[mod_mbedtls] use newer mbedtls 3.2.0+ interfaces
parent
54c07b5456
commit
f82006a0db
|
|
@ -810,14 +810,25 @@ mod_mbedtls_conf_verify (handler_ctx *hctx)
|
|||
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
mbedtls_ssl_context * const ssl = &hctx->ssl;
|
||||
|
||||
#if MBEDTLS_VERSION_NUMBER >= 0x03020000 /* mbedtls 3.02.0 */
|
||||
int mode = (hctx->conf.ssl_verifyclient_enforce)
|
||||
? MBEDTLS_SSL_VERIFY_REQUIRED
|
||||
: MBEDTLS_SSL_VERIFY_OPTIONAL;
|
||||
mbedtls_ssl_set_hs_authmode(ssl, mode);
|
||||
mbedtls_ssl_set_hs_ca_chain(ssl, hctx->conf.ssl_ca_file,
|
||||
hctx->conf.ssl_ca_crl_file);
|
||||
if (hctx->conf.ssl_ca_dn_file)
|
||||
mbedtls_ssl_set_hs_dn_hints(ssl, hctx->conf.ssl_ca_dn_file);
|
||||
#else
|
||||
/* send ssl_ca_dn_file (if set) in client certificate request
|
||||
* (later changed to ssl_ca_file before client certificate verification) */
|
||||
mbedtls_x509_crt *ca_certs = hctx->conf.ssl_ca_dn_file
|
||||
? hctx->conf.ssl_ca_dn_file
|
||||
: hctx->conf.ssl_ca_file;
|
||||
|
||||
mbedtls_ssl_context * const ssl = &hctx->ssl;
|
||||
mbedtls_ssl_set_hs_ca_chain(ssl, ca_certs, hctx->conf.ssl_ca_crl_file);
|
||||
#endif
|
||||
#if MBEDTLS_VERSION_NUMBER >= 0x02120000 /* mbedtls 2.18.0 */
|
||||
mbedtls_ssl_set_verify(ssl, mod_mbedtls_verify_cb, hctx);
|
||||
#else
|
||||
|
|
@ -1243,6 +1254,45 @@ mod_mbedtls_alpn_select_cb (handler_ctx *hctx, const unsigned char *in, const un
|
|||
#endif /* MBEDTLS_SSL_ALPN */
|
||||
|
||||
|
||||
#if MBEDTLS_VERSION_NUMBER >= 0x03020000 /* mbedtls 3.02.0 */
|
||||
static int
|
||||
mod_mbedtls_cert_cb (mbedtls_ssl_context * const ssl)
|
||||
{
|
||||
handler_ctx * const hctx = mbedtls_ssl_get_user_data_p(ssl);
|
||||
int rc = 0;
|
||||
|
||||
#ifdef MBEDTLS_SSL_ALPN
|
||||
const char *alpn = mbedtls_ssl_get_alpn_protocol(&hctx->ssl);
|
||||
if (NULL != alpn) {
|
||||
rc = mod_mbedtls_alpn_selected(hctx, alpn);
|
||||
if (0 != rc) return rc;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef MBEDTLS_SSL_SERVER_NAME_INDICATION
|
||||
size_t len;
|
||||
const unsigned char *servername = mbedtls_ssl_get_hs_sni(ssl, &len);
|
||||
if (servername) {
|
||||
rc = mod_mbedtls_SNI(hctx, ssl, servername, len);
|
||||
if (0 != rc) return rc;
|
||||
} /*(else no SNI)*/
|
||||
#if 0 /*"acme-tls/1" required SNI; use default cert; let cert challenge fail*/
|
||||
else if (hctx->alpn == MOD_MBEDTLS_ALPN_ACME_TLS_1)
|
||||
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
||||
|
||||
if (hctx->conf.ssl_verifyclient
|
||||
&& hctx->alpn != MOD_MBEDTLS_ALPN_ACME_TLS_1) { /*(not "acme-tls/1")*/
|
||||
rc = mod_mbedtls_conf_verify(hctx);
|
||||
if (0 != rc) return rc;
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
static int
|
||||
mod_mbedtls_ssl_conf_ciphersuites (server *srv, plugin_config_socket *s, buffer *ciphersuites, const buffer *cipherstring);
|
||||
|
||||
|
|
@ -1430,6 +1480,10 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
|
|||
return -1;
|
||||
}
|
||||
|
||||
#if MBEDTLS_VERSION_NUMBER >= 0x03020000 /* mbedtls 3.02.0 */
|
||||
mbedtls_ssl_conf_cert_cb(s->ssl_ctx, mod_mbedtls_cert_cb);
|
||||
#endif
|
||||
|
||||
#ifdef MBEDTLS_SSL_ALPN
|
||||
/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids */
|
||||
static const char *alpn_protos_http_acme[] = {
|
||||
|
|
@ -1487,7 +1541,8 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
|
|||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
if (s->ssl_session_ticket && !p->ticket_ctx.ticket_lifetime) { /*init once*/
|
||||
if (s->ssl_session_ticket /*(.ticket_lifetime is private)*/
|
||||
&& !*(unsigned char *)&p->ticket_ctx) { /*init once*/
|
||||
rc = mbedtls_ssl_ticket_setup(&p->ticket_ctx, mbedtls_ctr_drbg_random,
|
||||
&p->ctr_drbg, MBEDTLS_CIPHER_AES_256_GCM,
|
||||
43200); /* ticket timeout: 12 hours */
|
||||
|
|
@ -2118,7 +2173,6 @@ connection_write_cq_ssl (connection * const con, chunkqueue * const cq, off_t ma
|
|||
|
||||
|
||||
#if MBEDTLS_VERSION_NUMBER >= 0x03020000 /* mbedtls 3.02.0 */
|
||||
#define handshake_state(ssl) (ssl)->MBEDTLS_PRIVATE(state)
|
||||
#elif MBEDTLS_VERSION_NUMBER >= 0x03000000 /* mbedtls 3.00.0 */
|
||||
#define handshake_state(ssl) (ssl)->MBEDTLS_PRIVATE(state)
|
||||
#else /* MBEDTLS_VERSION_NUMBER < 0x03000000 */ /* mbedtls 3.00.0 */
|
||||
|
|
@ -2136,6 +2190,12 @@ mod_mbedtls_ssl_handshake (handler_ctx *hctx)
|
|||
{
|
||||
int rc = 0;
|
||||
|
||||
#if MBEDTLS_VERSION_NUMBER >= 0x03020000 /* mbedtls 3.02.0 */
|
||||
|
||||
rc = mbedtls_ssl_handshake(&hctx->ssl);
|
||||
|
||||
#else
|
||||
|
||||
/* overwrite callback with hctx each time we enter here, before handshake
|
||||
* (Some callbacks are on mbedtls_ssl_config, not mbedtls_ssl_context)
|
||||
* (Not thread-safe if config (mbedtls_ssl_config *ssl_ctx) is shared)
|
||||
|
|
@ -2209,6 +2269,8 @@ mod_mbedtls_ssl_handshake (handler_ctx *hctx)
|
|||
rc = mbedtls_ssl_handshake(&hctx->ssl);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
switch (rc) {
|
||||
case 0:
|
||||
hctx->handshake_done = 1;
|
||||
|
|
@ -2359,6 +2421,10 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_accept)
|
|||
return HANDLER_ERROR;
|
||||
}
|
||||
|
||||
#if MBEDTLS_VERSION_NUMBER >= 0x03020000 /* mbedtls 3.02.0 */
|
||||
mbedtls_ssl_set_user_data_p(&hctx->ssl, hctx);
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_set_bio(&hctx->ssl, (mbedtls_net_context *)&con->fd,
|
||||
mbedtls_net_send, mbedtls_net_recv, NULL);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue