Update code to support mbed tls v2 and v3

#944

0readme.txt

@@ -9,9 +9,12 @@ The source tree contains two versions of MbedTLS.
 * MbedTLS 3.x in folder mbedtls3.
 
 Switching between the two versions can be done as follows.
-1. Define MBEDTLS2 or MBEDTLS3.
+1. Define HAVE_MBEDTLS2 or HAVE_MBEDTLS3.
 2. Put the relevant source code in Makefile.am.
    The source code is listed below for both versions.
+3. Make a soft link from folder mbedtls2 or mbedtls3 to mbedtls:
+   $ rm mbedtls
+   $ ln -s mbedtls3 mbedtls
 
 Version 2 source code:
 

config/config.h

@@ -40,8 +40,7 @@
 #define RUN_SECURE_SERVER 1
 
 
-// Which version of MbedTLS to use.
-//#define HAVE_MBEDTLS2 1
+// Which version of MbedTLS to use, by default it uses v3.
 #define HAVE_MBEDTLS3 1
 
 
@@ -56,6 +55,8 @@
 #undef DIRECTORY_SEPARATOR
 #define DIRECTORY_SEPARATOR R"(\)"
 #undef RUN_SECURE_SERVER
+#undef HAVE_MBEDTLS3
+define HAVE_MBEDTLS2 1
 #endif
 
 

filter/url.cpp

@@ -21,6 +21,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #include <webserver/http.h>
 #include <webserver/request.h>
 #include <config/globals.h>
+#include <config/config.h>
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wold-style-cast"
 #include <filter/UriCodec.hpp>
@@ -99,6 +100,13 @@ static_assert (false, "MBEDTLS_X509_REMOVE_INFO should not be defined");
 #endif
 
 
+#if defined(HAVE_MBEDTLS2)
+#elif defined(HAVE_MBEDTLS3)
+#else
+static_assert (false, "Both HAVE_MBEDTLS2 and HAVE_MBEDTLS3 are undefined")
+#endif
+
+
 // SSL/TLS variables.
 static mbedtls_x509_crt x509_ca_cert;
 static mbedtls_ctr_drbg_context ctr_drbg_context;
@@ -1927,9 +1935,11 @@ void filter_url_ssl_tls_initialize ()
   mbedtls_ctr_drbg_init (&ctr_drbg_context);
   mbedtls_entropy_init (&entropy_context);
 
-  // Initialize the Platform Security Architecture.
+  // Initialize the Platform Security Architecture that MbedTLS version 3 introduces.
+#ifdef HAVE_MBEDTLS3
   psa_status_t status = psa_crypto_init();
   filter_url_display_mbed_tls_error (status, nullptr, false, std::string());
+#endif
 
   // Seed the random number generator.
   constexpr const auto pers = "Client";
@@ -1953,7 +1963,9 @@ void filter_url_ssl_tls_finalize ()
   mbedtls_ctr_drbg_free (&ctr_drbg_context);
   mbedtls_entropy_free (&entropy_context);
   mbedtls_x509_crt_free (&x509_ca_cert);
+#ifdef HAVE_MBEDTLS3
   mbedtls_psa_crypto_free();
+#endif
 }
 
 

webserver/webserver.cpp

@@ -89,6 +89,13 @@ static_assert (false, "MBEDTLS_X509_REMOVE_INFO should not be defined");
 #endif
 
 
+#if defined(HAVE_MBEDTLS2)
+#elif defined(HAVE_MBEDTLS3)
+#else
+static_assert (false, "Both HAVE_MBEDTLS2 and HAVE_MBEDTLS3 are undefined")
+#endif
+
+
 // Gets a line from a socket.
 // The line may end with a newline, a carriage return, or a CR-LF combination.
 // It terminates the string read with a null character.
@@ -870,16 +877,24 @@ void https_server ()
   mbedtls_ctr_drbg_context ctr_drbg;
   mbedtls_ctr_drbg_init (&ctr_drbg);
 
+#ifdef HAVE_MBEDTLS3
   const psa_status_t psa_status = psa_crypto_init();
   if (psa_status != PSA_SUCCESS) {
     Database_Logs::log("Failure to run PSA crypto initialization: Not running the secure server");
     return;
   }
+#endif
 
   // Load the private RSA server key.
   mbedtls_pk_context pkey;
   mbedtls_pk_init (&pkey);
-  int ret = mbedtls_pk_parse_keyfile (&pkey, server_key_path.c_str (), nullptr, mbedtls_ctr_drbg_random, &ctr_drbg);
+  int ret =
+#ifdef HAVE_MBEDTLS2
+  mbedtls_pk_parse_keyfile (&pkey, server_key_path.c_str (), nullptr);
+#endif
+#ifdef HAVE_MBEDTLS3
+  mbedtls_pk_parse_keyfile (&pkey, server_key_path.c_str (), nullptr, mbedtls_ctr_drbg_random, &ctr_drbg);
+#endif
   if (ret != 0) {
     filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
     Database_Logs::log("Invalid " + server_key_path + " so not running secure server");
@@ -980,8 +995,11 @@ void https_server ()
   mbedtls_ssl_cache_free (&cache);
   mbedtls_ctr_drbg_free (&ctr_drbg);
   mbedtls_entropy_free (&entropy);
+#ifdef HAVE_MBEDTLS3
   mbedtls_psa_crypto_free();
 #endif
+
+#endif // ifdef RUN_SECURE_SERVER
 }