[PATCH ustream-ssl 1/2] ustream-mbedtls: Add compatibility with Mbed TLS 3.0.0

Rosen Penev rosenp at gmail.com
Sun Nov 12 11:16:19 PST 2023


On Sat, Nov 11, 2023 at 1:35 PM Hauke Mehrtens <hauke at hauke-m.de> wrote:
>
> This adds support for compiling the code against Mbed TLS 3.0.0.
> It still compiles against Mbed TLS 2.28.
>
> The following changes were needed:
>  * DES and 3DES were removed
>  * mbedtls_pk_context->pk_info is private, use mbedtls_pk_get_type()
>    to check if it was initialized
>  * mbedtls_pk_parse_keyfile() now gets a random callback
>  * mbedtls/certs.h contains test data, is not installed any more and
>    is not needed.
>
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
>  ustream-mbedtls.c | 12 +++++++++++-
>  ustream-mbedtls.h |  1 -
>  2 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
> index 7fc7874..1c70cac 100644
> --- a/ustream-mbedtls.c
> +++ b/ustream-mbedtls.c
> @@ -110,9 +110,15 @@ static const int default_ciphersuites_client[] =
>         AES_CBC_CIPHERS(ECDHE_ECDSA),
>         AES_CBC_CIPHERS(ECDHE_RSA),
>         AES_CBC_CIPHERS(DHE_RSA),
> +/* Removed in Mbed TLS 3.0.0 */
Are these for Windows XP compatibility?
> +#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>         MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> +#endif
>         AES_CIPHERS(RSA),
> +/* Removed in Mbed TLS 3.0.0 */
> +#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> +#endif
>         0
>  };
>
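Review bot: with these guards the default client list now depends on which library it was built against, since MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA only survive on 2.28 builds; either drop the two 3DES entries unconditionally (3DES is a 64-bit block cipher that NIST has deprecated and that 3.0 has already removed, so offering it only on older builds buys little) or state in the commit message why 2.28 builds should keep advertising it. Minor style nit: the two `/* Removed in Mbed TLS 3.0.0 */` comments sit at column 0 inside an indented initializer; indent them to match the entries they describe.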
> @@ -171,7 +177,7 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
>         if (!ctx->cert.version)
>                 return;
>
> -       if (!ctx->key.pk_info)
> +       if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE)
>                 return;
>
>         mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
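Review bot: no functional objection, and no version guard is needed here because mbedtls_pk_get_type() also returns MBEDTLS_PK_NONE on 2.28 when pk_info is NULL. The commit message wording "to check if it was initialized" is slightly off, though: mbedtls_pk_init() leaves the type at MBEDTLS_PK_NONE, so what this check actually tests is whether a key has been parsed into ctx->key; consider rewording the bullet that way.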
> @@ -206,7 +212,11 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
>  {
>         int ret;
>
> +#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
> +       ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL);
> +#else
>         ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
> +#endif
>         if (ret)
>                 return -1;
>
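Review bot: `#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)` assumes MBEDTLS_VERSION_NUMBER is defined at this point, and nothing in the includes visible in ustream-mbedtls.h (net_sockets.h, ssl.h, x509.h, rsa.h, error.h) guarantees that mbedtls/version.h is pulled in on 2.28. If the macro is undefined, the preprocessor evaluates it as 0 and takes the 2.28 branch, which is the right one today only by accident and is exactly what -Wundef warns about; add an explicit `#include <mbedtls/version.h>` (available on both 2.28 and 3.x) so the comparison is deliberate. Also, the 3.x call passes `_random` with a NULL p_rng; a one-line comment noting that _random ignores its context argument would save the next reader from checking.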
> diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
> index e622e5e..7e7c699 100644
> --- a/ustream-mbedtls.h
> +++ b/ustream-mbedtls.h
> @@ -21,7 +21,6 @@
>
>  #include <mbedtls/net_sockets.h>
>  #include <mbedtls/ssl.h>
> -#include <mbedtls/certs.h>
>  #include <mbedtls/x509.h>
>  #include <mbedtls/rsa.h>
>  #include <mbedtls/error.h>
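Review bot: dropping the include unconditionally is right, since certs.h only provided mbedtls_test_* sample certificates and keys on 2.28 as well; it would be worth confirming in the commit message that no other file in the tree (tests, examples) still includes the header or references those symbols, because on 3.x, where the header is no longer installed, that becomes a hard build failure rather than a warning.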
> --
> 2.39.2
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
