From 49af3742c6c7ccf1bf5746869c460002cc6f85f4 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Tue, 22 Feb 2022 17:35:02 +0000 Subject: [PATCH] mbedtls: v3.1 reverts privacy of mbedtls_net_context fd mbedtls seemed to realize that they went overboard with the privacy stuff on v3.0 and removed some of it. Introduce support for those members that are only private on exactly v3.0 and unprotected before and after. --- include/libwebsockets.h | 7 ++ lib/plat/unix/unix-sockets.c | 4 +- lib/tls/mbedtls/mbedtls-extensions.c | 82 ++++++++++----------- lib/tls/mbedtls/mbedtls-x509.c | 88 +++++++++++------------ lib/tls/mbedtls/wrapper/platform/ssl_pm.c | 5 +- 5 files changed, 96 insertions(+), 90 deletions(-) diff --git a/include/libwebsockets.h b/include/libwebsockets.h index 4409ee278..8fb98c344 100644 --- a/include/libwebsockets.h +++ b/include/libwebsockets.h @@ -291,11 +291,18 @@ typedef int suseconds_t; #include #include #include +#include #if !defined(MBEDTLS_PRIVATE) #define MBEDTLS_PRIVATE(_q) _q #endif +#if (MBEDTLS_VERSION_MAJOR == 3) && (MBEDTLS_VERSION_MINOR == 0) +#define MBEDTLS_PRIVATE_V30_ONLY(_q) MBEDTLS_PRIVATE(_q) +#else +#define MBEDTLS_PRIVATE_V30_ONLY(_q) _q +#endif + #endif #else #include diff --git a/lib/plat/unix/unix-sockets.c b/lib/plat/unix/unix-sockets.c index 07df994cc..0f5bf4b93 100644 --- a/lib/plat/unix/unix-sockets.c +++ b/lib/plat/unix/unix-sockets.c @@ -589,7 +589,7 @@ lws_plat_vhost_tls_client_ctx_init(struct lws_vhost *vhost) int lws_plat_mbedtls_net_send(void *ctx, const uint8_t *buf, size_t len) { - int fd = ((mbedtls_net_context *) ctx)->MBEDTLS_PRIVATE(fd); + int fd = ((mbedtls_net_context *) ctx)->MBEDTLS_PRIVATE_V30_ONLY(fd); int ret; if (fd < 0) @@ -614,7 +614,7 @@ lws_plat_mbedtls_net_send(void *ctx, const uint8_t *buf, size_t len) int lws_plat_mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len) { - int fd = ((mbedtls_net_context *) ctx)->MBEDTLS_PRIVATE(fd); + int fd = ((mbedtls_net_context *) ctx)->MBEDTLS_PRIVATE_V30_ONLY(fd); int ret; if (fd < 0) diff --git a/lib/tls/mbedtls/mbedtls-extensions.c b/lib/tls/mbedtls/mbedtls-extensions.c index dc406e826..bf275eefe 100644 --- a/lib/tls/mbedtls/mbedtls-extensions.c +++ b/lib/tls/mbedtls/mbedtls-extensions.c @@ -1,7 +1,7 @@ /* * libwebsockets - small server side websockets and web server implementation * - * Copyright (C) 2010 - 2021 Andy Green + * Copyright (C) 2010 - 2022 Andy Green * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to @@ -104,8 +104,8 @@ static const oid_x509_ext_t oid_x509_ext[] = { (const mbedtls_oid_descriptor_t *) p; \ if( p == NULL || oid == NULL ) return( NULL ); \ while( cur->MBEDTLS_PRIVATE(asn1) != NULL ) { \ - if( cur->MBEDTLS_PRIVATE(asn1_len) == oid->MBEDTLS_PRIVATE(len) && \ - memcmp( cur->MBEDTLS_PRIVATE(asn1), oid->MBEDTLS_PRIVATE(p), oid->MBEDTLS_PRIVATE(len) ) == 0 ) { \ + if( cur->MBEDTLS_PRIVATE(asn1_len) == oid->MBEDTLS_PRIVATE_V30_ONLY(len) && \ + memcmp( cur->MBEDTLS_PRIVATE(asn1), oid->MBEDTLS_PRIVATE_V30_ONLY(p), oid->MBEDTLS_PRIVATE_V30_ONLY(len) ) == 0 ) { \ return( p ); \ } \ p++; \ @@ -177,10 +177,10 @@ x509_get_skid(uint8_t **p, const uint8_t *end, mbedtls_x509_buf *skid) if (ret) return ret; - skid->MBEDTLS_PRIVATE(len) = len; - skid->MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OCTET_STRING; - skid->MBEDTLS_PRIVATE(p) = *p; - *p += len; + skid->MBEDTLS_PRIVATE_V30_ONLY(len) = len; + skid->MBEDTLS_PRIVATE_V30_ONLY(tag) = MBEDTLS_ASN1_OCTET_STRING; + skid->MBEDTLS_PRIVATE_V30_ONLY(p) = *p; + *p += len; return *p != end; } @@ -204,10 +204,10 @@ lws_x509_clean_name(mbedtls_x509_name *name) if (!name) return; - n1 = name->MBEDTLS_PRIVATE(next); + n1 = name->MBEDTLS_PRIVATE_V30_ONLY(next); while (n1) { - name = n1->MBEDTLS_PRIVATE(next); + name = n1->MBEDTLS_PRIVATE_V30_ONLY(next); free(n1); n1 = name; } @@ -222,7 +222,7 @@ lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf *name_buf, mbedtls_x509_name rfc822Name; int ret; - switch (name_buf->MBEDTLS_PRIVATE(tag) & + switch (name_buf->MBEDTLS_PRIVATE_V30_ONLY(tag) & (LWS_MBEDTLS_ASN1_TAG_CLASS_MASK | LWS_MBEDTLS_ASN1_TAG_VALUE_MASK)) { @@ -239,17 +239,17 @@ lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf *name_buf, #endif case MBEDTLS_ASN1_SEQUENCE | LWS_MBEDTLS_X509_SAN_RFC822_NAME: - bufferPointer = name_buf->MBEDTLS_PRIVATE(p); + bufferPointer = name_buf->MBEDTLS_PRIVATE_V30_ONLY(p); p = &bufferPointer; - end = name_buf->MBEDTLS_PRIVATE(p) + - name_buf->MBEDTLS_PRIVATE(len); + end = name_buf->MBEDTLS_PRIVATE_V30_ONLY(p) + + name_buf->MBEDTLS_PRIVATE_V30_ONLY(len); /* The leading ASN1 tag and length has been processed. * Stepping back with 2 bytes, because mbedtls_x509_get_name * expects the beginning of the SET tag */ *p = *p - 2; - rfc822Name.MBEDTLS_PRIVATE(next) = NULL; + rfc822Name.MBEDTLS_PRIVATE_V30_ONLY(next) = NULL; ret = mbedtls_x509_get_name( p, end, &rfc822Name ); if (ret) { lws_x509_clean_name(&rfc822Name); @@ -318,51 +318,51 @@ lws_x509_get_general_names(uint8_t **p, const uint8_t *end, * Check that the name is structured correctly. */ r = lws_mbedtls_x509_parse_general_name( - &cur->MBEDTLS_PRIVATE(buf), &dnb); + &cur->MBEDTLS_PRIVATE_V30_ONLY(buf), &dnb); /* * In case the extension is malformed, return an error, * and clear the allocated sequences. */ if (r && r != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) { - mbedtls_x509_sequence *seq_cur = name->MBEDTLS_PRIVATE(next); + mbedtls_x509_sequence *seq_cur = name->MBEDTLS_PRIVATE_V30_ONLY(next); mbedtls_x509_sequence *seq_prv; while( seq_cur != NULL ) { seq_prv = seq_cur; - seq_cur = seq_cur->MBEDTLS_PRIVATE(next); + seq_cur = seq_cur->MBEDTLS_PRIVATE_V30_ONLY(next); lws_explicit_bzero(seq_prv, sizeof(*seq_cur)); lws_free(seq_prv); } - name->MBEDTLS_PRIVATE(next) = NULL; + name->MBEDTLS_PRIVATE_V30_ONLY(next) = NULL; return r; } /* Allocate and assign next pointer */ - if (cur->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(p)) { - if (cur->MBEDTLS_PRIVATE(next)) + if (cur->MBEDTLS_PRIVATE_V30_ONLY(buf).MBEDTLS_PRIVATE_V30_ONLY(p)) { + if (cur->MBEDTLS_PRIVATE_V30_ONLY(next)) return 1; - cur->MBEDTLS_PRIVATE(next) = + cur->MBEDTLS_PRIVATE_V30_ONLY(next) = lws_zalloc(sizeof(*cur), __func__); - if (!cur->MBEDTLS_PRIVATE(next)) + if (!cur->MBEDTLS_PRIVATE_V30_ONLY(next)) return 1; - cur = cur->MBEDTLS_PRIVATE(next); + cur = cur->MBEDTLS_PRIVATE_V30_ONLY(next); } - buf = &(cur->MBEDTLS_PRIVATE(buf)); - buf->MBEDTLS_PRIVATE(tag) = tag; - buf->MBEDTLS_PRIVATE(p) = *p; - buf->MBEDTLS_PRIVATE(len) = tag_len; + buf = &(cur->MBEDTLS_PRIVATE_V30_ONLY(buf)); + buf->MBEDTLS_PRIVATE_V30_ONLY(tag) = tag; + buf->MBEDTLS_PRIVATE_V30_ONLY(p) = *p; + buf->MBEDTLS_PRIVATE_V30_ONLY(len) = tag_len; - *p += buf->MBEDTLS_PRIVATE(len); + *p += buf->MBEDTLS_PRIVATE_V30_ONLY(len); } /* Set final sequence entry's next pointer to NULL */ - cur->MBEDTLS_PRIVATE(next) = NULL; + cur->MBEDTLS_PRIVATE_V30_ONLY(next) = NULL; return *p != end; } @@ -380,9 +380,9 @@ x509_get_akid(uint8_t **p, uint8_t *end, lws_mbedtls_x509_authority *akid) r = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC); if (!r) { - akid->keyIdentifier.MBEDTLS_PRIVATE(len) = len; - akid->keyIdentifier.MBEDTLS_PRIVATE(p) = *p; - akid->keyIdentifier.MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OCTET_STRING; + akid->keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(len) = len; + akid->keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(p) = *p; + akid->keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(tag) = MBEDTLS_ASN1_OCTET_STRING; *p += len; } @@ -416,9 +416,9 @@ x509_get_akid(uint8_t **p, uint8_t *end, lws_mbedtls_x509_authority *akid) if (r) return r; - akid->authorityCertSerialNumber.MBEDTLS_PRIVATE(len) = len; - akid->authorityCertSerialNumber.MBEDTLS_PRIVATE(p) = *p; - akid->authorityCertSerialNumber.MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OCTET_STRING; + akid->authorityCertSerialNumber.MBEDTLS_PRIVATE_V30_ONLY(len) = len; + akid->authorityCertSerialNumber.MBEDTLS_PRIVATE_V30_ONLY(p) = *p; + akid->authorityCertSerialNumber.MBEDTLS_PRIVATE_V30_ONLY(tag) = MBEDTLS_ASN1_OCTET_STRING; *p += len; } @@ -434,9 +434,9 @@ int lws_x509_get_crt_ext(mbedtls_x509_crt *crt, mbedtls_x509_buf *skid, lws_mbedtls_x509_authority *akid) { - uint8_t *p = crt->MBEDTLS_PRIVATE(v3_ext).MBEDTLS_PRIVATE(p), + uint8_t *p = crt->MBEDTLS_PRIVATE_V30_ONLY(v3_ext).MBEDTLS_PRIVATE_V30_ONLY(p), *end_ext_data, *end_ext_octet; - const uint8_t *end = p + crt->MBEDTLS_PRIVATE(v3_ext).MBEDTLS_PRIVATE(len); + const uint8_t *end = p + crt->MBEDTLS_PRIVATE_V30_ONLY(v3_ext).MBEDTLS_PRIVATE_V30_ONLY(len); size_t len; int r = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); @@ -457,14 +457,14 @@ lws_x509_get_crt_ext(mbedtls_x509_crt *crt, mbedtls_x509_buf *skid, end_ext_data = p + len; /* Get extension ID */ - r = mbedtls_asn1_get_tag(&p, end_ext_data, &extn_oid.MBEDTLS_PRIVATE(len), + r = mbedtls_asn1_get_tag(&p, end_ext_data, &extn_oid.MBEDTLS_PRIVATE_V30_ONLY(len), MBEDTLS_ASN1_OID); if (r) return r; - extn_oid.MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OID; - extn_oid.MBEDTLS_PRIVATE(p) = p; - p += extn_oid.MBEDTLS_PRIVATE(len); + extn_oid.MBEDTLS_PRIVATE_V30_ONLY(tag) = MBEDTLS_ASN1_OID; + extn_oid.MBEDTLS_PRIVATE_V30_ONLY(p) = p; + p += extn_oid.MBEDTLS_PRIVATE_V30_ONLY(len); /* Get optional critical */ r = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical); diff --git a/lib/tls/mbedtls/mbedtls-x509.c b/lib/tls/mbedtls/mbedtls-x509.c index 2dad865d6..8b0ccd3f1 100644 --- a/lib/tls/mbedtls/mbedtls-x509.c +++ b/lib/tls/mbedtls/mbedtls-x509.c @@ -49,17 +49,17 @@ lws_tls_mbedtls_time_to_unix(mbedtls_x509_time *xtime) { struct tm t; - if (!xtime || !xtime->MBEDTLS_PRIVATE(year) || xtime->MBEDTLS_PRIVATE(year) < 0) + if (!xtime || !xtime->MBEDTLS_PRIVATE_V30_ONLY(year) || xtime->MBEDTLS_PRIVATE_V30_ONLY(year) < 0) return (time_t)(long long)-1; memset(&t, 0, sizeof(t)); - t.tm_year = xtime->MBEDTLS_PRIVATE(year) - 1900; - t.tm_mon = xtime->MBEDTLS_PRIVATE(mon) - 1; /* mbedtls months are 1+, tm are 0+ */ - t.tm_mday = xtime->MBEDTLS_PRIVATE(day) - 1; /* mbedtls days are 1+, tm are 0+ */ - t.tm_hour = xtime->MBEDTLS_PRIVATE(hour); - t.tm_min = xtime->MBEDTLS_PRIVATE(min); - t.tm_sec = xtime->MBEDTLS_PRIVATE(sec); + t.tm_year = xtime->MBEDTLS_PRIVATE_V30_ONLY(year) - 1900; + t.tm_mon = xtime->MBEDTLS_PRIVATE_V30_ONLY(mon) - 1; /* mbedtls months are 1+, tm are 0+ */ + t.tm_mday = xtime->MBEDTLS_PRIVATE_V30_ONLY(day) - 1; /* mbedtls days are 1+, tm are 0+ */ + t.tm_hour = xtime->MBEDTLS_PRIVATE_V30_ONLY(hour); + t.tm_min = xtime->MBEDTLS_PRIVATE_V30_ONLY(min); + t.tm_sec = xtime->MBEDTLS_PRIVATE_V30_ONLY(sec); t.tm_isdst = -1; return mktime(&t); @@ -81,13 +81,13 @@ lws_tls_mbedtls_get_x509_name(mbedtls_x509_name *name, } */ lws_strnncpy(&buf->ns.name[buf->ns.len], - (const char *)name->MBEDTLS_PRIVATE(val).MBEDTLS_PRIVATE(p), - name->MBEDTLS_PRIVATE(val).MBEDTLS_PRIVATE(len), + (const char *)name->MBEDTLS_PRIVATE_V30_ONLY(val).MBEDTLS_PRIVATE_V30_ONLY(p), + name->MBEDTLS_PRIVATE_V30_ONLY(val).MBEDTLS_PRIVATE_V30_ONLY(len), len - (size_t)buf->ns.len); buf->ns.len = (int)strlen(buf->ns.name); r = 0; - name = name->MBEDTLS_PRIVATE(next); + name = name->MBEDTLS_PRIVATE_V30_ONLY(next); } return r; @@ -109,22 +109,22 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, switch (type) { case LWS_TLS_CERT_INFO_VALIDITY_FROM: - buf->time = lws_tls_mbedtls_time_to_unix(&x509->MBEDTLS_PRIVATE(valid_from)); + buf->time = lws_tls_mbedtls_time_to_unix(&x509->MBEDTLS_PRIVATE_V30_ONLY(valid_from)); if (buf->time == (time_t)(long long)-1) return -1; break; case LWS_TLS_CERT_INFO_VALIDITY_TO: - buf->time = lws_tls_mbedtls_time_to_unix(&x509->MBEDTLS_PRIVATE(valid_to)); + buf->time = lws_tls_mbedtls_time_to_unix(&x509->MBEDTLS_PRIVATE_V30_ONLY(valid_to)); if (buf->time == (time_t)(long long)-1) return -1; break; case LWS_TLS_CERT_INFO_COMMON_NAME: - return lws_tls_mbedtls_get_x509_name(&x509->MBEDTLS_PRIVATE(subject), buf, len); + return lws_tls_mbedtls_get_x509_name(&x509->MBEDTLS_PRIVATE_V30_ONLY(subject), buf, len); case LWS_TLS_CERT_INFO_ISSUER_NAME: - return lws_tls_mbedtls_get_x509_name(&x509->MBEDTLS_PRIVATE(issuer), buf, len); + return lws_tls_mbedtls_get_x509_name(&x509->MBEDTLS_PRIVATE_V30_ONLY(issuer), buf, len); case LWS_TLS_CERT_INFO_USAGE: buf->usage = x509->MBEDTLS_PRIVATE(key_usage); @@ -135,10 +135,10 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, char *p = buf->ns.name; size_t r = len, u; - switch (mbedtls_pk_get_type(&x509->MBEDTLS_PRIVATE(pk))) { + switch (mbedtls_pk_get_type(&x509->MBEDTLS_PRIVATE_V30_ONLY(pk))) { case MBEDTLS_PK_RSA: { - mbedtls_rsa_context *rsa = mbedtls_pk_rsa(x509->MBEDTLS_PRIVATE(pk)); + mbedtls_rsa_context *rsa = mbedtls_pk_rsa(x509->MBEDTLS_PRIVATE_V30_ONLY(pk)); if (mbedtls_mpi_write_string(&rsa->MBEDTLS_PRIVATE(N), 16, p, r, &u)) return -1; @@ -153,7 +153,7 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, } case MBEDTLS_PK_ECKEY: { - mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(x509->MBEDTLS_PRIVATE(pk)); + mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(x509->MBEDTLS_PRIVATE_V30_ONLY(pk)); if (mbedtls_mpi_write_string(&ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, p, r, &u)) return -1; @@ -172,7 +172,7 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, default: lwsl_notice("%s: x509 has unsupported pubkey type %d\n", __func__, - mbedtls_pk_get_type(&x509->MBEDTLS_PRIVATE(pk))); + mbedtls_pk_get_type(&x509->MBEDTLS_PRIVATE_V30_ONLY(pk))); return -1; } @@ -180,17 +180,17 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, } case LWS_TLS_CERT_INFO_DER_RAW: - buf->ns.len = (int)x509->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len); + buf->ns.len = (int)x509->MBEDTLS_PRIVATE_V30_ONLY(raw).MBEDTLS_PRIVATE_V30_ONLY(len); - if (len < x509->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len)) + if (len < x509->MBEDTLS_PRIVATE_V30_ONLY(raw).MBEDTLS_PRIVATE_V30_ONLY(len)) /* * The buffer is too small and the attempt failed, but * the required object length is in buf->ns.len */ return -1; - memcpy(buf->ns.name, x509->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p), - x509->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len)); + memcpy(buf->ns.name, x509->MBEDTLS_PRIVATE_V30_ONLY(raw).MBEDTLS_PRIVATE_V30_ONLY(p), + x509->MBEDTLS_PRIVATE_V30_ONLY(raw).MBEDTLS_PRIVATE_V30_ONLY(len)); break; case LWS_TLS_CERT_INFO_AUTHORITY_KEY_ID: @@ -199,13 +199,13 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, memset(&skid, 0, sizeof(skid)); lws_x509_get_crt_ext(x509, &skid, &akid); - if (akid.keyIdentifier.MBEDTLS_PRIVATE(tag) != MBEDTLS_ASN1_OCTET_STRING) + if (akid.keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(tag) != MBEDTLS_ASN1_OCTET_STRING) return 1; - buf->ns.len = (int)akid.keyIdentifier.MBEDTLS_PRIVATE(len); - if (!akid.keyIdentifier.MBEDTLS_PRIVATE(p) || + buf->ns.len = (int)akid.keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(len); + if (!akid.keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(p) || len < (size_t)buf->ns.len) return -1; - memcpy(buf->ns.name, akid.keyIdentifier.MBEDTLS_PRIVATE(p), (size_t)buf->ns.len); + memcpy(buf->ns.name, akid.keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(p), (size_t)buf->ns.len); break; case LWS_TLS_CERT_INFO_AUTHORITY_KEY_ID_ISSUER: { @@ -221,17 +221,17 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, buf->ns.len = 0; while (ip) { - if (akid.keyIdentifier.MBEDTLS_PRIVATE(tag) != MBEDTLS_ASN1_OCTET_STRING || - !ip->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(p) || - ip->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(len) < 9 || - len < (size_t)ip->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(len) - 9u) + if (akid.keyIdentifier.MBEDTLS_PRIVATE_V30_ONLY(tag) != MBEDTLS_ASN1_OCTET_STRING || + !ip->MBEDTLS_PRIVATE_V30_ONLY(buf).MBEDTLS_PRIVATE_V30_ONLY(p) || + ip->MBEDTLS_PRIVATE_V30_ONLY(buf).MBEDTLS_PRIVATE_V30_ONLY(len) < 9 || + len < (size_t)ip->MBEDTLS_PRIVATE_V30_ONLY(buf).MBEDTLS_PRIVATE_V30_ONLY(len) - 9u) break; - memcpy(buf->ns.name + buf->ns.len, ip->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(p), - (size_t)ip->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(len) - 9); - buf->ns.len = buf->ns.len + (int)ip->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(len) - 9; + memcpy(buf->ns.name + buf->ns.len, ip->MBEDTLS_PRIVATE_V30_ONLY(buf).MBEDTLS_PRIVATE_V30_ONLY(p), + (size_t)ip->MBEDTLS_PRIVATE_V30_ONLY(buf).MBEDTLS_PRIVATE_V30_ONLY(len) - 9); + buf->ns.len = buf->ns.len + (int)ip->MBEDTLS_PRIVATE_V30_ONLY(buf).MBEDTLS_PRIVATE_V30_ONLY(len) - 9; - ip = ip->MBEDTLS_PRIVATE(next); + ip = ip->MBEDTLS_PRIVATE_V30_ONLY(next); } break; } @@ -242,14 +242,14 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, lws_x509_get_crt_ext(x509, &skid, &akid); - if (akid.authorityCertSerialNumber.MBEDTLS_PRIVATE(tag) != MBEDTLS_ASN1_OCTET_STRING) + if (akid.authorityCertSerialNumber.MBEDTLS_PRIVATE_V30_ONLY(tag) != MBEDTLS_ASN1_OCTET_STRING) return 1; - buf->ns.len = (int)akid.authorityCertSerialNumber.MBEDTLS_PRIVATE(len); - if (!akid.authorityCertSerialNumber.MBEDTLS_PRIVATE(p) || + buf->ns.len = (int)akid.authorityCertSerialNumber.MBEDTLS_PRIVATE_V30_ONLY(len); + if (!akid.authorityCertSerialNumber.MBEDTLS_PRIVATE_V30_ONLY(p) || len < (size_t)buf->ns.len) return -1; memcpy(buf->ns.name, akid.authorityCertSerialNumber. - MBEDTLS_PRIVATE(p), (size_t)buf->ns.len); + MBEDTLS_PRIVATE_V30_ONLY(p), (size_t)buf->ns.len); break; case LWS_TLS_CERT_INFO_SUBJECT_KEY_ID: @@ -259,12 +259,12 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type, lws_x509_get_crt_ext(x509, &skid, &akid); - if (skid.MBEDTLS_PRIVATE(tag) != MBEDTLS_ASN1_OCTET_STRING) + if (skid.MBEDTLS_PRIVATE_V30_ONLY(tag) != MBEDTLS_ASN1_OCTET_STRING) return 1; - buf->ns.len = (int)skid.MBEDTLS_PRIVATE(len); + buf->ns.len = (int)skid.MBEDTLS_PRIVATE_V30_ONLY(len); if (len < (size_t)buf->ns.len) return -1; - memcpy(buf->ns.name, skid.MBEDTLS_PRIVATE(p), (size_t)buf->ns.len); + memcpy(buf->ns.name, skid.MBEDTLS_PRIVATE_V30_ONLY(p), (size_t)buf->ns.len); break; default: return -1; @@ -379,7 +379,7 @@ int lws_x509_public_to_jwk(struct lws_jwk *jwk, struct lws_x509_cert *x509, const char *curves, int rsa_min_bits) { - int kt = (int)mbedtls_pk_get_type(&x509->cert.MBEDTLS_PRIVATE(pk)), + int kt = (int)mbedtls_pk_get_type(&x509->cert.MBEDTLS_PRIVATE_V30_ONLY(pk)), n, count = 0, ret = -1; mbedtls_rsa_context *rsactx; mbedtls_ecp_keypair *ecpctx; @@ -391,7 +391,7 @@ lws_x509_public_to_jwk(struct lws_jwk *jwk, struct lws_x509_cert *x509, case MBEDTLS_PK_RSA: lwsl_notice("%s: RSA key\n", __func__); jwk->kty = LWS_GENCRYPTO_KTY_RSA; - rsactx = mbedtls_pk_rsa(x509->cert.MBEDTLS_PRIVATE(pk)); + rsactx = mbedtls_pk_rsa(x509->cert.MBEDTLS_PRIVATE_V30_ONLY(pk)); mpi[LWS_GENCRYPTO_RSA_KEYEL_E] = &rsactx->MBEDTLS_PRIVATE(E); mpi[LWS_GENCRYPTO_RSA_KEYEL_N] = &rsactx->MBEDTLS_PRIVATE(N); @@ -409,7 +409,7 @@ lws_x509_public_to_jwk(struct lws_jwk *jwk, struct lws_x509_cert *x509, case MBEDTLS_PK_ECKEY: lwsl_notice("%s: EC key\n", __func__); jwk->kty = LWS_GENCRYPTO_KTY_EC; - ecpctx = mbedtls_pk_ec(x509->cert.MBEDTLS_PRIVATE(pk)); + ecpctx = mbedtls_pk_ec(x509->cert.MBEDTLS_PRIVATE_V30_ONLY(pk)); mpi[LWS_GENCRYPTO_EC_KEYEL_X] = &ecpctx->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X); mpi[LWS_GENCRYPTO_EC_KEYEL_D] = &ecpctx->MBEDTLS_PRIVATE(d); mpi[LWS_GENCRYPTO_EC_KEYEL_Y] = &ecpctx->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y); diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c index 0faf0d713..db63d0958 100755 --- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c +++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c @@ -499,14 +499,13 @@ void ssl_pm_set_fd(SSL *ssl, int fd, int mode) { struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; - ssl_pm->fd.MBEDTLS_PRIVATE(fd) = fd; + ssl_pm->fd.MBEDTLS_PRIVATE_V30_ONLY(fd) = fd; } int ssl_pm_get_fd(const SSL *ssl, int mode) { struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; - - return ssl_pm->fd.MBEDTLS_PRIVATE(fd); + return ssl_pm->fd.MBEDTLS_PRIVATE_V30_ONLY(fd); } OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl)