From: Steffan Karger
Date: Wed, 7 Feb 2018 12:22:46 +0000 (+0100)
Subject: mbedtls: don't use API deprecated in mbed 2.7
X-Git-Tag: v2.4.5~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c913600105505bd7f539d6b4206d358b6811943;p=thirdparty%2Fopenvpn.git

mbedtls: don't use API deprecated in mbed 2.7

The void-returning mbedtls_sha256() was deprecated in mbed TLS 2.7. Use our own md_full() abstraction instead.

(The new function can theoretically fail, but only in case of highly unlikely digest function failures. The personalisation on random using the certificate is a best-effort measure, so we simply log a warning and skip the personalisation if such highly unlikely errors occur.)

Signed-off-by: Steffan Karger
Acked-by: Antonio Quartulli
Message-Id: <1518006166-14285-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16445.html
Signed-off-by: Gert Doering

(cherry picked from commit f22e89bd2311d3cab511e574746c6f82f1fa1a54)
---
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index dce201a91..74b4726d3 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -60,7 +60,6 @@ #include #include -#include static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy = { @@ -851,9 +850,14 @@ tls_ctx_personalise_random(struct tls_root_ctx *ctx) if (NULL != ctx->crt_chain) { + const md_kt_t *sha256_kt = md_kt_get("SHA256"); mbedtls_x509_crt *cert = ctx->crt_chain; - mbedtls_sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); + if (0 != md_full(sha256_kt, cert->tbs.p, cert->tbs.len, sha256_hash)) + { + msg(M_WARN, "WARNING: failed to personalise random"); + } + if (0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash))) { mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32);
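
Review bot: in the tls_ctx_personalise_random() hunk, the new md_full() failure branch only logs the warning and then falls through to the memcmp() and mbedtls_ctr_drbg_update() calls, so the "skip the personalisation" behaviour described in the commit message is not enforced by the visible code. Whether the DRBG is updated after a failed digest depends on what sha256_hash and old_sha256_hash happen to contain at that point, which this hunk does not show. Making the skip explicit would remove that dependency, for example by moving the memcmp() block into an else branch or returning right after the msg(M_WARN, ...) call. The result of md_kt_get("SHA256") is also passed to md_full() unchecked; if md_kt_get() can return NULL, a check belongs before the call.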