Message ID | 976594fc-292a-58ea-2175-696a7540eeee@mail.com |
---|---|
State | Not Applicable |
Delegated to: | Petr Štetiar |
Series | preparing for Mbedtls 3 | expand |
wpad-full compiles and works (at least in a basic wifi setting) 2023-06-18 오후 4:01에 abnoeh 이(가) 쓴 글: > Mbedtls 2.28 is planed to EOL at 2024/12, (as they only keep LTS branch > just for 3 years from 2.7 and 2.16 trees are. so we have 1.5 years for > prepare for it, and they support TLS 1.3 > > > I made this PR on github to openwrt/ustream-ssl can work on mbedtls 3.x > version. > > it looksing a deprecated macro so detect it was compliing for v3 vs v2 > > 3DES ciphers are removed in 3.0, but DES as crypto is still there. > > looks like hostapd doesn't need patch to compile- will trying it on > mt7621 router if it breaks in runtime > > don't really know what's offical procedure for submit patch to that repo > > github PR: https://github.com/openwrt/ustream-ssl/pull/2 > > > git diff for the PR > > diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c > index 7fc7874..472dfa5 100644 > --- a/ustream-mbedtls.c > +++ b/ustream-mbedtls.c > @@ -110,9 +110,7 @@ static const int default_ciphersuites_client[] = > AES_CBC_CIPHERS(ECDHE_ECDSA), > AES_CBC_CIPHERS(ECDHE_RSA), > AES_CBC_CIPHERS(DHE_RSA), > - MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > AES_CIPHERS(RSA), > - MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, > 0 > }; > > @@ -171,7 +169,8 @@ static void ustream_ssl_update_own_cert(struct > ustream_ssl_ctx *ctx) > if (!ctx->cert.version) > return; > > - if (!ctx->key.pk_info) > +// mbedtls 3.x made pk_info unexposed so we check it has a type > + if (!mbedtls_pk_get_type(&ctx->key)) > return; > > mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key); 
> @@ -205,8 +204,12 @@ __hidden int __ustream_ssl_set_crt_file(struct > ustream_ssl_ctx *ctx, const char > __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, > const char *file) > { > int ret; > - > +// because we striped version info from mbedtls, use a const that > removed in mbedtls 3.X > +#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P) > ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL); > +#else > + ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, > NULL); > +#endif > if (ret) > return -1; > > diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h > index e622e5e..7e7c699 100644 > --- a/ustream-mbedtls.h > +++ b/ustream-mbedtls.h > @@ -21,7 +21,6 @@ > > #include <mbedtls/net_sockets.h> > #include <mbedtls/ssl.h> > -#include <mbedtls/certs.h> > #include <mbedtls/x509.h> > #include <mbedtls/rsa.h> > #include <mbedtls/error.h> > > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 7fc7874..472dfa5 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -110,9 +110,7 @@ static const int default_ciphersuites_client[] =
 AES_CBC_CIPHERS(ECDHE_ECDSA),
 AES_CBC_CIPHERS(ECDHE_RSA),
 AES_CBC_CIPHERS(DHE_RSA),
- MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 AES_CIPHERS(RSA),
- MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 0
 };
 
@@ -171,7 +169,8 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
 if (!ctx->cert.version)
 return;
 
- if (!ctx->key.pk_info)
+// mbedtls 3.x made pk_info unexposed so we check it has a type
+ if (!mbedtls_pk_get_type(&ctx->key))
 return;
 
 mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
@@ -205,8 +204,12 @@ __hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char
 __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file)
 {
 int ret;
-
+// because we striped version info from mbedtls, use a const that removed in mbedtls 3.X
+#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)
 ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
+#else
+ ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL);
+#endif
 if (ret)
 return -1;
 
diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
index e622e5e..7e7c699 100644
--- a/ustream-mbedtls.h
+++ b/ustream-mbedtls.h
@@ -21,7 +21,6 @@
 
 #include <mbedtls/net_sockets.h>
 #include <mbedtls/ssl.h>
-#include <mbedtls/certs.h>
 #include <mbedtls/x509.h>
 #include <mbedtls/rsa.h>
 #include <mbedtls/error.h>
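Review bot: The removal of MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA from default_ciphersuites_client is unconditional, so it also changes the cipher list a build against mbedtls 2.28 offers, while the cover text presents the series as a 3.x build fix. That is the desirable outcome — 3DES is a 64-bit block cipher and these suites no longer exist in mbedtls 3.0 — but it is a behaviour change for existing deployments and belongs in the commit message, e.g. `Drop the two 3DES suites from the client default list on every mbedtls version: they were removed in 3.0 and are weak (64-bit block size).` If a server-side default list exists elsewhere in this file, it should be checked for the same entries; it is not visible in this hunk.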
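Review bot: The new comment in ustream_ssl_update_own_cert sits at column 0 inside the function body and does not say what value the replacement check relies on; since mbedtls_pk_get_type() returns MBEDTLS_PK_NONE (0) for a context with no key loaded, that is the fact a reader needs. I would indent it with the surrounding code and write `/* mbedtls 3.x makes pk_info private; mbedtls_pk_get_type() yields MBEDTLS_PK_NONE when no key has been loaded */`. The function starts before this hunk, so the file's prevailing comment style (`//` versus `/* */`) cannot be confirmed from here; match whatever it uses.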
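Review bot: `#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)` in __ustream_ssl_set_key_file selects the mbedtls_pk_parse_keyfile() signature by probing an unrelated, deprecated DHM constant, so a 2.x build with deprecated definitions disabled would fall into the 3.x branch and fail to compile with a confusing error, and a future 2.x release could drop the constant for the same effect. mbedtls exposes MBEDTLS_VERSION_NUMBER as a preprocessor macro (version.h on 2.x, build_info.h on 3.x) independently of the runtime version module, so unless the packaged headers are confirmed to lack it, `#if MBEDTLS_VERSION_NUMBER >= 0x03000000` is the intended check; the comment above it should then explain the signature change rather than the workaround, e.g. `/* mbedtls 3.x requires an RNG callback for encrypted key files */`, which also fixes the "striped"/"a const that removed" wording. `_random` is presumably the file's existing RNG callback — confirm its signature matches the mbedtls_pk_parse_keyfile() f_rng parameter, since the verifier cannot see its definition here.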