diff --git a/src/SSLClient.cpp b/src/SSLClient.cpp index 12cc6aa..dae9ae8 100644 --- a/src/SSLClient.cpp +++ b/src/SSLClient.cpp @@ -93,7 +93,7 @@ SSLClient::~SSLClient() { */ void SSLClient::stop() { if (sslclient->client != nullptr) { - if (sslclient->client >= 0) { + if (sslclient->client >= (void*)0) { log_d("Stopping ssl client"); stop_ssl_socket(sslclient, _CA_cert, _cert, _private_key); } else { diff --git a/src/certBundle.c b/src/certBundle.c index f7f13a9..b2d6db6 100644 --- a/src/certBundle.c +++ b/src/certBundle.c @@ -53,20 +53,32 @@ static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_k // Fast check to avoid expensive computations when not necessary +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (!mbedtls_pk_can_do(&parent.pk, child->private_sig_pk)) { +#else if (!mbedtls_pk_can_do(&parent.pk, child->sig_pk)) { +#endif log_e("Simple compare failed"); ret = -1; goto cleanup; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + md_info = mbedtls_md_info_from_type(child->private_sig_md); +#else md_info = mbedtls_md_info_from_type(child->sig_md); +#endif if ( (ret = mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash )) != 0 ) { log_e("Internal mbedTLS error %X", ret); goto cleanup; } - +#if (MBEDTLS_VERSION_MAJOR >= 3) + if ((ret = mbedtls_pk_verify_ext(child->private_sig_pk, child->private_sig_opts, &parent.pk, child->private_sig_md, hash, mbedtls_md_get_size( md_info ), + child->private_sig.p, child->private_sig.len )) != 0 ) { +#else if ((ret = mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent.pk, child->sig_md, hash, mbedtls_md_get_size( md_info ), child->sig.p, child->sig.len )) != 0 ) { +#endif log_e("PK verify failed with error %X", ret); goto cleanup; } diff --git a/src/ssl__client.cpp b/src/ssl__client.cpp index 199c40b..e4ee2bc 100644 --- a/src/ssl__client.cpp +++ b/src/ssl__client.cpp 
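Review bot: The new `if (sslclient->client >= (void*)0)` in stop() is reached only with a non-null pointer (the enclosing `!= nullptr` test), so the relational comparison against a null pointer is either trivially true or, per the C++ rules for `>=` on pointers that do not point into the same object, unspecified; the `else` arm is effectively dead and the cast only silences the pointer-vs-integer warning the old `>= 0` produced. Because `stop_ssl_socket` is the call that (per the ssl__client.cpp hunk further down) frees the CA chain and the client cert/key, that teardown should not sit behind a condition whose outcome the standard does not define. Drop the inner test and call it directly: `if (sslclient->client != nullptr) { log_d("Stopping ssl client"); stop_ssl_socket(sslclient, _CA_cert, _cert, _private_key); }`, removing the `else` arm. stop()'s body, including that `else` arm, continues outside this hunk, so check nothing there is still needed.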
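Review bot: The mbedtls 3 branch reads `child->private_sig_pk`, `private_sig_md`, `private_sig_opts` and `private_sig`, which are the `MBEDTLS_PRIVATE()`-renamed members of `mbedtls_x509_crt`; the `private_` prefix exists precisely to mark them as outside the 3.x API, so this check is tied to the struct layout of whichever 3.x release the toolchain ships and can break on a minor update. Repeating the `#if`/`#else`/`#endif` four times also obscures a short function. If the direct access is kept, confine it to one accessor macro declared once near the top of the file with a comment stating the dependency on mbedtls internals, and write the body once, as sketched below. The hash step only survives an unsupported digest because `mbedtls_md` rejects a NULL `md_info`; an explicit NULL check makes that failure path visible. esp_crt_check_signature starts before this hunk and its `cleanup` label lies after it.
```c
/* x509 signature fields are MBEDTLS_PRIVATE in mbedtls 3.x and have no public
 * accessor; the bundle check reads them directly (struct-layout dependent). */
#if (MBEDTLS_VERSION_MAJOR >= 3)
#define CRT_FIELD(c, f) ((c)->private_##f)
#else
#define CRT_FIELD(c, f) ((c)->f)
#endif

// … unchanged: parent key setup …
    if (!mbedtls_pk_can_do(&parent.pk, CRT_FIELD(child, sig_pk))) {
// … unchanged: log_e / ret = -1 / goto cleanup …
    md_info = mbedtls_md_info_from_type(CRT_FIELD(child, sig_md));
    if (md_info == NULL) {
        log_e("Unsupported signature digest");
        ret = -1;
        goto cleanup;
    }
// … unchanged: mbedtls_md() over child->tbs …
    if ((ret = mbedtls_pk_verify_ext(CRT_FIELD(child, sig_pk), CRT_FIELD(child, sig_opts), &parent.pk,
                                     CRT_FIELD(child, sig_md), hash, mbedtls_md_get_size(md_info),
                                     CRT_FIELD(child, sig).p, CRT_FIELD(child, sig).len)) != 0) {
```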
@@ -576,7 +576,14 @@ int auth_client_cert_key(sslclient__context *ssl_client, const char *cli_cert, c } log_v("Loading private key"); +#if (MBEDTLS_VERSION_MAJOR >= 3) + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_ctr_drbg_init(&ctr_drbg); + ret = mbedtls_pk_parse_key(&ssl_client->client_key, (const unsigned char *)cli_key, strlen(cli_key) + 1, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg); + mbedtls_ctr_drbg_free(&ctr_drbg); +#else ret = mbedtls_pk_parse_key(&ssl_client->client_key, (const unsigned char *)cli_key, strlen(cli_key) + 1, NULL, 0); +#endif if (ret != 0) { // PK or PEM non-zero error codes mbedtls_x509_crt_free(&ssl_client->client_cert); // cert+key are free'd in pair return ret; @@ -814,15 +821,21 @@ void stop_ssl_socket(sslclient__context *ssl_client, const char *rootCABuff, con log_d("Stopping SSL client. Current client pointer address: %p", (void *)ssl_client->client); ssl_client->client->stop(); } - +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (ssl_client->ssl_conf.private_ca_chain != NULL) { +#else if (ssl_client->ssl_conf.ca_chain != NULL) { +#endif log_d("Freeing CA cert. Current ca_cert address: %p", (void *)&ssl_client->ca_cert); // Free the memory associated with the CA certificate mbedtls_x509_crt_free(&ssl_client->ca_cert); } - +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (ssl_client->ssl_conf.private_key_cert != NULL) { +#else if (ssl_client->ssl_conf.key_cert != NULL) { +#endif log_d("Freeing client cert and client key. Current client_cert address: %p, client_key address: %p", (void *)&ssl_client->client_cert, (void *)&ssl_client->client_key); diff --git a/src/ssl__client.h b/src/ssl__client.h index 556494d..bc04112 100644 --- a/src/ssl__client.h +++ b/src/ssl__client.h @@ -12,7 +12,11 @@ #include #include #include +#if (MBEDTLS_VERSION_MAJOR >= 3) +#include +#else #include +#endif #include #include #include
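Review bot: The `mbedtls_ctr_drbg_context` added for the 3.x `mbedtls_pk_parse_key` call is initialised but never seeded — there is no `mbedtls_ctr_drbg_seed` with an entropy source before `mbedtls_ctr_drbg_random` is handed to the parser. mbedtls 3 asks for an RNG here so that the key-consistency checks (and, for EC keys without an embedded public point, the scalar multiplication that derives it) can be blinded; as far as I can tell an init-only CTR_DRBG either fails the call or produces a fixed stream from an all-zero state, and neither gives the blinding any value. Either seed a local DRBG from `mbedtls_entropy_func` as below (which needs `mbedtls/entropy.h` in scope), or, if `sslclient__context` already holds the seeded DRBG used for `mbedtls_ssl_conf_rng` — I cannot see the struct from here — pass that one and drop the local context. A non-zero result from seeding must not fall through to the parse. auth_client_cert_key starts before this hunk.
```cpp
#if (MBEDTLS_VERSION_MAJOR >= 3)
    // mbedtls 3 needs an RNG for key validation/blinding; an init-only
    // CTR_DRBG is not a usable random source, so seed it from the entropy pool.
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    mbedtls_entropy_init(&entropy);
    mbedtls_ctr_drbg_init(&ctr_drbg);
    ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
    if (ret == 0) {
        ret = mbedtls_pk_parse_key(&ssl_client->client_key, (const unsigned char *)cli_key, strlen(cli_key) + 1, NULL, 0,
                                   mbedtls_ctr_drbg_random, &ctr_drbg);
    }
    mbedtls_ctr_drbg_free(&ctr_drbg);
    mbedtls_entropy_free(&entropy);
#else
    // … unchanged: 2.x mbedtls_pk_parse_key call …
#endif
```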
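Review bot: The new guards in stop_ssl_socket test `ssl_conf.private_ca_chain` and `ssl_conf.private_key_cert`, fields mbedtls 3 deliberately renamed to take them out of the public API, in order to decide whether to free `ssl_client->ca_cert` and the client cert/key that this struct itself owns. Whether those objects were loaded is state this code already controls (this function also receives `rootCABuff` and the cert/key buffers as parameters), so the decision should not hinge on the SSL config's internal layout; if the members are always `mbedtls_x509_crt_init`/`mbedtls_pk_init`ed at setup — not visible from this hunk — `mbedtls_x509_crt_free` and `mbedtls_pk_free` on an empty object should be harmless and the guards can go, otherwise a `bool` set when the CA chain and cert/key are loaded does the job. If the checks stay, `if (ssl_client->ssl_conf.private_ca_chain != NULL)` should at least carry `// reaches into mbedtls 3 private fields: no public accessor for the configured CA chain` so the next mbedtls bump knows where to look. The body of stop_ssl_socket continues past this hunk.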
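Review bot: The new `#if (MBEDTLS_VERSION_MAJOR >= 3)` in the include list requires `MBEDTLS_VERSION_MAJOR` to be defined already, and since the include targets are not legible in this rendering I cannot tell whether any header above it provides the macro. If it is undefined the preprocessor evaluates it as 0 and silently selects the 2.x branch; in this header that would surface as a compile error on a 3.x toolchain, but the same pattern in the `.c`/`.cpp` hunks relies on every translation unit having pulled in the version header first. Add `#include <mbedtls/version.h>` immediately before the conditional — it exists in both 2.x and 3.x (in 3.x it forwards to `build_info.h`) and is the header that defines the macro. A one-line comment such as `// mbedtls 2.x and 3.x ship this header under different paths` would also explain the split.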