diff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c index 5fb46b416c..42ccb17d64 100644 --- a/lib/tls/mbedtls/mbedtls-client.c +++ b/lib/tls/mbedtls/mbedtls-client.c @@ -407,7 +407,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh, return 1; } /* create context */ - vh->tls.ssl_client_ctx = SSL_CTX_new(method, &vh->context->mcdc); + vh->tls.ssl_client_ctx = SSL_CTX_new(method); if (!vh->tls.ssl_client_ctx) { error = (unsigned long)ERR_get_error(); lwsl_err("problem creating ssl context %lu: %s\n", @@ -416,6 +416,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh, return 1; } + vh->tls.ssl_client_ctx->rngctx = &vh->context->mcdc; if (!ca_filepath && (!ca_mem || !ca_mem_len)) { #if defined(LWS_HAVE_SSL_CTX_load_verify_dir) if (!SSL_CTX_load_verify_dir( diff --git a/lib/tls/mbedtls/mbedtls-server.c b/lib/tls/mbedtls/mbedtls-server.c index c86f2cb7db..66430cd135 100644 --- a/lib/tls/mbedtls/mbedtls-server.c +++ b/lib/tls/mbedtls/mbedtls-server.c @@ -199,12 +199,13 @@ lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info, lws_filepos_t flen; int n; - vhost->tls.ssl_ctx = SSL_CTX_new(method, &vhost->context->mcdc); /* create context */ + vhost->tls.ssl_ctx = SSL_CTX_new(method); /* create context */ if (!vhost->tls.ssl_ctx) { lwsl_err("problem creating ssl context\n"); return 1; } + vhost->tls.ssl_ctx->rngctx = &vhost->context->mcdc; if (!vhost->tls.use_ssl || (!info->ssl_cert_filepath && !info->server_ssl_cert_mem)) return 0; diff --git a/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h b/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h index ab344f4d86..86cf31ad51 100644 --- a/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h +++ b/lib/tls/mbedtls/wrapper/include/internal/ssl_cert.h @@ -28,7 +28,7 @@ * * @return certification object point */ -CERT *__ssl_cert_new(CERT *ic, void *rngctx); +CERT *__ssl_cert_new(CERT *ic); /** * @brief create a certification object include private key object @@ -37,7 +37,7 @@ CERT *__ssl_cert_new(CERT *ic, void *rngctx); * * @return certification object point */ -CERT* ssl_cert_new(void *rngctx); +CERT* ssl_cert_new(void); /** * @brief free a certification object diff --git a/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h b/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h index edb7446772..e790fcc995 100644 --- a/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h +++ b/lib/tls/mbedtls/wrapper/include/internal/ssl_pkey.h @@ -28,7 +28,7 @@ * * @return new private key object point */ -EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx); +EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk); /** * @brief create a private key object @@ -37,7 +37,7 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx); * * @return private key object point */ -EVP_PKEY* EVP_PKEY_new(void *rngctx); +EVP_PKEY* EVP_PKEY_new(void); /** * @brief load a character key context into system context. If '*a' is pointed to the @@ -53,7 +53,7 @@ EVP_PKEY* EVP_PKEY_new(void *rngctx); EVP_PKEY* d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, - long length, void *rngctx); + long length); /** * @brief free a private key object diff --git a/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h b/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h index b96ca268b5..b89d6374c8 100644 --- a/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h +++ b/lib/tls/mbedtls/wrapper/include/internal/ssl_types.h @@ -306,7 +306,7 @@ struct x509_method_st { struct pkey_method_st { - int (*pkey_new)(EVP_PKEY *pkey, EVP_PKEY *m_pkey, void *rngctx); + int (*pkey_new)(EVP_PKEY *pkey, EVP_PKEY *m_pkey); void (*pkey_free)(EVP_PKEY *pkey); diff --git a/lib/tls/mbedtls/wrapper/include/openssl/ssl.h b/lib/tls/mbedtls/wrapper/include/openssl/ssl.h index ec9d682c95..14c8d80cc3 100755 --- a/lib/tls/mbedtls/wrapper/include/openssl/ssl.h +++ b/lib/tls/mbedtls/wrapper/include/openssl/ssl.h @@ -60,7 +60,7 @@ * * @return the context point */ -SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx); +SSL_CTX* SSL_CTX_new(const SSL_METHOD *method); /** * @brief free a SSL context diff --git a/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h b/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h index e494737ac5..9a84f4496b 100644 --- a/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h +++ b/lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h @@ -50,7 +50,7 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len); int x509_pm_load_file(X509 *x, const char *path); int x509_pm_load_path(X509 *x, const char *path); -int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk, void *rngctx); +int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk); void pkey_pm_free(EVP_PKEY *pk); int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len); diff --git a/lib/tls/mbedtls/wrapper/library/ssl_cert.c b/lib/tls/mbedtls/wrapper/library/ssl_cert.c index dab197c515..cd10e2f0d6 100644 --- a/lib/tls/mbedtls/wrapper/library/ssl_cert.c +++ b/lib/tls/mbedtls/wrapper/library/ssl_cert.c @@ -23,7 +23,7 @@ /** * @brief create a certification object according to input certification */ -CERT *__ssl_cert_new(CERT *ic, void *rngctx) +CERT *__ssl_cert_new(CERT *ic) { CERT *cert; @@ -44,7 +44,7 @@ CERT *__ssl_cert_new(CERT *ic, void *rngctx) ix = NULL; } - cert->pkey = __EVP_PKEY_new(ipk, rngctx); + cert->pkey = __EVP_PKEY_new(ipk); if (!cert->pkey) { SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__EVP_PKEY_new() return NULL"); goto pkey_err; @@ -69,9 +69,9 @@ CERT *__ssl_cert_new(CERT *ic, void *rngctx) /** * @brief create a certification object include private key object */ -CERT *ssl_cert_new(void *rngctx) +CERT *ssl_cert_new(void) { - return __ssl_cert_new(NULL, rngctx); + return __ssl_cert_new(NULL); } /** diff --git a/lib/tls/mbedtls/wrapper/library/ssl_lib.c b/lib/tls/mbedtls/wrapper/library/ssl_lib.c index b91a79b64d..020240b3c7 100644 --- a/lib/tls/mbedtls/wrapper/library/ssl_lib.c +++ b/lib/tls/mbedtls/wrapper/library/ssl_lib.c @@ -185,7 +185,7 @@ const char *mbedtls_client_preload_filepath; /** * @brief create a SSL context */ -SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx) +SSL_CTX* SSL_CTX_new(const SSL_METHOD *method) { SSL_CTX *ctx; CERT *cert; @@ -205,7 +205,7 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx) goto failed1; } - cert = ssl_cert_new(rngctx); + cert = ssl_cert_new(); if (!cert) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL"); goto failed2; @@ -220,7 +220,6 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method, void *rngctx) ctx->method = method; ctx->client_CA = client_ca; ctx->cert = cert; - ctx->rngctx = rngctx; ctx->version = method->version; @@ -330,7 +329,7 @@ SSL *SSL_new(SSL_CTX *ctx) goto failed2; } - ssl->cert = __ssl_cert_new(ctx->cert, ctx->rngctx); + ssl->cert = __ssl_cert_new(ctx->cert); if (!ssl->cert) { SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL"); goto failed3; diff --git a/lib/tls/mbedtls/wrapper/library/ssl_pkey.c b/lib/tls/mbedtls/wrapper/library/ssl_pkey.c index 18436a2531..0b5fac7d2a 100644 --- a/lib/tls/mbedtls/wrapper/library/ssl_pkey.c +++ b/lib/tls/mbedtls/wrapper/library/ssl_pkey.c @@ -22,7 +22,7 @@ /** * @brief create a private key object according to input private key */ -EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx) +EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk) { int ret; EVP_PKEY *pkey; @@ -39,7 +39,7 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx) pkey->method = EVP_PKEY_method(); } - ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk, rngctx); + ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk); if (ret) { SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(new) return %d", ret); goto failed; @@ -56,9 +56,9 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk, void *rngctx) /** * @brief create a private key object */ -EVP_PKEY* EVP_PKEY_new(void *rngctx) +EVP_PKEY* EVP_PKEY_new(void) { - return __EVP_PKEY_new(NULL, rngctx); + return __EVP_PKEY_new(NULL); } /** @@ -80,7 +80,7 @@ void EVP_PKEY_free(EVP_PKEY *pkey) EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, - long length, void *rngctx) + long length) { int m = 0; int ret; @@ -93,7 +93,7 @@ EVP_PKEY *d2i_PrivateKey(int type, if (a && *a) { pkey = *a; } else { - pkey = EVP_PKEY_new(rngctx); + pkey = EVP_PKEY_new(); if (!pkey) { SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_new() return NULL"); goto failed1; @@ -167,7 +167,7 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, int ret; EVP_PKEY *pk; - pk = d2i_PrivateKey(0, NULL, &d, len, ctx->rngctx); + pk = d2i_PrivateKey(0, NULL, &d, len); if (!pk) { SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL"); goto failed1; @@ -196,7 +196,7 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, int ret; EVP_PKEY *pk; - pk = d2i_PrivateKey(0, NULL, &d, len, ssl->ctx->rngctx); + pk = d2i_PrivateKey(0, NULL, &d, len); if (!pk) { SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL"); goto failed1; diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c index cb3821a5a7..1c9b1518f1 100755 --- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c +++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c @@ -62,8 +62,6 @@ struct pkey_pm mbedtls_pk_context *pkey; mbedtls_pk_context *ex_pkey; - - void *rngctx; }; unsigned int max_content_len; @@ -786,7 +784,7 @@ int x509_pm_load_path(X509 *x, const char *path) return -1; } -int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey, void *rngctx) +int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey) { struct pkey_pm *pkey_pm; @@ -795,7 +793,6 @@ int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey, void *rngctx) return -1; pk->pkey_pm = pkey_pm; - pkey_pm->rngctx = rngctx; if (m_pkey) { struct pkey_pm *m_pkey_pm = (struct pkey_pm *)m_pkey->pkey_pm; @@ -826,6 +823,7 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len) int ret; unsigned char *load_buf; struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm; + mbedtls_ctr_drbg_context ctr_drbg; if (pkey_pm->pkey) mbedtls_pk_free(pkey_pm->pkey); @@ -848,14 +846,15 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len) load_buf[len] = '\0'; mbedtls_pk_init(pkey_pm->pkey); + mbedtls_ctr_drbg_init(&ctr_drbg); #if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000 #if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03050000 ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, (unsigned int)len, NULL, 0, - mbedtls_ctr_drbg_random, pkey_pm->rngctx); + mbedtls_ctr_drbg_random, &ctr_drbg); #else ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, (unsigned int)len + 1, NULL, 0, - mbedtls_ctr_drbg_random, pkey_pm->rngctx); + mbedtls_ctr_drbg_random, &ctr_drbg); #endif #else ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, (unsigned int)len + 1, NULL, 0); @@ -867,9 +866,12 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len) goto failed; } + mbedtls_ctr_drbg_free(&ctr_drbg); + return 0; failed: + mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_pk_free(pkey_pm->pkey); ssl_mem_free(pkey_pm->pkey); pkey_pm->pkey = NULL; @@ -1057,7 +1059,7 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) if (ssl->cert) ssl_cert_free(ssl->cert); ssl->ctx = ctx; - ssl->cert = __ssl_cert_new(ctx->cert, ctx->rngctx); + ssl->cert = __ssl_cert_new(ctx->cert); #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)