From patchwork Tue Oct 17 17:05:59 2023
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3395
From: "MaxF (Code Review)"
Date: Tue, 17 Oct 2023 17:05:59 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Reply-To: max@max-fillinger.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Message-ID: <6bd2af685d5f2fa8282de05ca43ebcdd81d798f5-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.2
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I143ca14c27c0c378b5e6b4184e80890d2c0e225e
X-Gerrit-Change-Number: 371
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 20aef1abe583d361ac25e06af063acdb79e9a4ea
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Add compatibility functions for mbedtls 2.X.Y

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit http://gerrit.openvpn.net/c/openvpn/+/371?usp=email to review the following change.

Change subject: Add compatibility functions for mbedtls 2.X.Y ...................................................................... Add compatibility functions for mbedtls 2.X.Y Change-Id: I143ca14c27c0c378b5e6b4184e80890d2c0e225e Signed-off-by: Max Fillinger --- M configure.ac M src/openvpn/crypto_mbedtls.c A src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c M src/openvpn/ssl_verify_mbedtls.c 5 files changed, 211 insertions(+), 36 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/71/371/1 diff --git a/configure.ac b/configure.ac index 2072e8c..6658485 100644 --- a/configure.ac +++ b/configure.ac @@ -1025,6 +1025,12 @@ [AC_MSG_ERROR([mbed TLS version >= 2.16.12 or >= 3.2.1 required])] ) + AC_CHECK_HEADER( + psa/crypto.h, + [AC_DEFINE([MBEDTLS_HAVE_PSA_CRYPTO_H], [1], [yes])], + [AC_DEFINE([MBEDTLS_HAVE_PSA_CRYPTO_H], [0], [no])] + ) + AC_CHECK_FUNCS( [ \ mbedtls_cipher_write_tag \ diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index e85e4de..f244863 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -41,6 +41,7 @@ #include "integer.h" #include "crypto_backend.h" #include "otime.h" +#include "mbedtls_compat.h" #include "misc.h" #include diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h new file mode 100644 index 0000000..eac647d --- /dev/null +++ b/src/openvpn/mbedtls_compat.h 
@@ -0,0 +1,151 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 Fox Crypto B.V. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/** + * @file mbedtls compatibility stub + * + * This file provide compatibility stubs for the mbedtls libraries + * prior to version 3. This version made most fields in structs private + * and requires accessor functions to be used. For earlier versions, we + * implement the accessor functions here. 
+ */ + +#ifndef MBEDTLS_COMPAT_H_ +#define MBEDTLS_COMPAT_H_ + +#include "errlevel.h" + +#include +#include +#include +#include +#include +#include +#include + +#if MBEDTLS_HAVE_PSA_CRYPTO_H + #include +#endif + +static inline void +mbedtls_compat_psa_crypto_init(void) +{ +#if MBEDTLS_HAVE_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) + if (psa_crypto_init() != PSA_SUCCESS) + { + msg(M_FATAL, "mbedtls: psa_crypto_init() failed"); + } +#else + return; +#endif /* MBEDTLS_HAVE_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ +} + +static inline int +mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx, + const unsigned char *key, size_t keylen, + const unsigned char *pwd, size_t pwdlen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) +{ +#if MBEDTLS_VERSION_NUMBER < 0x03020100 + return mbedtls_pk_parse_key(ctx, key, keylen, pwd, pwdlen); +#else + return mbedtls_pk_parse_key(ctx, key, keylen, pwd, pwdlen, f_rng, p_rng); +#endif +} + +static inline int +mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx, + const char *path, const char *password, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) +{ +#if MBEDTLS_VERSION_NUMBER < 0x03020100 + return mbedtls_pk_parse_keyfile(ctx, path, password); +#else + return mbedtls_pk_parse_keyfile(ctx, path, password, f_rng, p_rng); +#endif +} + +#if MBEDTLS_VERSION_NUMBER < 0x03020100 +static inline unsigned int +mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher) +{ + return cipher->block_size; +} + +static inline unsigned int +mbedtls_cipher_info_get_iv_size(const mbedtls_cipher_info_t *cipher) +{ + return cipher->iv_size; +} + +static inline unsigned int +mbedtls_cipher_info_get_key_bitlen(const mbedtls_cipher_info_t *cipher) +{ + return cipher->key_bitlen; +} + +static inline mbedtls_cipher_mode_t +mbedtls_cipher_info_get_mode(const mbedtls_cipher_info_t *cipher) +{ + return cipher->mode; +} + +static inline const char * +mbedtls_cipher_info_get_name(const mbedtls_cipher_info_t 
*cipher) +{ + return cipher->name; +} + +static inline mbedtls_cipher_type_t +mbedtls_cipher_info_get_type(const mbedtls_cipher_info_t *cipher) +{ + return cipher->type; +} + +static inline size_t +mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx) +{ + return 8 * ctx->len; +} + +static inline const mbedtls_md_info_t * +mbedtls_md_info_from_ctx(const mbedtls_md_context_t *ctx) +{ + return ctx->md_info; +} + +static inline const unsigned char * +mbedtls_pem_get_buffer(const mbedtls_pem_context *ctx, size_t *buf_size) +{ + *buf_size = ctx->buflen; + return ctx->buf; +} + +static inline int +mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, int ext_type) +{ + return ctx->ext_types & ext_type; +} +#endif /* MBEDTLS_VERSION_NUMBER < 0x03020100 */ + +#endif /* MBEDTLS_COMPAT_H_ */ diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index a4ed722..cdb0ebe 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -41,6 +41,7 @@ #include "buffer.h" #include "misc.h" #include "manage.h" +#include "mbedtls_compat.h" #include "pkcs11_backend.h" #include "ssl_common.h" @@ -54,8 +55,6 @@ #include #include -#include - /** * Compatibility: mbedtls_ctr_drbg_update was deprecated in mbedtls 2.16 and * replaced with mbedtls_ctr_drbg_update_ret, which returns an error code. @@ -106,7 +105,7 @@ void tls_init_lib(void) { - (void)psa_crypto_init(); + mbedtls_compat_psa_crypto_init(); } void 
@@ -503,40 +502,40 @@ if (priv_key_inline) { - status = mbedtls_pk_parse_key(ctx->priv_key, - (const unsigned char *) priv_key_file, - strlen(priv_key_file) + 1, NULL, 0, - mbedtls_ctr_drbg_random, - rand_ctx_get()); + status = mbedtls_compat_pk_parse_key(ctx->priv_key, + (const unsigned char *) priv_key_file, + strlen(priv_key_file) + 1, NULL, 0, + mbedtls_ctr_drbg_random, + rand_ctx_get()); if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) { char passbuf[512] = {0}; pem_password_callback(passbuf, 512, 0, NULL); - status = mbedtls_pk_parse_key(ctx->priv_key, - (const unsigned char *) priv_key_file, - strlen(priv_key_file) + 1, - (unsigned char *) passbuf, - strlen(passbuf), - mbedtls_ctr_drbg_random, - rand_ctx_get()); + status = mbedtls_compat_pk_parse_key(ctx->priv_key, + (const unsigned char *) priv_key_file, + strlen(priv_key_file) + 1, + (unsigned char *) passbuf, + strlen(passbuf), + mbedtls_ctr_drbg_random, + rand_ctx_get()); } } else { - status = mbedtls_pk_parse_keyfile(ctx->priv_key, - priv_key_file, - NULL, - mbedtls_ctr_drbg_random, - rand_ctx_get()); + status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, + priv_key_file, + NULL, + mbedtls_ctr_drbg_random, + rand_ctx_get()); if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) { char passbuf[512] = {0}; pem_password_callback(passbuf, 512, 0, NULL); - status = mbedtls_pk_parse_keyfile(ctx->priv_key, - priv_key_file, passbuf, - mbedtls_ctr_drbg_random, - rand_ctx_get()); + status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, + priv_key_file, passbuf, + mbedtls_ctr_drbg_random, + rand_ctx_get()); } } if (!mbed_ok(status)) @@ -553,9 +552,12 @@ } if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, - ctx->priv_key, - mbedtls_ctr_drbg_random, - rand_ctx_get()))) + ctx->priv_key +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 + , mbedtls_ctr_drbg_random, + rand_ctx_get() +#endif + ))) { msg(M_WARN, "Private key does not match the certificate"); return 1; 
@@ -585,6 +587,9 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, +#if MBEDTLS_VERSION_NUMBER < 0x03020100 + int mode, +#endif mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { @@ -599,6 +604,13 @@ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } +#if MBEDTLS_VERSION_NUMBER < 0x03020100 + if (MBEDTLS_RSA_PRIVATE != mode) + { + return MBEDTLS_RSA_BAD_INPUT_DATA; + } +#endif + /* * Support a wide range of hashes. TLSv1.1 and before only need SIG_RSA_RAW, * but TLSv1.2 needs the full suite of hashes. @@ -1173,7 +1185,7 @@ /* Initialize minimum TLS version */ { - const int tls_version_min = + const int configured_tls_version_min = (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) &SSLF_TLS_VERSION_MIN_MASK; @@ -1181,9 +1193,9 @@ int major = MBEDTLS_SSL_MAJOR_VERSION_3; int minor = MBEDTLS_SSL_MINOR_VERSION_3; - if (tls_version_min > TLS_VER_UNSPEC) + if (configured_tls_version_min > TLS_VER_UNSPEC) { - tls_version_to_major_minor(tls_version_min, &major, &minor); + tls_version_to_major_minor(configured_tls_version_min, &major, &minor); } mbedtls_ssl_conf_min_version(ks_ssl->ssl_config, major, minor); 
@@ -1191,17 +1203,21 @@ /* Initialize maximum TLS version */ { - const int tls_version_max = + const int configured_tls_version_max = (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &SSLF_TLS_VERSION_MAX_MASK; - /* default to TLS 1.3 */ - int major = MBEDTLS_SSL_MAJOR_VERSION_3; - int minor = MBEDTLS_SSL_MINOR_VERSION_4; + int major = 0; + int minor = 0; - if (tls_version_max > TLS_VER_UNSPEC) + if (configured_tls_version_max > TLS_VER_UNSPEC) { - tls_version_to_major_minor(tls_version_max, &major, &minor); + tls_version_to_major_minor(configured_tls_version_max, &major, &minor); + } + else + { + /* Default to tls_version_max(). */ + tls_version_to_major_minor(tls_version_max(), &major, &minor); } mbedtls_ssl_conf_max_version(ks_ssl->ssl_config, major, minor); diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 33c3769..ce21324 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -35,6 +35,7 @@ #if defined(ENABLE_CRYPTO_MBEDTLS) #include "crypto_mbedtls.h" +#include "mbedtls_compat.h" #include "ssl_verify.h" #include #include
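
Review bot: In the configure.ac hunk, the AC_DEFINE descriptions for MBEDTLS_HAVE_PSA_CRYPTO_H are just [yes] and [no], and that text is what ends up as the comment in the generated config header. Use one descriptive string, for example "Define to 1 if psa/crypto.h is available", and consider whether the second AC_DEFINE to 0 is needed at all, since mbedtls_compat.h tests the macro with #if, which already treats an undefined macro as 0.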
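
Review bot: In the new src/openvpn/mbedtls_compat.h, mbedtls_dhm_get_bitlen() returns 8 * ctx->len, which is always a multiple of 8 and so can only report whole bytes, not an exact bit length. If any caller logs or compares the DH parameter size, either derive it from the prime itself or add a comment stating that the 2.x fallback is byte-granular. The file comment also needs a touch-up: "@file" expects a file name, and "This file provide" should read "provides".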
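
Review bot: In the tls_init_lib() hunk of ssl_mbedtls.c, the old call discarded the result with (void)psa_crypto_init(), while the replacement mbedtls_compat_psa_crypto_init() calls msg(M_FATAL, ...) on any return other than PSA_SUCCESS. A previously ignored failure now becomes a fatal one; that looks like the right direction, but it is a behaviour change beyond "compatibility functions", so please mention it in the commit message.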
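
Review bot: In the mbedtls_pk_check_pair() hunk, the guard is MBEDTLS_VERSION_NUMBER >= 0x03000000, but every other version switch in this change (mbedtls_compat.h and external_pkcs1_sign) uses < 0x03020100, so for a 3.0.0 to 3.2.0 build the two conditions disagree about which API shape is in use. The configure.ac message "mbed TLS version >= 2.16.12 or >= 3.2.1 required" means that range is rejected today, but using one constant throughout, or adding an mbedtls_compat_pk_check_pair() wrapper next to the pk_parse_key ones, would keep the thresholds consistent and remove the #if from the middle of the argument list.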
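
Review bot: In the external_pkcs1_sign() hunk at -599, the new mode check returns MBEDTLS_RSA_BAD_INPUT_DATA, while the unchanged return a few lines above it uses MBEDTLS_ERR_RSA_BAD_INPUT_DATA. The ERR_ prefix looks dropped by mistake, and because this branch is only compiled for MBEDTLS_VERSION_NUMBER < 0x03020100, a build against 3.x will not catch it. Please use MBEDTLS_ERR_RSA_BAD_INPUT_DATA here and build-test against a 2.x library.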
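
Review bot: In the "Initialize maximum TLS version" hunk, major and minor now start at 0 instead of the previous MBEDTLS_SSL_MAJOR_VERSION_3 / MBEDTLS_SSL_MINOR_VERSION_4 defaults, so what reaches mbedtls_ssl_conf_max_version() depends entirely on tls_version_to_major_minor() filling both in. If that helper can return without writing them, for example for a version it does not recognise, 0/0 is passed to the library; keep a valid initial value or handle that case explicitly. The default also changes from a hard-coded TLS 1.3 to whatever tls_version_max() reports, which deserves a line in the commit message.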