From 421e5f46807782177ce058c12226a913c4ec188f Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 9 Oct 2024 08:10:02 +0200
Subject: [PATCH 17/17] Add support for mbedTLS 3.x instead of mbedTLS 2.x

... which is deprecated.

This removes a sanity check (whether issuer key and issuer certificate
match) that seems overly cautious and fails to compile with mbedTLS
3.x as the struct members are private.

We don't have an equivalent check in the OpenSSL or wolfSSL code either.
---
 ssl.c | 85 ++++++++++++++++-------------------------------------------
 1 file changed, 23 insertions(+), 62 deletions(-)

diff --git a/ssl.c b/ssl.c
index 44e15574..eeb546ac 100644
--- a/ssl.c
+++ b/ssl.c
@@ -32,11 +32,7 @@
 #include <string.h>
 #include <unistd.h>
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#  include "mbedtls/config.h"
-#else
-#  include MBEDTLS_CONFIG_FILE
-#endif
+#include <mbedtls/build_info.h>
 
 #include "mbedtls/sha256.h"
 #include "mbedtls/pem.h"
@@ -143,59 +139,37 @@ extern size_t is_ssl_pending(struct ssl_attr *ssl_attr)
 extern int ssl_send_data(struct ssl_attr *ssl_attr, const unsigned char *buf, size_t len)
 {
    mbedtls_ssl_context *ssl = &ssl_attr->mbedtls_attr.ssl;
-   int ret = 0;
-   size_t max_fragment_size = 0;  /* Maximal length of data in one SSL fragment*/
-   int send_len             = 0;  /* length of one data part to send */
-   int pos                  = 0;  /* Position of unsent part in buffer */
+   int pos = 0;       /* Position of unsent part in buffer */
 
    if (len == 0)
    {
       return 0;
    }
 
-   /* Getting maximal length of data sent in one fragment */
-   max_fragment_size = mbedtls_ssl_get_max_frag_len(ssl);
-
-   /*
-    * Whole buffer must be sent in many fragments, because each fragment
-    * has its maximal length.
-    */
    while (pos < len)
    {
-      /* Compute length of data, that can be send in next fragment */
-      if ((pos + (int)max_fragment_size) > len)
-      {
-         send_len = (int)len - pos;
-      }
-      else
-      {
-         send_len = (int)max_fragment_size;
-      }
+      int ret;
+      int send_len;
+
+      send_len = (int)len - pos;
 
       log_error(LOG_LEVEL_WRITING, "TLS on socket %d: %N",
          ssl_attr->mbedtls_attr.socket_fd.fd, send_len, buf+pos);
 
-      /*
-       * Sending one part of the buffer
-       */
-      while ((ret = mbedtls_ssl_write(ssl,
-         (const unsigned char *)(buf + pos),
-         (size_t)send_len)) < 0)
+      ret = mbedtls_ssl_write(ssl, (const unsigned char *)(buf + pos),
+         (size_t)send_len);
+      if (ret <= 0)
       {
-         if (ret != MBEDTLS_ERR_SSL_WANT_READ &&
-             ret != MBEDTLS_ERR_SSL_WANT_WRITE)
-         {
-            char err_buf[ERROR_BUF_SIZE];
+         char err_buf[ERROR_BUF_SIZE];
 
-            mbedtls_strerror(ret, err_buf, sizeof(err_buf));
-            log_error(LOG_LEVEL_ERROR,
-               "Sending data on socket %d over TLS/SSL failed: %s",
-               ssl_attr->mbedtls_attr.socket_fd.fd, err_buf);
-            return -1;
-         }
+         mbedtls_strerror(ret, err_buf, sizeof(err_buf));
+         log_error(LOG_LEVEL_ERROR,
+            "Sending %d bytes on socket %d over TLS/SSL failed with ret %d: %s",
+            send_len, ssl_attr->mbedtls_attr.socket_fd.fd, ret, err_buf);
+         return -1;
       }
-      /* Adding count of sent bytes to position in buffer */
-      pos = pos + send_len;
+
+      pos = pos + ret;
    }
 
    return (int)len;
@@ -372,7 +346,7 @@ extern int create_client_ssl_connection(struct client_state *csp)
    }
 
    ret = mbedtls_pk_parse_keyfile(&(ssl_attr->mbedtls_attr.prim_key),
-      key_file, NULL);
+      key_file, NULL, mbedtls_ctr_drbg_random, &ctr_drbg);
    if (ret != 0)
    {
       mbedtls_strerror(ret, err_buf, sizeof(err_buf));
@@ -1515,13 +1489,15 @@ static int generate_host_certificate(struct client_state *csp)
       /* Key was created in this function and is stored in buffer */
       ret = mbedtls_pk_parse_key(&loaded_subject_key, key_buf,
          (size_t)(subject_key_len + 1), (unsigned const char *)
-         cert_opt.subject_pwd, strlen(cert_opt.subject_pwd));
+         cert_opt.subject_pwd, strlen(cert_opt.subject_pwd),
+         mbedtls_ctr_drbg_random, &ctr_drbg);
    }
    else
    {
       /* Key wasn't created in this function, because it already existed */
       ret = mbedtls_pk_parse_keyfile(&loaded_subject_key,
-         cert_opt.subject_key, cert_opt.subject_pwd);
+         cert_opt.subject_key, cert_opt.subject_pwd,
+         mbedtls_ctr_drbg_random, &ctr_drbg);
    }
 
    if (ret != 0)
@@ -1534,7 +1510,7 @@ static int generate_host_certificate(struct client_state *csp)
    }
 
    ret = mbedtls_pk_parse_keyfile(&loaded_issuer_key, cert_opt.issuer_key,
-      cert_opt.issuer_pwd);
+      cert_opt.issuer_pwd, mbedtls_ctr_drbg_random, &ctr_drbg);
    if (ret != 0)
    {
       mbedtls_strerror(ret, err_buf, sizeof(err_buf));
@@ -1544,21 +1520,6 @@ static int generate_host_certificate(struct client_state *csp)
       goto exit;
    }
 
-   /*
-    * Check if key and issuer certificate match
-    */
-   if (!mbedtls_pk_can_do(&issuer_cert.pk, MBEDTLS_PK_RSA) ||
-      mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->N,
-         &mbedtls_pk_rsa(*issuer_key)->N) != 0 ||
-      mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->E,
-         &mbedtls_pk_rsa(*issuer_key)->E) != 0)
-   {
-      log_error(LOG_LEVEL_ERROR,
-         "Issuer key doesn't match issuer certificate");
-      ret = -1;
-      goto exit;
-   }
-
    mbedtls_x509write_crt_set_subject_key(&cert, subject_key);
    mbedtls_x509write_crt_set_issuer_key(&cert, issuer_key);
 
-- 
2.45.2