From patchwork Sun Jun 18 07:01:18 2023
X-Patchwork-Submitter: abnoeh
X-Patchwork-Id: 1796217
X-Patchwork-Delegate: ynezz@true.cz
Message-ID: <976594fc-292a-58ea-2175-696a7540eeee@mail.com>
Date: Sun, 18 Jun 2023 16:01:18 +0900
To: openwrt-devel@lists.openwrt.org
From: abnoeh
Subject: preparing for Mbedtls 3
List-Id: OpenWrt Development List

Mbedtls 2.28 is planned to EOL at 2024/12 (as they only keep an LTS branch for 3 years, as the 2.7 and 2.16 trees were), so we have 1.5 years to prepare for it, and they support TLS 1.3.

I made this PR on GitHub so that openwrt/ustream-ssl can work on the mbedtls 3.x version. It looks for a deprecated macro to detect whether it was compiling for v3 vs v2. 3DES ciphers are removed in 3.0, but DES as crypto is still there.

It looks like hostapd doesn't need a patch to compile; I will try it on an mt7621 router to see if it breaks at runtime.

I don't really know what the official procedure is for submitting a patch to that repo.

GitHub PR: https://github.com/openwrt/ustream-ssl/pull/2

git diff for the PR:

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index 7fc7874..472dfa5 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c
@@ -110,9 +110,7 @@ static const int default_ciphersuites_client[] =         AES_CBC_CIPHERS(ECDHE_ECDSA),         AES_CBC_CIPHERS(ECDHE_RSA),         AES_CBC_CIPHERS(DHE_RSA), -       MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,         AES_CIPHERS(RSA), -       MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,         0  }; @@ -171,7 +169,8 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)         if (!ctx->cert.version)                 return; -       if (!ctx->key.pk_info) +// mbedtls 3.x made pk_info unexposed so we check it has a type +       if (!mbedtls_pk_get_type(&ctx->key))                 return;         mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key); @@ -205,8 +204,12 @@ __hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char  __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file)  {         int ret; - +// because we striped version info from mbedtls, use a const that removed in mbedtls 3.X +#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)         ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL); +#else +       ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL); +#endif         if (ret)                 return -1; diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h index e622e5e..7e7c699 100644 --- a/ustream-mbedtls.h +++ b/ustream-mbedtls.h @@ -21,7 +21,6 @@  #include  #include -#include  #include  #include  #include
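Review bot: in the `default_ciphersuites_client[]` hunk, the two 3DES suites (`MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA` and `MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA`) are dropped unconditionally, so the default client cipher list also changes when ustream-ssl is built against mbedtls 2.28. That is a sensible hardening (3DES is a 64-bit block cipher and mbedtls 3.0 removed those suites), but the commit message should say so as an intentional behaviour change for 2.x builds rather than only a 3.x compile fix, and any server-side ciphersuite list in the same file, which this hunk does not show, should get the same treatment.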
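Review bot: in the `ustream_ssl_update_own_cert()` hunk, `mbedtls_pk_get_type()` returns `MBEDTLS_PK_NONE` (value 0) when the context holds no key, so `!mbedtls_pk_get_type(&ctx->key)` is equivalent to the old `!ctx->key.pk_info` test and compiles on both 2.x and 3.x; spelling it `mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE` would make that intent explicit. The added `//` comment sits at column 0 inside an indented block; indent it to match the surrounding code and use the comment style the rest of the file uses.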
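Review bot: in the `__ustream_ssl_set_key_file()` hunk, keying the 2.x/3.x switch on `#if defined(MBEDTLS_DHM_RFC5114_MODP_2048_P)` is fragile: that macro is a deprecated constant in 2.x and is absent when the library is built with `MBEDTLS_DEPRECATED_REMOVED`, in which case the five-argument `mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL)` form would be compiled against the 2.x four-argument prototype and fail. Prefer `#if MBEDTLS_VERSION_NUMBER >= 0x03000000`, which is defined in `mbedtls/version.h` on 2.x and `mbedtls/build_info.h` on 3.x independently of `MBEDTLS_VERSION_C`, assuming the OpenWrt package ships that header. Since `_random` is not shown in this patch, confirm its signature matches the `f_rng` callback type and that it accepts the `NULL` `p_rng` passed here. Also fix the comment typo `striped` (stripped) and indent the comment like the code it annotates.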
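Review bot: in the ustream-mbedtls.h hunk, the name of the removed `#include` has been lost in this rendering, so a reader cannot tell which header goes away; name it in the commit message and state why it is no longer needed (or no longer exists) with mbedtls 3.x, so the change is reviewable from the log alone.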