mbedtls: support old 2.2-era version from xenial

daaaanil81 · Mar 21, 2020 · 2a7a92f · 2a7a92f
1 parent 47ea968
commit 2a7a92f
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 1 deletion.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -2222,7 +2222,9 @@ if (LWS_WITH_MBEDTLS)
 	CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_own_cert LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
 	CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_authmode LWS_HAVE_mbedtls_ssl_set_hs_authmode)
 	CHECK_FUNCTION_EXISTS(mbedtls_net_init LWS_HAVE_mbedtls_net_init)
-
+	CHECK_FUNCTION_EXISTS(mbedtls_md_setup LWS_HAVE_mbedtls_md_setup) # not on xenial 2.2
+	CHECK_FUNCTION_EXISTS(mbedtls_rsa_complete LWS_HAVE_mbedtls_rsa_complete) # not on xenial 2.2
+	CHECK_FUNCTION_EXISTS(mbedtls_internal_aes_encrypt LWS_HAVE_mbedtls_internal_aes_encrypt) # not on xenial 2.2
 else()
 CHECK_FUNCTION_EXISTS(${VARIA}TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD)
 CHECK_FUNCTION_EXISTS(${VARIA}TLSv1_2_client_method LWS_HAVE_TLSV1_2_CLIENT_METHOD)

diff --git a/cmake/lws_config.h.in b/cmake/lws_config.h.in
@@ -46,7 +46,10 @@
 #cmakedefine LWS_HAVE_MALLOC_H
 #cmakedefine LWS_HAVE_MALLOC_TRIM
 #cmakedefine LWS_HAVE_MALLOC_USABLE_SIZE
+#cmakedefine LWS_HAVE_mbedtls_md_setup
 #cmakedefine LWS_HAVE_mbedtls_net_init
+#cmakedefine LWS_HAVE_mbedtls_rsa_complete
+#cmakedefine LWS_HAVE_mbedtls_internal_aes_encrypt
 #cmakedefine LWS_HAVE_mbedtls_ssl_conf_alpn_protocols
 #cmakedefine LWS_HAVE_mbedtls_ssl_get_alpn_protocol
 #cmakedefine LWS_HAVE_mbedtls_ssl_conf_sni

diff --git a/lib/tls/mbedtls/lws-genaes.c b/lib/tls/mbedtls/lws-genaes.c
@@ -161,6 +161,7 @@ lws_genaes_destroy(struct lws_genaes_ctx *ctx, unsigned char *tag, size_t tlen)
 	return 0;
 }
 
+#if defined(LWS_HAVE_mbedtls_internal_aes_encrypt)
 static int
 lws_genaes_rfc3394_wrap(int wrap, int cek_bits, const uint8_t *kek,
 			int kek_bits, const uint8_t *in, uint8_t *out)
@@ -271,6 +272,7 @@ lws_genaes_rfc3394_wrap(int wrap, int cek_bits, const uint8_t *kek,
 
 	return ret;
 }
+#endif
 
 int
 lws_genaes_crypt(struct lws_genaes_ctx *ctx, const uint8_t *in, size_t len,
@@ -282,13 +284,18 @@ lws_genaes_crypt(struct lws_genaes_ctx *ctx, const uint8_t *in, size_t len,
 
 	switch (ctx->mode) {
 	case LWS_GAESM_KW:
+#if defined(LWS_HAVE_mbedtls_internal_aes_encrypt)
 		/* a key of length ctx->k->len is wrapped by a 128-bit KEK */
 		n = lws_genaes_rfc3394_wrap(ctx->op == MBEDTLS_AES_ENCRYPT,
 				ctx->op == MBEDTLS_AES_ENCRYPT ? len * 8 :
 						(len - 8) * 8, ctx->k->buf,
 						ctx->k->len * 8,
 				in, out);
 		break;
+#else
+		lwsl_err("%s: your mbedtls is too old\n", __func__);
+		return -1;
+#endif
 	case LWS_GAESM_CBC:
 		memcpy(iv, iv_or_nonce_ctr_or_data_unit_16, 16);
 

diff --git a/lib/tls/mbedtls/lws-genhash.c b/lib/tls/mbedtls/lws-genhash.c
@@ -148,8 +148,13 @@ lws_genhmac_init(struct lws_genhmac_ctx *ctx, enum lws_genhmac_types type,
 	if (!ctx->hmac)
 		return -1;
 
+#if !defined(LWS_HAVE_mbedtls_md_setup)
 	if (mbedtls_md_init_ctx(&ctx->ctx, ctx->hmac))
 		return -1;
+#else
+	if (mbedtls_md_setup(&ctx->ctx, ctx->hmac, 1))
+		return -1;
+#endif
 
 	if (mbedtls_md_hmac_starts(&ctx->ctx, key, key_len)) {
 		mbedtls_md_free(&ctx->ctx);

diff --git a/lib/tls/mbedtls/lws-genrsa.c b/lib/tls/mbedtls/lws-genrsa.c
@@ -85,8 +85,13 @@ lws_genrsa_create(struct lws_genrsa_ctx *ctx, struct lws_gencrypto_keyelem *el,
 		if ( el[LWS_GENCRYPTO_RSA_KEYEL_D].len &&
 		    !el[LWS_GENCRYPTO_RSA_KEYEL_P].len &&
 		    !el[LWS_GENCRYPTO_RSA_KEYEL_Q].len) {
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 			if (mbedtls_rsa_complete(ctx->ctx)) {
 				lwsl_notice("mbedtls_rsa_complete failed\n");
+#else
+			{
+				lwsl_notice("%s: you have to provide P and Q\n", __func__);
+#endif
 				lws_free_set_NULL(ctx->ctx);
 
 				return -1;
@@ -176,7 +181,9 @@ lws_genrsa_public_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 
 	ctx->ctx->len = in_len;
 
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 	mbedtls_rsa_complete(ctx->ctx);
+#endif
 
 	switch(ctx->mode) {
 	case LGRSAM_PKCS1_1_5:
@@ -214,7 +221,9 @@ lws_genrsa_private_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 
 	ctx->ctx->len = in_len;
 
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 	mbedtls_rsa_complete(ctx->ctx);
+#endif
 
 	switch(ctx->mode) {
 	case LGRSAM_PKCS1_1_5:
@@ -249,7 +258,9 @@ lws_genrsa_public_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 {
 	int n;
 
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 	mbedtls_rsa_complete(ctx->ctx);
+#endif
 
 	switch(ctx->mode) {
 	case LGRSAM_PKCS1_1_5:
@@ -284,7 +295,9 @@ lws_genrsa_private_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 {
 	int n;
 
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 	mbedtls_rsa_complete(ctx->ctx);
+#endif
 
 	switch(ctx->mode) {
 	case LGRSAM_PKCS1_1_5:
@@ -323,7 +336,9 @@ lws_genrsa_hash_sig_verify(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 	if (h < 0)
 		return -1;
 
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 	mbedtls_rsa_complete(ctx->ctx);
+#endif
 
 	switch(ctx->mode) {
 	case LGRSAM_PKCS1_1_5:
@@ -358,7 +373,9 @@ lws_genrsa_hash_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 	if (h < 0)
 		return -1;
 
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 	mbedtls_rsa_complete(ctx->ctx);
+#endif
 
 	/*
 	 * The "sig" buffer must be as large as the size of ctx->N