author | Glenn Strauss <gstrauss@gluelogic.com> | 2022-01-19 08:58:18 -0500 |
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2022-01-19 09:03:09 -0500 |
commit | 274f8ce0bcbf52d8aa4c346cfe8a4825de924f12 (patch) | |
tree | 79adfba207b639f08a17f267d72268a28885ca55 | |
parent | 4f488255424825ec2e9e028550e5b0f0568e51ed (diff) | |
[mod_mbedtls] mbedtls_ssl_conf_groups for 3.1.0
use mbedtls_ssl_conf_groups() for mbedtls 3.1.0
(replaces deprecated mbedtls_ssl_conf_curves())
-rw-r--r-- | src/mod_mbedtls.c | 66 |
1 files changed, 62 insertions, 4 deletions
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 46af2eba..895d0195 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -114,13 +114,13 @@ typedef struct {
 typedef struct {
     mbedtls_ssl_config *ssl_ctx; /* context shared between mbedtls_ssl_CONTEXT structures */
     int *ciphersuites;
-    mbedtls_ecp_group_id *curves;
+    void *curves;
 } plugin_ssl_ctx;
 typedef struct {
     mbedtls_ssl_config *ssl_ctx; /* output from network_init_ssl() */
     int *ciphersuites; /* output from network_init_ssl() */
-    mbedtls_ecp_group_id *curves; /* output from network_init_ssl() */
+    void *curves; /* output from network_init_ssl() */
     /*(used only during startup; not patched)*/
     unsigned char ssl_enabled; /* only interesting for setting up listening sockets. don't use at runtime */
@@ -3939,6 +3939,7 @@ mod_mbedtls_ssl_conf_ciphersuites (server *srv, plugin_config_socket *s, buffer
 }
+#if MBEDTLS_VERSION_NUMBER < 0x03010000 /* mbedtls 3.01.0 */
 static int
 mod_mbedtls_ssl_append_curve (server *srv, mbedtls_ecp_group_id *ids, int nids, int idsz, const mbedtls_ecp_group_id id)
 {
@@ -3947,9 +3948,7 @@ mod_mbedtls_ssl_append_curve (server *srv, mbedtls_ecp_group_id *ids, int nids,
                   "MTLS: error: too many curves during list expand");
         return -1;
     }
-
     ids[++nids] = id;
-
     return nids;
 }
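Review bot: Changing `curves` from `mbedtls_ecp_group_id *` to `void *` in both structs removes the only type check between what network_init_ssl() stores in the member and what the consumer later hands to mbedtls, so a `mbedtls_ecp_group_id` list passed to `mbedtls_ssl_conf_groups()` (which takes `const uint16_t *`), or the reverse, would no longer be flagged by the compiler. A version-selected typedef keeps the member typed: define `mod_mbedtls_group_id` as `mbedtls_ecp_group_id` under `MBEDTLS_VERSION_NUMBER < 0x03010000` and as `uint16_t` otherwise, then declare the member as `mod_mbedtls_group_id *curves;` in both structs and use the same typedef in the two `mod_mbedtls_ssl_append_curve` signatures. The second `typedef struct` continues past the end of this hunk.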
@@ -3998,6 +3997,65 @@ mod_mbedtls_ssl_conf_curves(server *srv, plugin_config_socket *s, const buffer *
     mbedtls_ssl_conf_curves(s->ssl_ctx, s->curves);
     return 1;
 }
+#else
+static int
+mod_mbedtls_ssl_append_curve (server *srv, uint16_t *ids, int nids, int idsz, const uint16_t id)
+{
+    if (1 >= idsz - (nids + 1)) {
+        log_error(srv->errh, __FILE__, __LINE__,
+                  "MTLS: error: too many curves during list expand");
+        return -1;
+    }
+    ids[++nids] = id;
+    return nids;
+}
+
+
+static int
+mod_mbedtls_ssl_conf_curves(server *srv, plugin_config_socket *s, const buffer *curvelist)
+{
+    uint16_t ids[512];
+    int nids = -1;
+    const int idsz = (int)(sizeof(ids)/sizeof(*ids)-1);
+    const mbedtls_ecp_curve_info * const curve_info = mbedtls_ecp_curve_list();
+
+    const buffer * const b = curvelist;
+    for (const char *e = b->ptr-1; e; ) {
+        const char * const n = e+1;
+        e = strchr(n, ':');
+        size_t len = e ? (size_t)(e - n) : strlen(n);
+        /* similar to mbedtls_ecp_curve_info_from_name() */
+        const mbedtls_ecp_curve_info *info;
+        for (info = curve_info; info->tls_id != 0; ++info) {
+            if (0 == strncmp(info->name, n, len) && info->name[len] == '\0')
+                break;
+        }
+        if (info->tls_id == 0) {
+            log_error(srv->errh, __FILE__, __LINE__,
+                      "MTLS: unrecognized curve: %.*s; ignored", (int)len, n);
+            continue;
+        }
+
+        nids = mod_mbedtls_ssl_append_curve(srv, ids, nids, idsz, info->tls_id);
+        if (-1 == nids) return 0;
+    }
+
+    /* XXX: mod_openssl configures "prime256v1" if curve list not specified,
+     * but mbedtls provides a list of supported curves if not explicitly set */
+    if (-1 == nids) return 1; /* empty list; no-op */
+
+    ids[++nids] = 0; /* terminate list */
+    ++nids;
+
+    /* curves list must be persistent for lifetime of mbedtls_ssl_config */
+    s->curves = malloc(nids * sizeof(uint16_t));
+    force_assert(s->curves);
+    memcpy(s->curves, ids, nids * sizeof(uint16_t));
+
+    mbedtls_ssl_conf_groups(s->ssl_ctx, s->curves);
+    return 1;
+}
+#endif /* MBEDTLS_VERSION_NUMBER >= 0x03010000 */ /* mbedtls 3.01.0 */
 static void
|
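Review bot: A curve name that mbedtls does not recognise is only logged and skipped (the `continue;` after the "unrecognized curve" log_error), so a configured list made entirely of unrecognised or misspelled names falls through to `if (-1 == nids) return 1; /* empty list; no-op */` and silently leaves the mbedtls default group list in force — the operator asked to restrict the groups and got no restriction, with nothing but a log line to show for it. Unless tolerating names unsupported by a given mbedtls build is deliberate (the "ignored" wording suggests it may be), I would refuse to start instead, consistent with the `return 0` already used for list overflow: `"MTLS: unrecognized curve: %.*s", (int)len, n);` followed by `return 0;`; at minimum, return 0 when the list was non-empty but nothing was recognised. Separately, `for (const char *e = b->ptr-1; e; )` computes a pointer one element before the start of the buffer, which is undefined behaviour in C even though it is only used as a loop seed; iterating from `b->ptr` and advancing to `e+1` only while `e` is non-NULL avoids it (presumably this mirrors the pre-3.1.0 branch, whose body lies outside the hunk). The trailing `static void` context line starts a function that continues beyond this hunk.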