diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1daf7b843..11b0d5857 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2222,7 +2222,9 @@ if (LWS_WITH_MBEDTLS)
 CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_own_cert LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
 CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_authmode LWS_HAVE_mbedtls_ssl_set_hs_authmode)
 CHECK_FUNCTION_EXISTS(mbedtls_net_init LWS_HAVE_mbedtls_net_init)
-
+ CHECK_FUNCTION_EXISTS(mbedtls_md_setup LWS_HAVE_mbedtls_md_setup) # not on xenial 2.2
+ CHECK_FUNCTION_EXISTS(mbedtls_rsa_complete LWS_HAVE_mbedtls_rsa_complete) # not on xenial 2.2
+ CHECK_FUNCTION_EXISTS(mbedtls_internal_aes_encrypt LWS_HAVE_mbedtls_internal_aes_encrypt) # not on xenial 2.2
 else()
 CHECK_FUNCTION_EXISTS(${VARIA}TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD)
 CHECK_FUNCTION_EXISTS(${VARIA}TLSv1_2_client_method LWS_HAVE_TLSV1_2_CLIENT_METHOD)
diff --git a/cmake/lws_config.h.in b/cmake/lws_config.h.in
index ecfd8f4d2..1af2f0235 100644
--- a/cmake/lws_config.h.in
+++ b/cmake/lws_config.h.in
@@ -46,7 +46,10 @@
 #cmakedefine LWS_HAVE_MALLOC_H
 #cmakedefine LWS_HAVE_MALLOC_TRIM
 #cmakedefine LWS_HAVE_MALLOC_USABLE_SIZE
+#cmakedefine LWS_HAVE_mbedtls_md_setup
 #cmakedefine LWS_HAVE_mbedtls_net_init
+#cmakedefine LWS_HAVE_mbedtls_rsa_complete
+#cmakedefine LWS_HAVE_mbedtls_internal_aes_encrypt
 #cmakedefine LWS_HAVE_mbedtls_ssl_conf_alpn_protocols
 #cmakedefine LWS_HAVE_mbedtls_ssl_get_alpn_protocol
 #cmakedefine LWS_HAVE_mbedtls_ssl_conf_sni
diff --git a/lib/tls/mbedtls/lws-genaes.c b/lib/tls/mbedtls/lws-genaes.c
index d7766062e..a74a1696b 100644
--- a/lib/tls/mbedtls/lws-genaes.c
+++ b/lib/tls/mbedtls/lws-genaes.c
@@ -161,6 +161,7 @@ lws_genaes_destroy(struct lws_genaes_ctx *ctx, unsigned char *tag, size_t tlen)
 return 0;
 }
+#if defined(LWS_HAVE_mbedtls_internal_aes_encrypt)
 static int
 lws_genaes_rfc3394_wrap(int wrap, int cek_bits, const uint8_t *kek,
 int kek_bits, const uint8_t *in, uint8_t *out)
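Review bot: The three probes added to the `LWS_WITH_MBEDTLS` branch let configuration succeed silently against an mbedtls that lacks `mbedtls_rsa_complete` or `mbedtls_internal_aes_encrypt`. The later hunks of this commit turn those gaps into runtime failures: AES key wrap returns -1, and an RSA key given with D but without P and Q is rejected. Nothing at configure time tells the person building the library that these features were dropped. A status line after the probes would make the reduced feature set visible, for example `message(STATUS "mbedtls lacks mbedtls_internal_aes_encrypt: AES key wrap disabled")` guarded by `if (NOT LWS_HAVE_mbedtls_internal_aes_encrypt)`.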
@@ -271,6 +272,7 @@ bail:
 return ret;
 }
+#endif
 int
 lws_genaes_crypt(struct lws_genaes_ctx *ctx, const uint8_t *in, size_t len,
@@ -282,6 +284,7 @@ lws_genaes_crypt(struct lws_genaes_ctx *ctx, const uint8_t *in, size_t len,
 switch (ctx->mode) {
 case LWS_GAESM_KW:
+#if defined(LWS_HAVE_mbedtls_internal_aes_encrypt)
 /* a key of length ctx->k->len is wrapped by a 128-bit KEK */
 n = lws_genaes_rfc3394_wrap(ctx->op == MBEDTLS_AES_ENCRYPT,
 ctx->op == MBEDTLS_AES_ENCRYPT ? len * 8 :
@@ -289,6 +292,10 @@ lws_genaes_crypt(struct lws_genaes_ctx *ctx, const uint8_t *in, size_t len,
 ctx->k->len * 8, in, out);
 break;
+#else
+ lwsl_err("%s: your mbedtls is too old\n", __func__);
+ return -1;
+#endif
 case LWS_GAESM_CBC:
 memcpy(iv, iv_or_nonce_ctr_or_data_unit_16, 16);
diff --git a/lib/tls/mbedtls/lws-genhash.c b/lib/tls/mbedtls/lws-genhash.c
index 396f8b131..a32d2152d 100644
--- a/lib/tls/mbedtls/lws-genhash.c
+++ b/lib/tls/mbedtls/lws-genhash.c
@@ -148,8 +148,13 @@ lws_genhmac_init(struct lws_genhmac_ctx *ctx, enum lws_genhmac_types type,
 if (!ctx->hmac)
 return -1;
+#if !defined(LWS_HAVE_mbedtls_md_setup)
 if (mbedtls_md_init_ctx(&ctx->ctx, ctx->hmac))
 return -1;
+#else
+ if (mbedtls_md_setup(&ctx->ctx, ctx->hmac, 1))
+ return -1;
+#endif
 if (mbedtls_md_hmac_starts(&ctx->ctx, key, key_len)) {
 mbedtls_md_free(&ctx->ctx);
diff --git a/lib/tls/mbedtls/lws-genrsa.c b/lib/tls/mbedtls/lws-genrsa.c
index 5b3b234a2..5269d1266 100644
--- a/lib/tls/mbedtls/lws-genrsa.c
+++ b/lib/tls/mbedtls/lws-genrsa.c
@@ -85,8 +85,13 @@ lws_genrsa_create(struct lws_genrsa_ctx *ctx, struct lws_gencrypto_keyelem *el,
 if ( el[LWS_GENCRYPTO_RSA_KEYEL_D].len &&
 !el[LWS_GENCRYPTO_RSA_KEYEL_P].len &&
 !el[LWS_GENCRYPTO_RSA_KEYEL_Q].len) {
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 if (mbedtls_rsa_complete(ctx->ctx)) {
 lwsl_notice("mbedtls_rsa_complete failed\n");
+#else
+ {
+ lwsl_notice("%s: you have to provide P and Q\n", __func__);
+#endif
 lws_free_set_NULL(ctx->ctx);
 return -1;
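Review bot: With the `#else` arm under `case LWS_GAESM_KW:`, an unsupported key-wrap mode is only rejected when `lws_genaes_crypt()` runs. By then a context for that mode has presumably already been created successfully; the create path is outside this hunk, so that is an assumption to confirm. Rejecting `LWS_GAESM_KW` at creation would let callers detect the missing capability before they commit key material to it. If the check stays here, the log line could name what is missing, e.g. `lwsl_err("%s: AES-KW needs mbedtls_internal_aes_encrypt\n", __func__);`, since "too old" gives an operator nothing to act on. The body of `lws_genaes_crypt()` continues outside the hunk.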
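Review bot: The literal `1` passed to `mbedtls_md_setup()` in `lws_genhmac_init()` is the hmac flag that makes the call allocate HMAC state, and nothing at the call site says so. A short comment such as `/* 1: also allocate the HMAC context */` would cover it. The guard is also written `#if !defined(LWS_HAVE_mbedtls_md_setup)` with the deprecated `mbedtls_md_init_ctx()` arm first, whereas every other guard in this commit tests `#if defined(...)`. Putting the `mbedtls_md_setup()` arm first would match them and make the fallback read as the exception.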
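Review bot: In `lws_genrsa_create()` the two preprocessor arms each open a block, `if (mbedtls_rsa_complete(ctx->ctx)) {` in one and a bare `{` in the other. Both rely on a single closing brace after `#endif` that lies outside this hunk, which is easy to unbalance in a later edit and confuses editors and static analysers. Keeping one `{` after `#endif` and putting only the condition and the message inside the guards would avoid that. The `#else` message also reports a hard failure caused by the build but is logged with `lwsl_notice`, while the AES key-wrap fallback in this commit uses `lwsl_err`. For consistency this could be `lwsl_err("%s: you have to provide P and Q\n", __func__);`.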
@@ -176,7 +181,9 @@ lws_genrsa_public_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 ctx->ctx->len = in_len;
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 mbedtls_rsa_complete(ctx->ctx);
+#endif
 switch(ctx->mode) {
 case LGRSAM_PKCS1_1_5:
@@ -214,7 +221,9 @@ lws_genrsa_private_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 ctx->ctx->len = in_len;
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 mbedtls_rsa_complete(ctx->ctx);
+#endif
 switch(ctx->mode) {
 case LGRSAM_PKCS1_1_5:
@@ -249,7 +258,9 @@ lws_genrsa_public_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 {
 int n;
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 mbedtls_rsa_complete(ctx->ctx);
+#endif
 switch(ctx->mode) {
 case LGRSAM_PKCS1_1_5:
@@ -284,7 +295,9 @@ lws_genrsa_private_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 {
 int n;
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 mbedtls_rsa_complete(ctx->ctx);
+#endif
 switch(ctx->mode) {
 case LGRSAM_PKCS1_1_5:
@@ -323,7 +336,9 @@ lws_genrsa_hash_sig_verify(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 if (h < 0)
 return -1;
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 mbedtls_rsa_complete(ctx->ctx);
+#endif
 switch(ctx->mode) {
 case LGRSAM_PKCS1_1_5:
@@ -358,7 +373,9 @@ lws_genrsa_hash_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 if (h < 0)
 return -1;
+#if defined(LWS_HAVE_mbedtls_rsa_complete)
 mbedtls_rsa_complete(ctx->ctx);
+#endif
 /*
 * The "sig" buffer must be as large as the size of ctx->N
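Review bot: The guarded `mbedtls_rsa_complete(ctx->ctx);` call discards its return value in all six hunks of this file section (public/private decrypt, public/private encrypt, `lws_genrsa_hash_sig_verify`, `lws_genrsa_hash_sign`). When `LWS_HAVE_mbedtls_rsa_complete` is undefined the call disappears entirely, so each operation proceeds on whatever state the context happens to be in. `lws_genrsa_create()` in the same file treats a nonzero result as fatal; the equivalent here would be `if (mbedtls_rsa_complete(ctx->ctx)) return -1;`. For the old-library build it is worth confirming that key import fills in every field the private-key operations need, since that code is outside these hunks. Each of these functions starts and ends outside its hunk.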