diff --git a/libratbox/src/mbedtls.c b/libratbox/src/mbedtls.c index 348bd558..f5578b5d 100644 --- a/libratbox/src/mbedtls.c +++ b/libratbox/src/mbedtls.c @@ -65,9 +65,12 @@ typedef struct static mbedtls_ctr_drbg_context ctr_drbg_ctx; static mbedtls_entropy_context entropy_ctx; -static mbedtls_x509_crt dummy_ca_ctx; static rb_mbedtls_cfg_context *rb_mbedtls_cfg = NULL; +#if (MBEDTLS_VERSION_NUMBER < 0x02050100) +static mbedtls_x509_crt dummy_ca_ctx; +#endif + struct ssl_connect @@ -226,8 +229,10 @@ rb_mbedtls_cfg_new(void) mbedtls_ssl_conf_rng(&cfg->server_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx); mbedtls_ssl_conf_rng(&cfg->client_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx); +#if (MBEDTLS_VERSION_NUMBER < 0x02050100) mbedtls_ssl_conf_ca_chain(&cfg->server_cfg, &dummy_ca_ctx, NULL); mbedtls_ssl_conf_ca_chain(&cfg->client_cfg, &dummy_ca_ctx, NULL); +#endif mbedtls_ssl_conf_authmode(&cfg->server_cfg, MBEDTLS_SSL_VERIFY_OPTIONAL); mbedtls_ssl_conf_authmode(&cfg->client_cfg, MBEDTLS_SSL_VERIFY_NONE); @@ -429,12 +434,14 @@ rb_init_ssl(void) return 0; } +#if (MBEDTLS_VERSION_NUMBER < 0x02050100) if((ret = mbedtls_x509_crt_parse_der(&dummy_ca_ctx, rb_mbedtls_dummy_ca_certificate, sizeof(rb_mbedtls_dummy_ca_certificate))) != 0) { rb_lib_log("%s: x509_crt_parse_der (Dummy CA): %s", __func__, rb_ssl_strerror(ret)); return 0; } +#endif rb_lib_log("%s: MbedTLS backend initialised", __func__); return 1; diff --git a/libratbox/src/mbedtls_ratbox.h b/libratbox/src/mbedtls_ratbox.h index 57184dc9..2eb96abf 100644 --- a/libratbox/src/mbedtls_ratbox.h +++ b/libratbox/src/mbedtls_ratbox.h 
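Review bot: The guard `#if (MBEDTLS_VERSION_NUMBER < 0x02050100)` around `dummy_ca_ctx` only works if `MBEDTLS_VERSION_NUMBER` is defined at that point. An undefined identifier in `#if` evaluates to 0, so the condition would be true and the dummy CA would stay compiled in on every MbedTLS version with no diagnostic. The diff does not show whether `mbedtls/version.h` is included before the first guard, so this may already be covered. Because the same literal is repeated in rb_mbedtls_cfg_new, rb_init_ssl and mbedtls_ratbox.h, I would define it once next to the certificate, e.g. `#define RB_MBEDTLS_NEED_DUMMY_CA (MBEDTLS_VERSION_NUMBER < 0x02050100)`, with an `#ifndef MBEDTLS_VERSION_NUMBER` / `#error` check in front of it.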
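Review bot: The new `#if` around the two `mbedtls_ssl_conf_ca_chain` calls in rb_mbedtls_cfg_new has no comment explaining why the CA chain is skipped on newer libraries. A reader of this function alone sees `MBEDTLS_SSL_VERIFY_OPTIONAL` with no trust anchor configured. I would add above the guard: `/* MbedTLS < 2.5.1 does not process client certificates unless a CA chain is set; see mbedtls_ratbox.h */`. It is also worth stating there that, with no CA chain, chain verification presumably cannot succeed and peer identity rests only on the certificate fingerprint, so no caller should treat the verify result as authentication. The function body starts and ends outside the hunk.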
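Review bot: The guard in rb_init_ssl is decided by the headers at build time, so a binary built against MbedTLS 2.5.1 or later but loaded with an older shared library would skip the dummy CA and, per the header comment, stop processing client certificates without any log line. If that mismatch is possible with this project's packaging, an `#else` branch could check the runtime version: `if(mbedtls_version_get_number() < 0x02050100) rb_lib_log("%s: MbedTLS runtime library is older than 2.5.1; client certificates will not be processed", __func__);`. `mbedtls_version_get_number()` needs `MBEDTLS_VERSION_C` enabled in the library configuration. The header comment's wording "if that version (or greater) is installed" has the same build-time versus run-time ambiguity. rb_init_ssl begins outside the hunk.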
@@ -152,8 +152,8 @@ static const int rb_mbedtls_ciphersuites[] = { * * BEFORE YOU THROW YOUR ARMS UP IN A PANIC ABOUT A BACKDOOR, READ THIS TEXT! * - * ARM mbedTLS requires a CA certificate to be set in its configuration before it will - * request a client certificate from peers. Since we want to do that, and not all + * ARM mbedTLS required a CA certificate to be set in its configuration before it will + * process a client certificate from peers. Since we want to do that, and not all * installations will have a CA certificate to hand, we have this. * * Its key was securely destroyed after being generated, but even if it wasn't, that @@ -163,9 +163,15 @@ static const int rb_mbedtls_ciphersuites[] = { * After all, it only cares about certificates in as far as to generate a fingerprint * for them. * - * Yes, this is a massive hack, but there is no alternative. + * Yes, this is a massive hack, but there is no alternative for older versions. + * + * This issue was fixed in commit 39ae8cd2077d on the MbedTLS 2.5 development branch, + * released in version 2.5.1 on 19 June 2017. This certificate will not be used if + * that version (or greater) is installed. */ +#if (MBEDTLS_VERSION_NUMBER < 0x02050100) + static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = { 0x30, 0x82, 0x03, 0x35, 0x30, 0x82, 0x02, 0x1D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x86, 0xC5, 0x1F, 0x62, 0xBE, 0xFC, 0x0B, 0xA8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, @@ -221,4 +227,6 @@ static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = { 0xB3, 0x1F, 0x72, 0xDE, 0x2A, 0x28, 0xFE, 0x7C, 0x2D }; +#endif /* MBEDTLS_VERSION_NUMBER */ + #endif /* RB_MBEDTLS_EMBEDDED_DATA_H */