More information about the openwrt-devel mailing list