Browse code
mbedtls: don't use API deprecated in mbed 2.7
The void-returning mbedtls_sha256() was deprecated in mbed TLS 2.7.
Use our own md_full() abstraction instead.
(The new function can theoretically fail, but only in case of highly
unlikely digest function failures. The personalisation on random using
the certificate is a best-effort measure, so we simply log a warning and
skip the personalisation if such highly unlikely errors occur.)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1518006166-14285-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16445.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2018/02/07 21:22:46Showing 1 changed files
| ... | ... |
@@ -60,7 +60,6 @@ |
| 60 | 60 |
|
| 61 | 61 |
#include <mbedtls/oid.h> |
| 62 | 62 |
#include <mbedtls/pem.h> |
| 63 |
-#include <mbedtls/sha256.h> |
|
| 64 | 63 |
|
| 65 | 64 |
static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy = |
| 66 | 65 |
{
|
| ... | ... |
@@ -851,9 +850,14 @@ tls_ctx_personalise_random(struct tls_root_ctx *ctx) |
| 851 | 851 |
|
| 852 | 852 |
if (NULL != ctx->crt_chain) |
| 853 | 853 |
{
|
| 854 |
+ const md_kt_t *sha256_kt = md_kt_get("SHA256");
|
|
| 854 | 855 |
mbedtls_x509_crt *cert = ctx->crt_chain; |
| 855 | 856 |
|
| 856 |
- mbedtls_sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); |
|
| 857 |
+ if (0 != md_full(sha256_kt, cert->tbs.p, cert->tbs.len, sha256_hash)) |
|
| 858 |
+ {
|
|
| 859 |
+ msg(M_WARN, "WARNING: failed to personalise random"); |
|
| 860 |
+ } |
|
| 861 |
+ |
|
| 857 | 862 |
if (0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash))) |
| 858 | 863 |
{
|
| 859 | 864 |
mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32); |