Replace deprecated mbedtls DRBG update function

The function mbedtls_ctr_drbg_update is deprecated as of mbedtls 2.16 and is superseded by mbedtls_ctr_drbg_update_ret, which returns an error code. This commit replaces the call to the deprecated function with the new one and logs a warning in case of an error. For older versions of mbedtls, we add a compatibility function that runs mbedtls_ctr_drbg_update and returns 0. Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Antonio Quartulli <antonio@openvpn.net> Message-Id: <20210810061644.20353-1-maximilian.fillinger@foxcrypto.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22711.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-11-23 17:53:49 +08:00 · 2021-08-10 08:16:44 +02:00 · 2021-08-10 08:16:44 +02:00 · b99fa3fd4f
commit b99fa3fd4f
parent 903e2cf5c1
1 changed files with 19 additions and 1 deletions
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@ -62,6 +62,21 @@
 #include <mbedtls/oid.h>
 #include <mbedtls/pem.h>

+/**
+ * Compatibility: mbedtls_ctr_drbg_update was deprecated in mbedtls 2.16 and
+ * replaced with mbedtls_ctr_drbg_update_ret, which returns an error code.
+ * For older versions, we call mbedtls_ctr_drbg_update and return 0 (success).
+ */
+#if MBEDTLS_VERSION_NUMBER < 0x02100000
+static int mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx,
+                                       const unsigned char *additional,
+                                       size_t add_len)
+{
+    mbedtls_ctr_drbg_update(ctx, additional, add_len);
+    return 0;
+}
+#endif
+
 static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
 {
    /* Hashes from SHA-1 and above */
@ -950,7 +965,10 @@ tls_ctx_personalise_random(struct tls_root_ctx *ctx)

        if (0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash)))
        {
-            mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32);
+            if (!mbed_ok(mbedtls_ctr_drbg_update_ret(cd_ctx, sha256_hash, 32)))
+            {
+                msg(M_WARN, "WARNING: failed to personalise random, could not update CTR_DRBG");
+            }
            memcpy(old_sha256_hash, sha256_hash, sizeof(old_sha256_hash));
        }
    }