From 2a8a19c674dd843828771c04f25e906e3c58f845 Mon Sep 17 00:00:00 2001
From: Joel Klinghed
Date: Tue, 18 Jul 2023 14:11:04 +0200
Subject: Support mbedtls 3.x
---
 src/genca.cc | 2 +-
 src/mitm.cc | 5 +++--
 src/monitor-gui.cc | 2 +-
 src/ssl.hh | 3 ++-
 src/ssl_mbedtls.cc | 16 +++++++++-------
 5 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/src/genca.cc b/src/genca.cc
index ee0f580..9762321 100644
--- a/src/genca.cc
+++ b/src/genca.cc
@@ -20,7 +20,7 @@ bool genca(std::ostream& out, std::string const& name) {
 std::string key;
 if (!SSLKey::generate(logger.get(), entropy.get(), &key)) return false;
 std::string cert;
- std::unique_ptr pkey(SSLKey::load(logger.get(), key));
+ std::unique_ptr pkey(SSLKey::load(logger.get(), key, entropy.get()));
 if (!SSLCert::generate(logger.get(), entropy.get(), nullptr, nullptr, name, pkey.get(), &cert)) return false;
 out << cert << '\n' << key << std::endl;
diff --git a/src/mitm.cc b/src/mitm.cc
index f809afd..fb5c6c2 100644
--- a/src/mitm.cc
+++ b/src/mitm.cc
@@ -148,7 +148,7 @@ public:
 unsecure_ = config->get("ssl_unsecure", false);
 issuer_cert_.reset(SSLCert::load(logger_, ca_cert));
 if (!issuer_cert_) return false;
- issuer_key_.reset(SSLKey::load(logger_, ca_key));
+ issuer_key_.reset(SSLKey::load(logger_, ca_key, entropy_.get()));
 if (!issuer_key_) return false;
 return true;
 }
@@ -163,7 +163,8 @@ public:
 unsecure_ = config->get("ssl_unsecure", false);
 std::unique_ptr issuer_cert(SSLCert::load(logger_, ca_cert));
 if (!issuer_cert) return false;
- std::unique_ptr issuer_key(SSLKey::load(logger_, ca_key));
+ std::unique_ptr issuer_key(
+ SSLKey::load(logger_, ca_key, entropy_.get()));
 if (!issuer_key) return false;
 store_.swap(store);
 issuer_cert_.swap(issuer_cert);
diff --git a/src/monitor-gui.cc b/src/monitor-gui.cc
index b02f028..c4152b0 100644
--- a/src/monitor-gui.cc
+++ b/src/monitor-gui.cc
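Review bot: The result of the changed `SSLKey::load` call is never checked before `pkey.get()` is passed to `SSLCert::generate` on the next line, whereas both mitm.cc hunks test the same call with `if (!issuer_key) return false;`. The final hunk shows `SSLKey::load` returning `nullptr` when parsing fails, so a malformed key reaches `SSLCert::generate` as a null pointer unless that function tolerates one, which is not visible here. Adding `if (!pkey) return false;` directly after the `std::unique_ptr pkey(...)` line would make genca consistent with mitm.cc; the monitor-gui.cc hunk has the identical pattern and needs the same line. The genca function starts and ends outside the hunk.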
@@ -699,7 +699,7 @@ private:
 std::string key;
 if (!SSLKey::generate(logger, entropy.get(), &key)) return false;
 std::string cert;
- std::unique_ptr pkey(SSLKey::load(logger, key));
+ std::unique_ptr pkey(SSLKey::load(logger, key, entropy.get()));
 if (!SSLCert::generate(logger, entropy.get(), nullptr, nullptr, issuer, pkey.get(), &cert)) return false;
 std::ofstream of(output);
diff --git a/src/ssl.hh b/src/ssl.hh
index 1cd6aea..c4465e1 100644
--- a/src/ssl.hh
+++ b/src/ssl.hh
@@ -34,7 +34,8 @@ class SSLKey {
 public:
 virtual ~SSLKey() {}
 static bool generate(Logger* logger, SSLEntropy* entropy, std::string* key);
- static SSLKey* load(Logger* logger, std::string const& data);
+ static SSLKey* load(Logger* logger, std::string const& data,
+ SSLEntropy* entropy);
 protected:
 SSLKey() {}
diff --git a/src/ssl_mbedtls.cc b/src/ssl_mbedtls.cc
index a34067b..50c7975 100644
--- a/src/ssl_mbedtls.cc
+++ b/src/ssl_mbedtls.cc
@@ -4,7 +4,6 @@
 #include
 #include
-#include
 #include
 #include
 #include
@@ -108,11 +107,13 @@ public:
 mbedtls_pk_free(&key_);
 }
- bool load(Logger* logger, std::string const& data) {
+ bool load(Logger* logger, std::string const& data, SSLEntropy* entropy) {
 auto ret = mbedtls_pk_parse_key(
 &key_, reinterpret_cast(data.c_str()), data.size() + 1,
- nullptr, 0);
+ nullptr, 0,
+ mbedtls_ctr_drbg_random,
+ static_cast(entropy)->random());
 if (ret) {
 logerr(logger, ret, "Error parsing key");
 return false;
@@ -394,8 +395,8 @@ private:
 mbedtls_ssl_conf_min_version(&conf_, MBEDTLS_SSL_MAJOR_VERSION_3,
- unsecure() ? MBEDTLS_SSL_MINOR_VERSION_0 :
- MBEDTLS_SSL_MINOR_VERSION_1);
+ unsecure() ? MBEDTLS_SSL_MINOR_VERSION_3 :
+ MBEDTLS_SSL_MINOR_VERSION_4);
 return true;
 }
 };
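Review bot: The new `SSLEntropy* entropy` parameter of `SSLKey::load` in ssl.hh is undocumented, and its contract is not trivial: the ssl_mbedtls.cc implementation forwards it, after an unchecked downcast whose target type is lost in this rendering, as the RNG context of `mbedtls_pk_parse_key`. A comment on the declaration such as `// RNG source required by mbedtls 3.x key parsing; must not be null` would give callers the constraint that `generate`, which takes the same type, only implies. The SSLKey class continues outside the hunk.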
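Review bot: `static_cast(entropy)->random()` in the new `load` overload dereferences the `entropy` argument without a check, so a null pointer from a caller becomes undefined behaviour inside key parsing instead of the logged `return false` that the parse-error path just below produces. A guard such as `if (!entropy) return false;` before the `mbedtls_pk_parse_key` call, or in the static `SSLKey::load` wrapper in the last hunk before `new SSLKeyImpl()`, would fail cleanly; the three callers changed in this commit all pass `.get()` of an owned entropy object, but the header exposes the parameter as a plain pointer that nothing constrains. Whether the downcast can ever meet a different `SSLEntropy` subclass cannot be judged from the hunk, since its target type is not visible here. The `load` method continues past the end of the hunk.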
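Review bot: Under `MBEDTLS_SSL_MAJOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_4` is TLS 1.3 and `MBEDTLS_SSL_MINOR_VERSION_3` is TLS 1.2, so the non-`unsecure()` branch now refuses every peer that stops at TLS 1.2 and cannot be satisfied at all by a mbedtls 3.x build compiled without TLS 1.3 support; the replaced floor was TLS 1.0 (`MBEDTLS_SSL_MINOR_VERSION_1`), so this is a policy change the commit message does not mention. `MBEDTLS_SSL_MINOR_VERSION_3` is the conservative 3.x equivalent, and because mbedtls 3.x supports only TLS 1.2 and 1.3, `unsecure()` no longer has a weaker level to pick, so both branches could collapse to `MBEDTLS_SSL_MINOR_VERSION_3` with a comment noting that `ssl_unsecure` no longer lowers the protocol floor. Later 3.x releases also deprecate `mbedtls_ssl_conf_min_version` in favour of `mbedtls_ssl_conf_min_tls_version`, which takes the protocol version as a single value, worth considering once the minimum supported mbedtls is settled. The enclosing function begins outside the hunk.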
@@ -482,9 +483,10 @@ SSLCertStore* SSLCertStore::create(Logger* logger, std::string const& path) {
 }
 // static
-SSLKey* SSLKey::load(Logger* logger, std::string const& data) {
+SSLKey* SSLKey::load(Logger* logger, std::string const& data,
+ SSLEntropy* entropy) {
 std::unique_ptr key(new SSLKeyImpl());
- if (!key->load(logger, data)) return nullptr;
+ if (!key->load(logger, data, entropy)) return nullptr;
 return key.release();
 }
--
cgit v1.2.3-70-g09d2