add callbacks for debug messages

[project/ustream-ssl.git] / ustream-mbedtls.c

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 7fc78742f7c409389a5af5e1cc39d73ff87c78e3..b733ea1d79613adb07e86555d5e1e2cc4ef44e75 100644 (file)
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -25,6 +25,31 @@
 
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
+#include <psa/crypto.h>
+#include <mbedtls/debug.h>
+
+static void debug_cb(void *ctx_p, int level,
+                     const char *file, int line,
+                     const char *str)
+{
+       struct ustream_ssl_ctx *ctx = ctx_p;
+       const char *fstr;
+       char buf[512];
+       int len;
+
+       if (!ctx->debug_cb)
+               return;
+
+       while ((fstr = strstr(file + 1, "library/")) != NULL)
+               file = fstr;
+
+       len = snprintf(buf, sizeof(buf), "%s:%04d: %s", file, line, str);
+       if (len >= (int)sizeof(buf))
+               len = (int)sizeof(buf) - 1;
+       if (buf[len - 1] == '\n')
+               buf[len - 1] = 0;
+       ctx->debug_cb(ctx->debug_cb_priv, level, buf);
+}
 
 static int s_ustream_read(void *ctx, unsigned char *buf, size_t len)
 {
@@ -67,11 +92,17 @@ __hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct ustr
 
 static int _random(void *ctx, unsigned char *out, size_t len)
 {
-       ssize_t ret;
+#ifdef linux
+       if (getrandom(out, len, 0) != (ssize_t) len)
+               return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+#else
+       static FILE *f;
 
-       ret = getrandom(out, len, 0);
-       if (ret < 0 || (size_t)ret != len)
+       if (!f)
+               f = fopen("/dev/urandom", "r");
+       if (fread(out, len, 1, f) != 1)
                return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+#endif
 
        return 0;
 }
@@ -110,9 +141,15 @@ static const int default_ciphersuites_client[] =
        AES_CBC_CIPHERS(ECDHE_ECDSA),
        AES_CBC_CIPHERS(ECDHE_RSA),
        AES_CBC_CIPHERS(DHE_RSA),
+/* Removed in Mbed TLS 3.0.0 */
+#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+#endif
        AES_CIPHERS(RSA),
+/* Removed in Mbed TLS 3.0.0 */
+#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
        MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+#endif
        0
 };
 
@@ -124,6 +161,13 @@ __ustream_ssl_context_new(bool server)
        mbedtls_ssl_config *conf;
        int ep;
 
+#ifdef MBEDTLS_PSA_CRYPTO_C
+       static bool psa_init;
+
+       if (!psa_init && !psa_crypto_init())
+               psa_init = true;
+#endif
+
        ctx = calloc(1, sizeof(*ctx));
        if (!ctx)
                return NULL;
@@ -171,7 +215,7 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
        if (!ctx->cert.version)
                return;
 
-       if (!ctx->key.pk_info)
+       if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE)
                return;
 
        mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
@@ -206,7 +250,11 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 {
        int ret;
 
+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
+       ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL);
+#else
        ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
+#endif
        if (ret)
                return -1;
 
@@ -409,6 +457,15 @@ __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len)
        return ret;
 }
 
+__hidden void __ustream_ssl_set_debug(struct ustream_ssl_ctx *ctx, int level,
+                                     ustream_ssl_debug_cb cb, void *cb_priv)
+{
+       ctx->debug_cb = cb;
+       ctx->debug_cb_priv = cb_priv;
+       mbedtls_ssl_conf_dbg(&ctx->conf, debug_cb, ctx);
+       mbedtls_debug_set_threshold(level);
+}
+
 __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 {
        mbedtls_ssl_context *ssl;