Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1412?usp=email
to review the following change.
Change subject: Drop Mbed TLS 2.X compatibility
......................................................................
Drop Mbed TLS 2.X compatibility
Mbed TLS 2.28 is out of support since March and adding support for
Mbed TLS 4 will get ugly enough without the old compatibility code lying
around too.
Mbed TLS 2.28 still ships on some supported distributions
(e.g. Ubuntu 24.04) but nobody is maintaining openvpn-mbedtls packages
there. This commit will probably break on some test machines.
Change-Id: Ia4afabcb6006dc9304a4c09f824d9c7c2d4d64ad
Signed-off-by: Max Fillinger <[email protected]>
---
M configure.ac
M src/openvpn/crypto_mbedtls.c
M src/openvpn/mbedtls_compat.h
M src/openvpn/ssl_mbedtls.c
M src/openvpn/ssl_mbedtls.h
M src/openvpn/ssl_verify_mbedtls.c
6 files changed, 19 insertions(+), 221 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/12/1412/1
diff --git a/configure.ac b/configure.ac
index 44c7b65..ad86031 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1020,13 +1020,13 @@
#include <mbedtls/version.h>
]],
[[
-#if MBEDTLS_VERSION_NUMBER < 0x02000000 || (MBEDTLS_VERSION_NUMBER >=
0x03000000 && MBEDTLS_VERSION_NUMBER < 0x03020100)
+#if MBEDTLS_VERSION_NUMBER < 0x03020100
#error invalid version
#endif
]]
)],
[AC_MSG_RESULT([ok])],
- [AC_MSG_ERROR([mbed TLS version >= 2.0.0 or >= 3.2.1 required])]
+ [AC_MSG_ERROR([mbed TLS version >= 3.2.1 required])]
)
AC_CHECK_HEADERS(psa/crypto.h)
@@ -1043,12 +1043,6 @@
fi
fi
- AC_CHECK_FUNC(
- [mbedtls_ctr_drbg_update_ret],
- AC_DEFINE([HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET], [1],
- [Use mbedtls_ctr_drbg_update_ret from mbed TLS]),
- )
-
CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 89f0ab9..63c665f 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -41,7 +41,6 @@
#include "integer.h"
#include "crypto_backend.h"
#include "otime.h"
-#include "mbedtls_compat.h"
#include "misc.h"
#include <mbedtls/base64.h>
diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h
index 68096c4..540f370 100644
--- a/src/openvpn/mbedtls_compat.h
+++ b/src/openvpn/mbedtls_compat.h
@@ -23,10 +23,8 @@
/**
* @file
* mbedtls compatibility stub.
- * This file provide compatibility stubs for the mbedtls libraries
- * prior to version 3. This version made most fields in structs private
- * and requires accessor functions to be used. For earlier versions, we
- * implement the accessor functions here.
+ * This file provides compatibility stubs to handle API differences between
+ * different versions of Mbed TLS.
*/
#ifndef MBEDTLS_COMPAT_H_
@@ -36,27 +34,10 @@
#include "errlevel.h"
-#include <mbedtls/cipher.h>
-#include <mbedtls/ctr_drbg.h>
-#include <mbedtls/dhm.h>
-#include <mbedtls/ecp.h>
-#include <mbedtls/md.h>
-#include <mbedtls/pem.h>
-#include <mbedtls/pk.h>
-#include <mbedtls/ssl.h>
-#include <mbedtls/version.h>
-#include <mbedtls/x509_crt.h>
-
#ifdef HAVE_PSA_CRYPTO_H
#include <psa/crypto.h>
#endif
-#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-typedef uint16_t mbedtls_compat_group_id;
-#else
-typedef mbedtls_ecp_group_id mbedtls_compat_group_id;
-#endif
-
static inline void
mbedtls_compat_psa_crypto_init(void)
{
@@ -70,162 +51,4 @@
#endif
}
-static inline mbedtls_compat_group_id
-mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info)
-{
-#if MBEDTLS_VERSION_NUMBER >= 0x03000000
- return curve_info->tls_id;
-#else
- return curve_info->grp_id;
-#endif
-}
-
-/*
- * In older versions of mbedtls, mbedtls_ctr_drbg_update() did not return an
- * error code, and it was deprecated in favor of mbedtls_ctr_drbg_update_ret()
- * which does.
- *
- * In mbedtls 3, this function was removed and mbedtls_ctr_drbg_update()
returns
- * an error code.
- */
-static inline int
-mbedtls_compat_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx, const unsigned
char *additional,
- size_t add_len)
-{
-#if MBEDTLS_VERSION_NUMBER > 0x03000000
- return mbedtls_ctr_drbg_update(ctx, additional, add_len);
-#elif defined(HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET)
- return mbedtls_ctr_drbg_update_ret(ctx, additional, add_len);
-#else
- mbedtls_ctr_drbg_update(ctx, additional, add_len);
- return 0;
-#endif /* HAVE_MBEDTLS_CTR_DRBG_UPDATE_RET */
-}
-
-static inline int
-mbedtls_compat_pk_check_pair(const mbedtls_pk_context *pub, const
mbedtls_pk_context *prv,
- int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
-{
-#if MBEDTLS_VERSION_NUMBER < 0x03020100
- return mbedtls_pk_check_pair(pub, prv);
-#else
- return mbedtls_pk_check_pair(pub, prv, f_rng, p_rng);
-#endif /* MBEDTLS_VERSION_NUMBER < 0x03020100 */
-}
-
-static inline int
-mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx, const unsigned char *key,
size_t keylen,
- const unsigned char *pwd, size_t pwdlen,
- int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
-{
-#if MBEDTLS_VERSION_NUMBER < 0x03020100
- return mbedtls_pk_parse_key(ctx, key, keylen, pwd, pwdlen);
-#else
- return mbedtls_pk_parse_key(ctx, key, keylen, pwd, pwdlen, f_rng, p_rng);
-#endif
-}
-
-static inline int
-mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx, const char *path,
const char *password,
- int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
-{
-#if MBEDTLS_VERSION_NUMBER < 0x03020100
- return mbedtls_pk_parse_keyfile(ctx, path, password);
-#else
- return mbedtls_pk_parse_keyfile(ctx, path, password, f_rng, p_rng);
-#endif
-}
-
-#if MBEDTLS_VERSION_NUMBER < 0x03020100
-typedef enum
-{
- MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version
not yet negotiated. */
- MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */
- MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */
-} mbedtls_ssl_protocol_version;
-
-static inline void
-mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf,
mbedtls_ssl_protocol_version tls_version)
-{
- int major = (tls_version >> 8) & 0xff;
- int minor = tls_version & 0xff;
- mbedtls_ssl_conf_min_version(conf, major, minor);
-}
-
-static inline void
-mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf,
mbedtls_ssl_protocol_version tls_version)
-{
- int major = (tls_version >> 8) & 0xff;
- int minor = tls_version & 0xff;
- mbedtls_ssl_conf_max_version(conf, major, minor);
-}
-
-static inline void
-mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id
*groups)
-{
- mbedtls_ssl_conf_curves(conf, groups);
-}
-
-static inline size_t
-mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher)
-{
- return (size_t)cipher->block_size;
-}
-
-static inline size_t
-mbedtls_cipher_info_get_iv_size(const mbedtls_cipher_info_t *cipher)
-{
- return (size_t)cipher->iv_size;
-}
-
-static inline size_t
-mbedtls_cipher_info_get_key_bitlen(const mbedtls_cipher_info_t *cipher)
-{
- return (size_t)cipher->key_bitlen;
-}
-
-static inline mbedtls_cipher_mode_t
-mbedtls_cipher_info_get_mode(const mbedtls_cipher_info_t *cipher)
-{
- return cipher->mode;
-}
-
-static inline const char *
-mbedtls_cipher_info_get_name(const mbedtls_cipher_info_t *cipher)
-{
- return cipher->name;
-}
-
-static inline mbedtls_cipher_type_t
-mbedtls_cipher_info_get_type(const mbedtls_cipher_info_t *cipher)
-{
- return cipher->type;
-}
-
-static inline size_t
-mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
-{
- return 8 * ctx->len;
-}
-
-static inline const mbedtls_md_info_t *
-mbedtls_md_info_from_ctx(const mbedtls_md_context_t *ctx)
-{
- return ctx->md_info;
-}
-
-static inline const unsigned char *
-mbedtls_pem_get_buffer(const mbedtls_pem_context *ctx, size_t *buf_size)
-{
- *buf_size = ctx->buflen;
- return ctx->buf;
-}
-
-static inline int
-mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, int ext_type)
-{
- return ctx->ext_types & ext_type;
-}
-#endif /* MBEDTLS_VERSION_NUMBER < 0x03020100 */
-
#endif /* MBEDTLS_COMPAT_H_ */
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 488f9b9..3e000ef 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -49,13 +49,8 @@
#include "ssl_verify_mbedtls.h"
#include <mbedtls/debug.h>
#include <mbedtls/error.h>
-#include <mbedtls/version.h>
-
-#if MBEDTLS_VERSION_NUMBER >= 0x02040000
#include <mbedtls/net_sockets.h>
-#else
-#include <mbedtls/net.h>
-#endif
+#include <mbedtls/version.h>
#include <mbedtls/oid.h>
#include <mbedtls/pem.h>
@@ -397,7 +392,7 @@
/* Get number of groups and allocate an array in ctx */
int groups_count = get_num_elements(groups, ':');
- ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1)
+ ALLOC_ARRAY_CLEAR(ctx->groups, uint16_t, groups_count + 1)
/* Parse allowed ciphers, getting IDs */
int i = 0;
@@ -413,7 +408,7 @@
}
else
{
- ctx->groups[i] = mbedtls_compat_get_group_id(ci);
+ ctx->groups[i] = ci->tls_id;
i++;
}
}
@@ -537,29 +532,29 @@
if (priv_key_inline)
{
- status = mbedtls_compat_pk_parse_key(ctx->priv_key, (const unsigned
char *)priv_key_file,
- strlen(priv_key_file) + 1, NULL,
0,
- mbedtls_ctr_drbg_random,
rand_ctx_get());
+ status = mbedtls_pk_parse_key(ctx->priv_key, (const unsigned char
*)priv_key_file,
+ strlen(priv_key_file) + 1, NULL, 0,
+ mbedtls_ctr_drbg_random, rand_ctx_get());
if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
{
char passbuf[512] = { 0 };
pem_password_callback(passbuf, 512, 0, NULL);
- status = mbedtls_compat_pk_parse_key(
+ status = mbedtls_pk_parse_key(
ctx->priv_key, (const unsigned char *)priv_key_file,
strlen(priv_key_file) + 1,
(unsigned char *)passbuf, strlen(passbuf),
mbedtls_ctr_drbg_random, rand_ctx_get());
}
}
else
{
- status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, priv_key_file,
NULL,
- mbedtls_ctr_drbg_random,
rand_ctx_get());
+ status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL,
+ mbedtls_ctr_drbg_random,
rand_ctx_get());
if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
{
char passbuf[512] = { 0 };
pem_password_callback(passbuf, 512, 0, NULL);
- status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key,
priv_key_file, passbuf,
- mbedtls_ctr_drbg_random,
rand_ctx_get());
+ status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file,
passbuf,
+ mbedtls_ctr_drbg_random,
rand_ctx_get());
}
}
if (!mbed_ok(status))
@@ -575,8 +570,8 @@
return 1;
}
- if (!mbed_ok(mbedtls_compat_pk_check_pair(&ctx->crt_chain->pk,
ctx->priv_key,
- mbedtls_ctr_drbg_random,
rand_ctx_get())))
+ if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key,
+ mbedtls_ctr_drbg_random,
rand_ctx_get())))
{
msg(M_WARN, "Private key does not match the certificate");
return 1;
@@ -610,9 +605,6 @@
*/
static inline int
external_pkcs1_sign(void *ctx_voidptr, int (*f_rng)(void *, unsigned char *,
size_t), void *p_rng,
-#if MBEDTLS_VERSION_NUMBER < 0x03020100
- int mode,
-#endif
mbedtls_md_type_t md_alg, unsigned int hashlen, const
unsigned char *hash,
unsigned char *sig)
{
@@ -627,13 +619,6 @@
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
-#if MBEDTLS_VERSION_NUMBER < 0x03020100
- if (MBEDTLS_RSA_PRIVATE != mode)
- {
- return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
- }
-#endif
-
/*
* Support a wide range of hashes. TLSv1.1 and before only need
SIG_RSA_RAW,
* but TLSv1.2 needs the full suite of hashes.
@@ -1000,7 +985,7 @@
if (0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash)))
{
- if (!mbed_ok(mbedtls_compat_ctr_drbg_update(cd_ctx, sha256_hash,
32)))
+ if (!mbed_ok(mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32)))
{
msg(M_WARN, "WARNING: failed to personalise random, could not
update CTR_DRBG");
}
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index 0f85d96..8380a116 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -39,8 +39,6 @@
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#endif
-#include "mbedtls_compat.h"
-
typedef struct _buffer_entry buffer_entry;
struct _buffer_entry
@@ -130,7 +128,7 @@
#endif
struct external_context external_key; /**< External key context */
int *allowed_ciphers; /**< List of allowed ciphers for
this connection */
- mbedtls_compat_group_id *groups; /**< List of allowed groups for
this connection */
+ uint16_t *groups; /**< List of allowed groups for
this connection */
mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */
};
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index 80ef837..250c806 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -35,7 +35,6 @@
#if defined(ENABLE_CRYPTO_MBEDTLS)
#include "crypto_mbedtls.h"
-#include "mbedtls_compat.h"
#include "ssl_verify.h"
#include <mbedtls/asn1.h>
#include <mbedtls/error.h>
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1412?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia4afabcb6006dc9304a4c09f824d9c7c2d4d64ad
Gerrit-Change-Number: 1412
Gerrit-PatchSet: 1
Gerrit-Owner: MaxF <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
