[ssl] support mbedtls 4.0 (#849)

Author: Apprentice-Alchemist

libs/ssl/CMakeLists.txt

@@ -123,8 +123,8 @@ if (WIN32)
     )
 elseif(DOWNLOAD_DEPENDENCIES)
 	FetchContent_Declare(mbedtls-project
-        URL https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-3.6.4/mbedtls-3.6.4.tar.bz2
-        URL_HASH SHA256=ec35b18a6c593cf98c3e30db8b98ff93e8940a8c4e690e66b41dfc011d678110
+        URL https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-4.0.0/mbedtls-4.0.0.tar.bz2
+        URL_HASH SHA256=2f3a47f7b3a541ddef450e4867eeecb7ce2ef7776093f3a11d6d43ead6bf2827
         EXCLUDE_FROM_ALL
     )
     set(_OLD_BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS})
@@ -133,7 +133,7 @@ elseif(DOWNLOAD_DEPENDENCIES)
     set(ENABLE_TESTING OFF CACHE INTERNAL "")
     FetchContent_MakeAvailable(mbedtls-project)
     set(BUILD_SHARED_LIBS ${_OLD_BUILD_SHARED_LIBS})
-    set(MBEDTLS_LIBRARIES MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::mbedcrypto)
+    set(MBEDTLS_LIBRARIES MbedTLS::mbedtls MbedTLS::mbedx509 TF-PSA-Crypto::tfpsacrypto)
 else()
     find_package(MbedTLS REQUIRED)
 endif()

libs/ssl/ssl.c

@@ -22,15 +22,16 @@ typedef int SOCKET;
 #define SOCKET_ERROR (-1)
 #define NRETRYS	20
 
-#include "mbedtls/platform.h"
 #include "mbedtls/error.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/ctr_drbg.h"
 #include "mbedtls/md.h"
 #include "mbedtls/pk.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509.h"
 #include "mbedtls/ssl.h"
+#include "mbedtls/oid.h"
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/entropy.h"
+#endif
 
 #ifdef MBEDTLS_PSA_CRYPTO_C
 #include <psa/crypto.h>
@@ -68,8 +69,10 @@ struct _hl_ssl_pkey {
 #define TPKEY _ABSTRACT(hl_ssl_pkey)
 
 static bool ssl_init_done = false;
+#if MBEDTLS_VERSION_MAJOR < 4
 static mbedtls_entropy_context entropy;
 static mbedtls_ctr_drbg_context ctr_drbg;
+#endif
 
 static bool is_ssl_blocking( int r ) {
 	return r == MBEDTLS_ERR_SSL_WANT_READ || r == MBEDTLS_ERR_SSL_WANT_WRITE;
@@ -245,7 +248,9 @@ HL_PRIM mbedtls_ssl_config *HL_NAME(conf_new)(bool server) {
 		ssl_error(ret);
 		return NULL;
 	}
+#if MBEDTLS_VERSION_MAJOR < 4
 	mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &ctr_drbg);
+#endif
 	return conf;
 }
 
@@ -409,16 +414,158 @@ static vbyte *asn1_buf_to_string(mbedtls_asn1_buf *dat) {
 	return (vbyte*)hl_buffer_content(buf,NULL);
 }
 
+// The following code is adapted from `library/x509_oid.c` in MbedTLS 4.0.0
+// Originally Copyright The Mbed TLS Contributors
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+#define ADD_LEN(s) s, MBEDTLS_OID_SIZE(s)
+#define OID_DESCRIPTOR(s, name, description) {ADD_LEN(s)}
+#define NULL_OID_DESCRIPTOR {NULL, 0}
+
+typedef struct {
+  const char *asn1; /*!< OID ASN.1 representation       */
+  size_t asn1_len;  /*!< length of asn1                 */
+} mbedtls_x509_oid_descriptor_t;
+
+typedef struct {
+    mbedtls_x509_oid_descriptor_t    descriptor;
+    const char          *short_name;
+} oid_x520_attr_t;
+
+static const oid_x520_attr_t oid_x520_attr_type[] = {
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_CN, "id-at-commonName", "Common Name"),
+        "CN",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_COUNTRY, "id-at-countryName", "Country"),
+        "C",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_LOCALITY, "id-at-locality", "Locality"),
+        "L",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_STATE, "id-at-state", "State"),
+        "ST",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_ORGANIZATION, "id-at-organizationName",
+                       "Organization"),
+        "O",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_ORG_UNIT, "id-at-organizationalUnitName",
+                       "Org Unit"),
+        "OU",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_PKCS9_EMAIL, "emailAddress",
+                       "E-mail address"),
+        "emailAddress",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_SERIAL_NUMBER, "id-at-serialNumber",
+                       "Serial number"),
+        "serialNumber",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_ADDRESS, "id-at-postalAddress",
+                       "Postal address"),
+        "postalAddress",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_CODE, "id-at-postalCode",
+                       "Postal code"),
+        "postalCode",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_SUR_NAME, "id-at-surName", "Surname"),
+        "SN",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_GIVEN_NAME, "id-at-givenName",
+                       "Given name"),
+        "GN",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_INITIALS, "id-at-initials", "Initials"),
+        "initials",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_GENERATION_QUALIFIER,
+                       "id-at-generationQualifier", "Generation qualifier"),
+        "generationQualifier",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_TITLE, "id-at-title", "Title"),
+        "title",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_DN_QUALIFIER, "id-at-dnQualifier",
+                       "Distinguished Name qualifier"),
+        "dnQualifier",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_PSEUDONYM, "id-at-pseudonym",
+                       "Pseudonym"),
+        "pseudonym",
+    },
+#ifdef MBEDTLS_OID_UID
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_UID, "id-uid", "User Id"),
+        "uid",
+    },
+#endif
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_DOMAIN_COMPONENT, "id-domainComponent",
+                       "Domain component"),
+        "DC",
+    },
+    {
+        OID_DESCRIPTOR(MBEDTLS_OID_AT_UNIQUE_IDENTIFIER,
+                       "id-at-uniqueIdentifier", "Unique Identifier"),
+        "uniqueIdentifier",
+    },
+    {
+        NULL_OID_DESCRIPTOR,
+        NULL,
+    }};
+
+static const oid_x520_attr_t *
+oid_x520_attr_from_asn1(const mbedtls_asn1_buf *oid) {
+  const oid_x520_attr_t *p = (oid_x520_attr_type);
+  const mbedtls_x509_oid_descriptor_t *cur =
+      (const mbedtls_x509_oid_descriptor_t *)p;
+  if (p == NULL || oid == NULL)
+    return NULL;
+  while (cur->asn1 != NULL) {
+    if (cur->asn1_len == oid->len && memcmp(cur->asn1, oid->p, oid->len) == 0) {
+      return p;
+    }
+    p++;
+    cur = (const mbedtls_x509_oid_descriptor_t *)p;
+  }
+  return NULL;
+}
+
+static int oid_get_attr_short_name(const mbedtls_asn1_buf *oid,
+                                         const char **short_name) {
+  const oid_x520_attr_t *data = oid_x520_attr_from_asn1(oid);
+  if (data == NULL)
+    return -0x2100;
+  *short_name = data->short_name;
+  return 0;
+}
+
+// end code adapted from MbedTLS
+
 HL_PRIM vbyte *HL_NAME(cert_get_subject)(hl_ssl_cert *cert, vbyte *objname) {
-	mbedtls_x509_name *obj;
-	int r;
-	const char *oname, *rname;
-	obj = &cert->c->subject;
-	if (obj == NULL)
-		hl_error("Invalid subject");
-	rname = (char*)objname;
+	mbedtls_x509_name *obj = &cert->c->subject;
+	const char *rname = (char*)objname;
 	while (obj != NULL) {
-		r = mbedtls_oid_get_attr_short_name(&obj->oid, &oname);
+		const char *oname;
+		int r = oid_get_attr_short_name(&obj->oid, &oname);
 		if (r == 0 && strcmp(oname, rname) == 0)
 			return asn1_buf_to_string(&obj->val);
 		obj = obj->next;
@@ -427,15 +574,11 @@ HL_PRIM vbyte *HL_NAME(cert_get_subject)(hl_ssl_cert *cert, vbyte *objname) {
 }
 
 HL_PRIM vbyte *HL_NAME(cert_get_issuer)(hl_ssl_cert *cert, vbyte *objname) {
-	mbedtls_x509_name *obj;
-	int r;
-	const char *oname, *rname;
-	obj = &cert->c->issuer;
-	if (obj == NULL)
-		hl_error("Invalid issuer");
-	rname = (char*)objname;
+	mbedtls_x509_name *obj = &cert->c->issuer;
+	const char *rname = (char*)objname;
 	while (obj != NULL) {
-		r = mbedtls_oid_get_attr_short_name(&obj->oid, &oname);
+		const char *oname;
+		int r = oid_get_attr_short_name(&obj->oid, &oname);
 		if (r == 0 && strcmp(oname, rname) == 0)
 			return asn1_buf_to_string(&obj->val);
 		obj = obj->next;
@@ -587,7 +730,9 @@ HL_PRIM hl_ssl_pkey *HL_NAME(key_from_der)(vbyte *data, int len, bool pub) {
 	if (pub)
 		r = mbedtls_pk_parse_public_key(pk, (const unsigned char*)data, len);
 	else
-#if MBEDTLS_VERSION_MAJOR >= 3
+#if MBEDTLS_VERSION_MAJOR >= 4
+		r = mbedtls_pk_parse_key(pk, (const unsigned char*)data, len, NULL, 0);
+#elif MBEDTLS_VERSION_MAJOR >= 3
 		r = mbedtls_pk_parse_key(pk, (const unsigned char*)data, len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg);
 #else
 		r = mbedtls_pk_parse_key(pk, (const unsigned char*)data, len, NULL, 0);
@@ -616,7 +761,12 @@ HL_PRIM hl_ssl_pkey *HL_NAME(key_from_pem)(vbyte *data, bool pub, vbyte *pass) {
 	buf[len - 1] = '\0';
 	if (pub)
 		r = mbedtls_pk_parse_public_key(pk, buf, len);
-#if MBEDTLS_VERSION_MAJOR >= 3
+#if MBEDTLS_VERSION_MAJOR >= 4
+	else if (pass == NULL)
+		r = mbedtls_pk_parse_key(pk, buf, len, NULL, 0);
+	else
+		r = mbedtls_pk_parse_key(pk, buf, len, (const unsigned char*)pass, strlen((char*)pass));
+#elif MBEDTLS_VERSION_MAJOR >= 3
 	else if (pass == NULL)
 		r = mbedtls_pk_parse_key(pk, buf, len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg);
 	else
@@ -643,12 +793,32 @@ HL_PRIM hl_ssl_pkey *HL_NAME(key_from_pem)(vbyte *data, bool pub, vbyte *pass) {
 DEFINE_PRIM(TPKEY, key_from_der, _BYTES _I32 _BOOL);
 DEFINE_PRIM(TPKEY, key_from_pem, _BYTES _BOOL _BYTES);
 
+static mbedtls_md_type_t md_type_from_string(const char *alg) {
+  if (strcmp(alg, "MD5") == 0) {
+	return MBEDTLS_MD_MD5;
+  } else if(strcmp(alg, "SHA1") == 0) {
+	return MBEDTLS_MD_SHA1;
+  } else if (strcmp(alg, "SHA224") == 0) {
+    return MBEDTLS_MD_SHA224;
+  } else if (strcmp(alg, "SHA256") == 0) {
+    return MBEDTLS_MD_SHA256;
+  } else if (strcmp(alg, "SHA384") == 0) {
+    return MBEDTLS_MD_SHA384;
+  } else if (strcmp(alg, "SHA512") == 0) {
+    return MBEDTLS_MD_SHA512;
+  } else if (strcmp(alg, "RIPEMD160") == 0) {
+    return MBEDTLS_MD_RIPEMD160;
+  } else {
+	hl_error("Unknown hash algorithm: %s", alg);
+  }
+}
+
 HL_PRIM vbyte *HL_NAME(dgst_make)(vbyte *data, int len, vbyte *alg, int *size) {
 	const mbedtls_md_info_t *md;
 	int mdlen, r = -1;
 	vbyte *out;
 
-	md = mbedtls_md_info_from_string((char*)alg);
+	md = mbedtls_md_info_from_type(md_type_from_string((char*)alg));
 	if (md == NULL) {
 		hl_error("Invalid hash algorithm");
 		return NULL;
@@ -671,7 +841,7 @@ HL_PRIM vbyte *HL_NAME(dgst_sign)(vbyte *data, int len, hl_ssl_pkey *key, vbyte
 	unsigned char hash[MBEDTLS_MD_MAX_SIZE];
 	size_t ssize = size ? *size : 0;
 
-	md = mbedtls_md_info_from_string((char*)alg);
+	md = mbedtls_md_info_from_type(md_type_from_string((char*)alg));
 	if (md == NULL) {
 		hl_error("Invalid hash algorithm");
 		return NULL;
@@ -681,7 +851,10 @@ HL_PRIM vbyte *HL_NAME(dgst_sign)(vbyte *data, int len, hl_ssl_pkey *key, vbyte
 		ssl_error(r);
 		return NULL;
 	}
-#if MBEDTLS_VERSION_MAJOR >= 3
+#if MBEDTLS_VERSION_MAJOR >= 4
+	out = hl_gc_alloc_noptr(MBEDTLS_PK_SIGNATURE_MAX_SIZE);
+	if ((r = mbedtls_pk_sign(key->k, mbedtls_md_get_type(md), hash, mbedtls_md_get_size(md), out, MBEDTLS_PK_SIGNATURE_MAX_SIZE, (size ? &ssize : NULL))) != 0) {
+#elif MBEDTLS_VERSION_MAJOR >= 3
 	out = hl_gc_alloc_noptr(MBEDTLS_PK_SIGNATURE_MAX_SIZE);
 	if ((r = mbedtls_pk_sign(key->k, mbedtls_md_get_type(md), hash, mbedtls_md_get_size(md), out, MBEDTLS_PK_SIGNATURE_MAX_SIZE, (size ? &ssize : NULL), mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
 #else
@@ -700,7 +873,7 @@ HL_PRIM bool HL_NAME(dgst_verify)(vbyte *data, int dlen, vbyte *sign, int slen,
 	int r = -1;
 	unsigned char hash[MBEDTLS_MD_MAX_SIZE];
 
-	md = mbedtls_md_info_from_string((char*)alg);
+	md = mbedtls_md_info_from_type(md_type_from_string((char*)alg));
 	if (md == NULL) {
 		hl_error("Invalid hash algorithm");
 		return false;
@@ -764,10 +937,11 @@ HL_PRIM void HL_NAME(ssl_init)() {
 #endif
 
 	// Init RNG
+#if MBEDTLS_VERSION_MAJOR < 4
 	mbedtls_entropy_init(&entropy);
 	mbedtls_ctr_drbg_init(&ctr_drbg);
 	mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
-
+#endif
 	#ifdef MBEDTLS_PSA_CRYPTO_C
 	psa_crypto_init();
 	#endif