#include "ustream-ssl.h"
#include "ustream-internal.h"
+#include <psa/crypto.h>
+#include <mbedtls/debug.h>
+
+static void debug_cb(void *ctx_p, int level,
+ const char *file, int line,
+ const char *str)
+{
+ struct ustream_ssl_ctx *ctx = ctx_p;
+ const char *fstr;
+ char buf[512];
+ int len;
+
+ if (!ctx->debug_cb)
+ return;
+
+ while ((fstr = strstr(file + 1, "library/")) != NULL)
+ file = fstr;
+
+ len = snprintf(buf, sizeof(buf), "%s:%04d: %s", file, line, str);
+ if (len >= (int)sizeof(buf))
+ len = (int)sizeof(buf) - 1;
+ if (buf[len - 1] == '\n')
+ buf[len - 1] = 0;
+ ctx->debug_cb(ctx->debug_cb_priv, level, buf);
+}
static int s_ustream_read(void *ctx, unsigned char *buf, size_t len)
{
static int _random(void *ctx, unsigned char *out, size_t len)
{
- ssize_t ret;
+#ifdef linux
+ if (getrandom(out, len, 0) != (ssize_t) len)
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+#else
+ static FILE *f;
- ret = getrandom(out, len, 0);
- if (ret < 0 || (size_t)ret != len)
+ if (!f)
+ f = fopen("/dev/urandom", "r");
+ if (fread(out, len, 1, f) != 1)
return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+#endif
return 0;
}
static const int default_ciphersuites_server[] =
{
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+ MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
+ MBEDTLS_TLS1_3_AES_128_GCM_SHA256,
+ MBEDTLS_TLS1_3_AES_128_CCM_SHA256,
+ MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,
+#endif
+
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
AES_GCM_CIPHERS(ECDHE_ECDSA),
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
static const int default_ciphersuites_client[] =
{
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+ MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
+ MBEDTLS_TLS1_3_AES_128_GCM_SHA256,
+ MBEDTLS_TLS1_3_AES_128_CCM_SHA256,
+ MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,
+#endif
+
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
AES_GCM_CIPHERS(ECDHE_ECDSA),
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
AES_CBC_CIPHERS(ECDHE_ECDSA),
AES_CBC_CIPHERS(ECDHE_RSA),
AES_CBC_CIPHERS(DHE_RSA),
+/* Removed in Mbed TLS 3.0.0 */
+#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+#endif
AES_CIPHERS(RSA),
+/* Removed in Mbed TLS 3.0.0 */
+#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+#endif
0
};
mbedtls_ssl_config *conf;
int ep;
+#ifdef MBEDTLS_PSA_CRYPTO_C
+ static bool psa_init;
+
+ if (!psa_init && !psa_crypto_init())
+ psa_init = true;
+#endif
+
ctx = calloc(1, sizeof(*ctx));
if (!ctx)
return NULL;
if (!ctx->cert.version)
return;
- if (!ctx->key.pk_info)
+ if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE)
return;
mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
{
int ret;
+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
+ ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL);
+#else
ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
+#endif
if (ret)
return -1;
if (!require)
mode = MBEDTLS_SSL_VERIFY_NONE;
+ /* force TLS 1.2 when not requiring validation for now */
+ if (!require && !ctx->server)
+ mbedtls_ssl_conf_max_version(&ctx->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_authmode(&ctx->conf, mode);
return 0;
return ret;
}
+__hidden void __ustream_ssl_set_debug(struct ustream_ssl_ctx *ctx, int level,
+ ustream_ssl_debug_cb cb, void *cb_priv)
+{
+ ctx->debug_cb = cb;
+ ctx->debug_cb_priv = cb_priv;
+ mbedtls_ssl_conf_dbg(&ctx->conf, debug_cb, ctx);
+ mbedtls_debug_set_threshold(level);
+}
+
__hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
{
mbedtls_ssl_context *ssl;